One question about the database configuration.

I have my OSSEC server and its database on the same server, but I've 
configured the database IP with the eth0 IP address. Could that be the 
problem, and do I have to assign 127.0.0.1?

regards

On Thursday, July 16, 2015, 19:18:14 (UTC+2), dan (ddpbsd) wrote:

>
> On Jul 16, 2015 11:14 AM, "Legolas Klaitxu" <[email protected]> wrote:
> >
> > I've activated logging in MySQL and kept the IP address, not localhost
> >
> > As you can see the events are inserting ok into the database
> >
> > 65 Query     INSERT INTO data(id, server_id, user, full_log) VALUES ('69', '1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: TAreasC: IND: miservidor: An account was logged off. Subject:  Security ID:  S-1-5-21-  Account Name:  Tareas_  Account Domain:  IND  Logon ID:  0x11f65bed4  Logon Type:   3  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1')
> > 65 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058092.4614772')
> > 65 Query     INSERT INTO data(id, server_id, user, full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16 17:03:20 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: Tareas_PROD.SVC: IND: BAE-I-WEB1D.ind.aronde.es: An account was logged off. Subject:  Security ID:  S-1-5-21-635382758-268241423-2897451402-2711  Account Name:  Tareas_PROD.SVC  Account Domain:  IND  Logon ID:  0x11f65c049  Logon Type:   3  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1')
> > 65 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058096.4615492')
> >
>
> So no errors?
>
> > On the OSSEC server the problem persists
> >
> > 2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
> > 2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
> >
>
> From what I see, 111 means connection is refused. MySQL has a 
> troubleshooting page for this error code, perhaps that has the solution?
>
> > I think sometimes it works properly, but at other moments it doesn't :(
> >
> >
> >
> > On Thursday, July 16, 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
> >>
> >>
> >> You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1?
> >> Because your netstat shows that mysql is only bound to 127.0.0.1.
> >>
> >>
> >> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
> >>>
> >>> Good Morning,
> >>>
> >>> I've started working with OSSEC and, reviewing the log, I identified this error
> >>>
> >>> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >>> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to database  <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
> >>> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
> >>> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
> >>> 2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address>  (ossec): ERROR: Can't connect to MySQL server on <ip address>  (111).
> >>> 2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>  (111).
> >>> 2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
> >>> 2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> >>> 2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> >>> 2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>  (111).
> >>> 2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
> >>> 2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on<ip address> (111).
> >>>
> >>> /var/ossec/logs/alerts# netstat -atp | grep LISTEN
> >>> tcp        0      0 localhost:mysql         *:*                     LISTEN      3324/mysqld
> >>>
> >>> MySQL is up. I've updated /var/ossec/etc/internal_options.conf, setting dbd.reconnect_attempts to 30, but the error persists.
> >>>
> >>> any help?
> >>>
> >>> regards 
> >>>
> >>> -- 
> >>>
> >>> --- 
> >>> You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected].
> >>>
> >>> For more options, visit https://groups.google.com/d/optout.
> >>
> >>
>  
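The mismatch discussed in this thread (ossec-dbd dialing the eth0 address while mysqld listens only on localhost), as an added example that is not part of the original messages or of OSSEC itself. The function names and verdict strings are hypothetical, and the two sample lines are constructed from the log and netstat output quoted above.

```shell
#!/bin/sh
# Added example: explain an ossec-dbd errno 111 (connection refused) by comparing
# the address ossec-dbd dials with the address mysqld actually listens on.
# Sample input below is constructed from the lines quoted in this thread.
SAMPLE_LOG="2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111)."
SAMPLE_NETSTAT="tcp        0      0 localhost:mysql         *:*                     LISTEN      3324/mysqld"

# Host that ossec-dbd tried to reach, taken from the last error 5202 line.
dbd_target() {
    printf '%s\n' "$1" |
        sed -n "s/.*ossec-dbd(5202).*server on '\([^']*\)' (111).*/\1/p" | tail -n 1
}

# Local address (port stripped) of each LISTEN socket owned by mysqld.
# Wildcard binds are normalised to "any".
mysql_listen_addrs() {
    printf '%s\n' "$1" | awk '/LISTEN/ && /mysqld/ {
        a = $4; sub(/:[^:]*$/, "", a)
        if (a == "*" || a == "0.0.0.0" || a == "::") a = "any"
        print a }'
}

is_loopback() {
    case "$1" in localhost|127.*|::1) return 0 ;; *) return 1 ;; esac
}

# Prints one verdict: ok, mismatch, not-listening, or no-error.
diagnose() {
    target=$(dbd_target "$1")
    [ -n "$target" ] || { echo "no-error"; return 0; }
    addrs=$(mysql_listen_addrs "$2")
    [ -n "$addrs" ] || { echo "not-listening"; return 0; }
    for a in $addrs; do
        # A wildcard bind accepts connections on every local address.
        [ "$a" = "any" ] && { echo "ok"; return 0; }
        [ "$a" = "$target" ] && { echo "ok"; return 0; }
        is_loopback "$a" && is_loopback "$target" && { echo "ok"; return 0; }
    done
    echo "mismatch"
}

diagnose "$SAMPLE_LOG" "$SAMPLE_NETSTAT"
```

With ossec-dbd and MySQL on the same host, a `mismatch` verdict is resolved by setting `<hostname>` in the `<database_output>` block of ossec.conf to 127.0.0.1, which also keeps MySQL off the network interface.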
