Yes, that is what I pointed out in my last email: according to your netstat, your mysql is only listening on 127.0.0.1:3306, but you are trying to connect to 172.16.15.154:3306. OSSEC can't connect to mysql if you point it to an IP:PORT combination where there is no daemon listening.

On 7/17/2015 1:03 AM, Legolas Klaitxu wrote:
One question about the database configuration.

I have my ossec server and its database on the same server, but I've configured the database IP with the eth0 IP address. Could that be the problem, and do I have to assign 127.0.0.1?

regards

On Thursday, July 16, 2015, 19:18:14 (UTC+2), dan (ddpbsd) wrote:

    On Jul 16, 2015 11:14 AM, "Legolas Klaitxu" <[email protected]> wrote:
    >
    > I've activated the log in mysql and maintain the IP address, not the localhost
    >
    > As you can see the events are inserting ok into the database
    >
    > 65 Query     INSERT INTO data(id, server_id, user, full_log) VALUES ('69', '1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: TAreasC: IND: miservidor: An account was logged off. Subject:  Security ID:  S-1-5-21-  Account Name:  Tareas_  Account Domain: IND  Logon ID:  0x11f65bed4  Logon Type:   3  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1')
    > 65 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058092.4614772')
    > 65 Query     INSERT INTO data(id, server_id, user, full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16 17:03:20 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: Tareas_PROD.SVC: IND: BAE-I-WEB1D.ind.aronde.es: An account was logged off. Subject:  Security ID: S-1-5-21-635382758-268241423-2897451402-2711  Account Name: Tareas_PROD.SVC Account Domain: IND Logon ID: 0x11f65c049 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1')
    > 65 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058096.4615492')
    >

    So no errors?

    > On the Ossec server the problem persists
    >
    > 2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
    > 2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
    >

    From what I see, 111 means connection is refused. Mysql has a
    troubleshooting page for this error code, perhaps that has the
    solution?

    > I think sometimes it works properly but at other moments it doesn't :(
    >
    >
    >
    > On Thursday, July 16, 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
    >>
    >>
    >> You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1?
    >> Because your netstat shows that mysql is only bound to 127.0.0.1.
    >>
    >>
    >> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
    >>>
    >>> Good Morning,
    >>>
    >>> I've started to work with ossec and, reviewing the log, I identified this error
    >>>
    >>> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
    >>> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to database  <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address>  (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
    >>> 2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
    >>> 2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
    >>> 2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
    >>> 2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on<ip address> (111).
    >>>
    >>> /var/ossec/logs/alerts# netstat -atp | grep LISTEN
    >>> tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld
    >>>
    >>> Mysql is UP, I've updated /var/ossec/etc/internal_options.conf, setting dbd.reconnect_attempts to 30, but the error persists.
    >>>
    >>> any help?
    >>>
    >>> regards
    >>>
    >>> --
    >>>
    >>> ---
    >>> You received this message because you are subscribed to the
    Google Groups "ossec-list" group.
    >>> To unsubscribe from this group and stop receiving emails from
    it, send an email to [email protected].
    >>>
    >>> For more options, visit https://groups.google.com/d/optout.
    >>
    >>

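The mismatch diagnosed in this thread, as an added example that is not part of the original messages: it compares the `<hostname>` in OSSEC's `<database_output>` block with the addresses that actually have a listener on the MySQL port. The sample config, the numeric `netstat -ltn`-style lines and the function names are constructed for illustration; the thread's own netstat output showed resolved names (`localhost:mysql`) instead.

```python
import ipaddress
import re

# Constructed sample: database output pointing at the eth0 address, as in the thread.
OSSEC_CONF = """
<ossec_config>
  <database_output>
    <hostname>172.16.15.154</hostname>
    <username>ossec</username>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

# Constructed sample: numeric listener table with mysqld bound to loopback only.
NETSTAT = """\
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def db_host(conf):
    """Return the <hostname> inside <database_output>, or None."""
    m = re.search(r"<database_output>.*?<hostname>\s*([^<\s]+)\s*</hostname>", conf, re.S)
    return m.group(1) if m else None

def listeners(netstat_text, port):
    """Addresses that have a TCP socket in LISTEN state on the given port."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, p = f[3].rpartition(":")
            if p == str(port):
                found.append(ipaddress.ip_address(addr))
    return found

def diagnose(conf, netstat_text, port=3306):
    """Return (reachable, explanation) for the configured database host."""
    host = db_host(conf)
    try:
        target = ipaddress.ip_address(host or "")
    except ValueError:
        return False, "hostname %r is not an IP literal; resolve it first" % host
    bound = listeners(netstat_text, port)
    if not bound:
        return False, "nothing is listening on port %d" % port
    # A wildcard bind (0.0.0.0) accepts any local address; otherwise require an exact match.
    if any(b.is_unspecified or b == target for b in bound):
        return True, "a listener accepts %s:%d" % (target, port)
    only = ", ".join(str(b) for b in bound)
    return False, "connection refused (errno 111): mysqld is bound only to %s, not %s" % (only, target)
```

With `<hostname>` changed to 127.0.0.1 the same check passes while mysqld stays bound to loopback only.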