Thanks Ryan.
It seems it is working properly now.

regards

On Friday, 17 July 2015, 23:12:21 (UTC+2), Ryan Schulze wrote:
> Yes, that is what I pointed out in my last email, according to your netstat your mysql is only listening to 127.0.0.1:3306, but you are trying to connect to 172.16.15.154:3306.
> OSSEC can't connect to mysql if you point it to an IP:PORT combination where there is no daemon listening.
>
> On 7/17/2015 1:03 AM, Legolas Klaitxu wrote:
>
> One question about the database configuration.
>
> I have my ossec server and its database on the same server, but I've configured the database IP with the eth0 IP address. Could that be the problem, and do I have to assign 127.0.0.1?
>
> regards
>
> On Thursday, 16 July 2015, 19:18:14 (UTC+2), dan (ddpbsd) wrote:
>
>> On Jul 16, 2015 11:14 AM, "Legolas Klaitxu" <[email protected]> wrote:
>> >
>> > I've activated the log in mysql and maintained the IP address, not the localhost
>> >
>> > As you can see, the events are being inserted OK into the database
>> >
>> > 65 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('69', '1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: TAreasC: IND: miservidor: An account was logged off. Subject: Security ID: S-1-5-21- Account Name: Tareas_ Account Domain: IND Logon ID: 0x11f65bed4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 4646,1')
>> > 65 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058092.4614772')
>> > 65 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16 17:03:20 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: Tareas_PROD.SVC: IND: BAE-I-WEB1D.ind.aronde.es: An account was logged off. Subject: Security ID: S-1-5-21-635382758-268241423-2897451402-2711 Account Name: Tareas_PROD.SVC Account Domain: IND Logon ID: 0x11f65c049 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 4646,1')
>> > 65 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058096.4615492')
>> >
>>
>> So no errors?
>>
>> > In Ossec server the problem persists
>> >
>> > 2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
>> > 2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
>> >
>>
>> From what I see, 111 means connection is refused. Mysql has a troubleshooting page for this error code, perhaps that has the solution?
>>
>> > I think sometimes it works properly but at other moments not :(
>> >
>> > On Thursday, 16 July 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
>> >>
>> >> You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1?
>> >> Because your netstat shows that mysql is only bound to 127.0.0.1.
>> >>
>> >> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
>> >>>
>> >>> Good Morning,
>> >>>
>> >>> I've started to work with ossec and, reviewing the log, I identify this error
>> >>>
>> >>> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >>> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >>> 2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >>> 2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>> >>> 2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >>> 2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on<ip address> (111).
>> >>>
>> >>> /var/ossec/logs/alerts# netstat -atp | grep LISTEN
>> >>> tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld
>> >>>
>> >>> Mysql is UP, I've updated /var/ossec/etc/internal_options.conf setting dbd.reconnect_attempts to 30 but the error persists.
>> >>>
>> >>> any help?
>> >>>
>> >>> regards
>> >>>
>> >>> --
>> >>>
>> >>> ---
>> >>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>> For more options, visit https://groups.google.com/d/optout.
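
The mismatch diagnosed in this thread (mysqld bound only to 127.0.0.1 while ossec-dbd targets another address and gets errno 111), as an added check that is not part of the original messages. It assumes numeric `netstat -ltn` output, IPv4, and MySQL's default port 3306; the sample inputs are constructed from the lines quoted above and the function names are this example's own.

```python
import re

# Constructed samples modelled on the thread: ossec.log lines and `netstat -ltn` output.
OSSEC_LOG = """\
2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
"""
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# ossec-dbd error 5202 with the quoted target host and the trailing errno.
DBD_ERR = re.compile(r"ossec-dbd\(5202\): ERROR: Error connecting to database "
                     r"'([^']+)'.*\((\d+)\)\.\s*$")

def refused_targets(log_text):
    """Hosts that ossec-dbd failed to reach with errno 111 (connection refused)."""
    hosts = set()
    for line in log_text.splitlines():
        m = DBD_ERR.search(line)
        if m and m.group(2) == "111":
            hosts.add(m.group(1))
    return hosts

def listeners(netstat_text, port=3306):
    """Local IPv4 addresses that have a TCP socket in LISTEN state on `port`."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN":
            addr, _, p = f[3].rpartition(":")
            if p == str(port):
                found.add(addr)
    return found

def diagnose(log_text, netstat_text, port=3306):
    """Map each refused target to why no listener accepts it, or None if one does."""
    bound = listeners(netstat_text, port)
    result = {}
    for host in refused_targets(log_text):
        # A wildcard bind (0.0.0.0) accepts connections on every local address.
        reachable = "0.0.0.0" in bound or host in bound
        result[host] = None if reachable else (
            f"nothing listens on {host}:{port}; mysqld is bound to {sorted(bound) or 'no address'}")
    return result
```

A non-None result means either the database hostname given to OSSEC or the MySQL bind address has to change; when both run on the same server, pointing OSSEC at 127.0.0.1 keeps MySQL off the network interface.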
