On Fri, Feb 10, 2017 at 3:04 AM, Quintin Beukes <[email protected]> wrote:
> Thanks Dan. Is there a way to get OSSEC to provide more details on the
> messages it actually processes? I'd like to gain a better understanding of
> this application because it has a lot of seemingly random behaviour.
>

What information do you want? Other than what's provided by turning on
debug, I can't think of anything off hand.

> On Thursday, February 9, 2017 at 9:59:24 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes <[email protected]>
>> wrote:
>> > Hi group,
>> >
>> > Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>> > Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > I am generating 5 log messages at 2 second intervals to trigger rule 1002.
>> > 16:40:43 [quintinb@ho-pri-vm-quintindev ~]$ for x in {11..15}; do logger test error$x; date; sleep 2; done
>> > Thu Feb  9 16:40:48 SAST 2017
>> > Thu Feb  9 16:40:50 SAST 2017
>> > Thu Feb  9 16:40:52 SAST 2017
>> > Thu Feb  9 16:40:54 SAST 2017
>> > Thu Feb  9 16:40:56 SAST 2017
>> > A tcpdump on the server indicates all 5 are received:
>> > 16:40:49.197974 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>> > 16:40:51.200118 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>> > 16:40:53.202224 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>> > 16:40:55.204480 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>> > 16:40:57.206407 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>> >
>> > Though alerts.log only shows 3 of the 5.
>> > ** Alert 1486651295.2432248: mail  - syslog,errors,
>> > 2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11
>> >
>> > ** Alert 1486651298.2432494: mail  - syslog,errors,
>> > 2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13
>> >
>> > ** Alert 1486651305.2432740: mail  - syslog,errors,
>> > 2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
>> >
>> >
>> > Sometimes it alerts on all 5. Though upon inspection it seems OSSEC misses 50%+ of my messages, even though I see the packets delivered to the server.
>> >
>> > Is there an explanation for this?  Any way I can get more verbose logging on this to investigate deeper?
>> >
>>
>> OSSEC does discard some duplicate messages, and I'm not sure if the
>> timestamp is taken into account or not off hand.
>>
>> > Quintin
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>


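As an added example (not code from the thread, and not part of OSSEC), here is a small Python script that automates the check Quintin did by hand: it parses the server's alerts.log in the block layout quoted above, extracts the syslog payload of every alert for a given rule, and reports which of the test messages produced an alert and which never did, together with the agent-log-to-alert latency. The sample alerts.log and the expected message list are constructed here to mirror the 3-of-5 result in the thread so the script runs offline; point it at the real file to run it against a live server.

```python
"""Correlate test syslog messages sent through an OSSEC agent with the
alerts that actually appear in the server's alerts.log.

Added example for the thread above; it is not code from the ossec-list
post or from OSSEC. It assumes only the alerts.log block layout quoted
in the thread (blocks separated by blank lines):

    ** Alert <epoch>.<counter>: <flags> - <groups>
    <YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location>
    Rule: <id> (level <n>) -> '<description>'
    <original log line>

SAMPLE_ALERTS_LOG and EXPECTED are constructed to mirror the 3-of-5
result reported in the thread so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

HEADER_RE = re.compile(r"^\*\* Alert \d+\.\d+: ")
WHEN_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((\S+)\) (\S+)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# "Feb  9 16:40:48 host tag: message"  ->  (timestamp, message)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ \S+?: (.*)$")


@dataclass
class Alert:
    alert_time: datetime
    agent: str
    rule: int
    level: int
    log: str

    @property
    def message(self) -> str:
        """Syslog payload with the 'Mon dd HH:MM:SS host tag:' prefix removed."""
        m = SYSLOG_RE.match(self.log)
        return m.group(2) if m else self.log

    @property
    def latency_s(self) -> Optional[float]:
        """Seconds from the syslog timestamp on the agent to the alert timestamp
        on the server. Syslog lines carry no year, so the alert's year is assumed."""
        m = SYSLOG_RE.match(self.log)
        if not m:
            return None
        ts = datetime.strptime(f"{self.alert_time.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return (self.alert_time - ts).total_seconds()


def _parse_block(block: list[str]) -> Alert:
    if not HEADER_RE.match(block[0]):
        raise ValueError(f"not an alert header: {block[0]!r}")
    when = WHEN_RE.match(block[1]) if len(block) > 1 else None
    rule_idx = next((i for i, l in enumerate(block) if l.startswith("Rule: ")), None)
    rule = RULE_RE.match(block[rule_idx]) if rule_idx is not None else None
    if not (when and rule):
        raise ValueError(f"unrecognised alert block: {block[:3]!r}")
    return Alert(
        alert_time=datetime.strptime(when.group(1), "%Y %b %d %H:%M:%S"),
        agent=when.group(2),
        rule=int(rule.group(1)),
        level=int(rule.group(2)),
        log="\n".join(block[rule_idx + 1:]),  # original line(s) follow 'Rule:'
    )


def parse_alerts(text: str) -> list[Alert]:
    """Split alerts.log on blank lines and parse each block into an Alert."""
    alerts: list[Alert] = []
    block: list[str] = []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        if line.strip():
            block.append(line)
        elif block:
            alerts.append(_parse_block(block))
            block = []
    return alerts


def correlate(expected: list[str], alerts: list[Alert], rule: int) -> tuple[list[str], list[str]]:
    """Return (alerted, missing): which expected payloads triggered `rule`.
    Payloads must be unique; identical messages cannot be told apart."""
    seen = {a.message for a in alerts if a.rule == rule}
    return [m for m in expected if m in seen], [m for m in expected if m not in seen]


# Constructed sample data mirroring the three alerts quoted in the thread.
SAMPLE_ALERTS_LOG = """\
** Alert 1486651295.2432248: mail  - syslog,errors,
2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11

** Alert 1486651298.2432494: mail  - syslog,errors,
2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13

** Alert 1486651305.2432740: mail  - syslog,errors,
2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
"""
EXPECTED = [f"test error{n}" for n in range(11, 16)]  # the {11..15} loop

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_LOG)
    alerted, missing = correlate(EXPECTED, alerts, 1002)
    print(f"alerted {len(alerted)}/{len(EXPECTED)}: {alerted}")
    print(f"missing: {missing}")
    print(f"agent-log-to-alert latency (s): {[a.latency_s for a in alerts]}")
```

Run it against the real file with `parse_alerts(open('/var/ossec/logs/alerts/alerts.log').read())` and the same expected list. Because tcpdump already showed every datagram arriving on 1514/udp, a payload that is present in the capture but absent from the report is being dropped after receipt, which narrows the search to the server side. Keep the test payloads distinct (the `error$x` suffix does this): per Dan's reply, OSSEC discards some duplicate messages, so identical payloads would be indistinguishable from that behaviour.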