On Fri, Jul 13, 2018 at 8:03 AM, Chinmay Pandya <chinmay.pan...@inmobi.com> wrote:
> Nothing on OS logs also.
>
> Should I run ossec in debug mode? Just in case, to see if debug shows some insight?
>

You can try it, definitely. Running it in the foreground would give you more immediate results (-df).

> On Friday, July 13, 2018 at 4:32:56 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 13, 2018 at 1:39 AM, Chinmay Pandya <chinmay...@inmobi.com> wrote:
>> > Here are my logs after restarting ossec. I do not see any remoted error but still got stall entries
>> >
>>
>> I don't see anything exciting. Anything in the system logs about a crash?
>> You could try running remoted in the foreground (`/var/ossec/bin/ossec-remoted -df`) or in gdb to see if it's crashing.
>>
>> > root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
>> > 2018/07/13 05:30:37 ossec-remoted: INFO: Started (pid: 4785).
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'
>> > root@ossec-1000:/ossec-server# bin/ossec-control restart
>> > Deleting PID file '/ossec-server/var/run/ossec-remoted-5389.pid' not used...
>> > Deleting PID file '/ossec-server/var/run/ossec-remoted-5615.pid' not used...
>> > Deleting PID file '/ossec-server/var/run/ossec-remoted-5625.pid' not used...
>> > Killing ossec-monitord ..
>> > Killing ossec-logcollector ..
>> > Killing ossec-remoted ..
>> > bin/ossec-control: 260: kill: No such process
>> >
>> > bin/ossec-control: 260: kill: No such process
>> >
>> > Killing ossec-syscheckd ..
>> > Killing ossec-analysisd ..
>> > ossec-maild not running ..
>> > ossec-execd not running ..
>> > Killing ossec-csyslogd ..
>> > OSSEC HIDS v2.9.3 Stopped
>> > Starting OSSEC HIDS v2.9.3 (by Trend Micro Inc.)...
>> > Started ossec-csyslogd...
>> > 2018/07/13 05:32:34 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
>> > Started ossec-maild...
>> > Started ossec-execd...
>> > Started ossec-analysisd...
>> > 2018/07/13 05:32:34 ossec-logcollector(1905): INFO: No file configured to monitor.
>> > Started ossec-logcollector...
>> > Started ossec-remoted...
>> > 2018/07/13 05:32:34 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>> > 2018/07/13 05:32:34 ossec-syscheckd: WARN: Syscheck disabled.
>> > 2018/07/13 05:32:34 rootcheck: Rootcheck disabled. Exiting.
>> > 2018/07/13 05:32:34 ossec-syscheckd: WARN: Rootcheck module disabled.
>> > Started ossec-syscheckd...
>> > Started ossec-monitord...
>> > Completed.
>> > root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
>> > root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
>> > 2018/07/13 05:30:37 ossec-remoted: INFO: Started (pid: 4785).
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
>> > 2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'
>> > 2018/07/13 05:32:34 ossec-remoted: INFO: Started (pid: 8866).
>> > 2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
>> > 2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
>> > 2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
>> > 2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'
>> >
>> >
>