I am running:
ossec-hids-agent-3.0.1-5667.el7.art.x86_64
ossec-hids-3.0.1-5667.el7.art.x86_64
From what I can tell I do not have any errors in my config files. I start up ossec and all logs look good on the agent in the logs. I then use metasploit on a different host to attack ssh on the agent. Very quickly I see the following in the log file:
2018/10/26 13:10:34 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2018/10/26 13:10:34 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/messages'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/secure'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/maillog'.
2018/10/26 13:10:34 ossec-logcollector: INFO: Started (pid: 30071).
2018/10/26 13:10:42 ossec-logcollector: DEBUG: Reading syslog message: 'Oct 26 13:10:41 ip-10-100-17-186 sshd[30077]: Invalid user 3d from 10.100.17.49 port 38783'
2018/10/26 13:10:42 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/10/26 13:11:34 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/10/26 13:11:34 ossec-syscheckd: WARN: Process locked. Waiting for permission...

I get the same result if I start up ossec-logcollector with -ddd -f.

I saw an old post saying stop all OSSEC and then remove 
/var/ossec/queue/ossec/.wait.  So I did that.  Then started up OSSEC.
[root@ip-10-100-17-186 ossec]# ls -al /var/ossec/queue/ossec/.wait
-rw-r--r-- 1 ossec ossec 1 Oct 26 13:34 /var/ossec/queue/ossec/.wait

Before I could even start up metasploit I found the following in the logs:
[root@ip-10-100-17-186 ossec]# tail -f logs/ossec.log
2018/10/26 13:34:07 ossec-syscheckd: INFO: Directory set for real time monitoring: '/data'.
2018/10/26 13:34:09 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2018/10/26 13:34:09 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/messages'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/maillog'.
2018/10/26 13:34:09 ossec-logcollector: INFO: Started (pid: 30292).
2018/10/26 13:34:53 ossec-logcollector: DEBUG: Reading syslog message: 'Oct 26 13:34:53 ip-10-100-17-186 dhclient[2226]: XMT: Solicit on eth0, interval 117890ms.'
2018/10/26 13:34:53 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/10/26 13:35:09 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/10/26 13:35:09 ossec-syscheckd: WARN: Process locked. Waiting for permission...

So clearly it's something else. Any clue what is causing the issue?

Thanks,
Louis

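An added triage helper for the two WARN messages in the logs above (written for this thread, not code from the post or from OSSEC). It parses ossec.log lines, reports the duplicated localfile entries and the daemons sitting in "Process locked", and checks for the .wait file; the sample lines are constructed from the post, and the default agent queue path is assumed.

```python
import os
import re

# Constructed sample, modelled on the INFO/WARN lines quoted in the post.
SAMPLE_LOG = """\
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector: INFO: Started (pid: 30292).
2018/10/26 13:34:53 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/10/26 13:35:09 ossec-syscheckd: WARN: Process locked. Waiting for permission...
"""

# ossec.log line layout: "YYYY/MM/DD HH:MM:SS daemon[(code)]: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+?)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>DEBUG|INFO|WARN|ERROR|CRITICAL): (?P<msg>.*)$"
)
DUP_RE = re.compile(r"Duplicated log file given: '(?P<path>.+)'\.?$")


def parse_line(line):
    """Split one ossec.log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, wait_path="/var/ossec/queue/ossec/.wait"):
    """Summarise the duplicate-localfile and process-locked warnings in a log."""
    dups, locked = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "WARN":
            continue
        m = DUP_RE.match(rec["msg"])
        if m:
            dups.add(m.group("path"))
        elif rec["msg"].startswith("Process locked"):
            locked.add(rec["daemon"])
    findings = []
    if dups:  # the same <localfile> location is present more than once in the merged config
        findings.append("localfile defined more than once (check ossec.conf and any shared "
                        "agent.conf): " + ", ".join(sorted(dups)))
    if locked:  # child daemons block while ossec-agentd keeps .wait in place (no manager connection yet)
        findings.append("daemons waiting on .wait, i.e. ossec-agentd has not confirmed a "
                        "connection to the manager: " + ", ".join(sorted(locked)))
    return {"duplicated_localfiles": sorted(dups), "locked_daemons": sorted(locked),
            "wait_file_present": os.path.exists(wait_path), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against the real file with `triage(open("/var/ossec/logs/ossec.log").read())`; a persistent .wait file together with locked daemons points at the agent-to-manager connection rather than at the locked daemons themselves.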