[ossec-list] Loop on opensuse

Schultheis Burkhard Mon, 13 Jan 2020 06:04:54 -0800

Some weeks ago I've installed Ossec on on three servers. One is runningCentOS 6.10, the others Opensuse 15.1. The CentOS installation behavesas expected, but the opensuse installations behave very different,although the configurations are as close as possible.

From the CentOS server we get emails as expected, from the opensuseservers not (other programs send us emails as expected from allservers). The opensuse servers write tons of ossec logs, because it's ina start-terminate loop. Excerpt:


2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.

2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'rules_config.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'pam_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'sshd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'telnetd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'syslog_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'arpwatch_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'symantec-av_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'symantec-ws_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'pix_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'named_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'smbd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'vsftpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'pure-ftpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'proftpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ms_ftpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ftpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'hordeimp_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'roundcube_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'wordpress_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'cimserver_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'vpopmail_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'vmpop3d_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'courier_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'web_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'web_appsec_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'apache_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'nginx_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'php_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'mysql_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'postgresql_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ids_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'squid_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'firewall_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'apparmor_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'cisco-ios_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'netscreenfw_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'sonicwall_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'postfix_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'sendmail_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'imapd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'mailscanner_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'dovecot_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ms-exchange_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'racoon_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'vpn_concentrator_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'spamd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'msauth_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'mcafee_av_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'trend-osce_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ms-se_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'zeus_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'solaris_bsm_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'vmware_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ms_dhcp_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'asterisk_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'ossec_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'attack_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'openbsd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'clam_av_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'dropbear_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'sysmon_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'opensmtpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'exim_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'openbsd-dhcpd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'dnsmasq_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'nsd_rules.xml'2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:'local_rules.xml'

2020/01/13 13:45:25 ossec-analysisd: INFO: Total rules enabled: '1603'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'/etc/mail/statistics'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'/etc/svc/volatile'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/System32/LogFiles'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/WindowsUpdate.log'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/iis6.log'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/system32/wbem/Logs'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/system32/wbem/Repository'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/Prefetch'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/SoftwareDistribution'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'

2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/system32/config'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/system32/spool'2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file:'C:\WINDOWS/system32/CatRoot'

2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'
2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'
2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'

2020/01/13 13:45:25 ossec-analysisd: INFO: 4 IPs in the allow list foractive response.

2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing Hostname: '::1'

2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing Hostname:'localhost.localdomain'2020/01/13 13:45:25 ossec-analysisd: INFO: 2 Hostname(s) in the allowlist for active response.

2020/01/13 13:45:25 ossec-analysisd: INFO: Started (pid: 28524).
2020/01/13 13:45:26 ossec-monitord: INFO: Started (pid: 28536).

2020/01/13 13:45:28 ossec-monitord(1225): INFO: SIGNAL[(15)-(Terminated)] Received. Exit Cleaning...2020/01/13 13:45:28 ossec-logcollector(1225): INFO: SIGNAL[(15)-(Terminated)] Received. Exit Cleaning...2020/01/13 13:45:28 ossec-analysisd(1225): INFO: SIGNAL[(15)-(Terminated)] Received. Exit Cleaning...2020/01/13 13:45:28 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)]Received. Exit Cleaning...2020/01/13 13:45:28 ossec-execd(1314): INFO: Shutdown received. Deletingresponses.2020/01/13 13:45:28 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)]Received. Exit Cleaning...


Where should I look what could terminate the process?

Best regards
Burkhard

--

---You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/2f6a0b29-db32-1a1a-8a67-e031ce24bab3%40gmail.com.

[ossec-list] Loop on opensuse

Reply via email to