- Subject: [Ossec-list] The part of ossec were aborted
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Thu, 1 Jun 2006 23:39:46 -0300
Thanks for the information Peter. Can you send part of your logs just before
logcollector died (the messages complaining about the socket error)? Without
it I have no way of knowing what is going on... Next version will have some
better debug options to find these problems easily.
Thanks!
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 6/1/06, Peter Ahlert <peter at ifup.de> wrote:
> Hi,
>
> I would like to add just a quick "me too" ;) The log looks like the one from Oleksander
> - no sign of analysisd dying. Only the files analyzed are different:
>
>
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/error.log'.
> 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/access.log'.
>
> Greetings Peter
>
>
>
> On Wed, 31 May 2006 10:17:52 +0300
> "Oleksander Panchuk" <oleksander.panchuk at cbn-cis.org> wrote:
>
> > Hi Daniel,
> > I use 0.8 version of ossec.
> > Everything was started, please, see below.
> >
> > 2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > 2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
> > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> > 2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
> > 2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active response.
> > 2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
> > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
> > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
> > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue
> > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq'
> > (exec queue)
> > 2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
> > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/audit_log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/ssl_request_
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/suexec.log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > 2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
> > 2006/05/30 10:00:02 ossec-syscheckd: socketerr
> > 2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
> > 2006/05/30 10:00:03 ossec-logcollector: socketerr
> > 2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
> > 2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > 2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > 2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
> >
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
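Editor's note: Daniel asks for the socket-error lines logged just before logcollector died. The script below is an added example, not code from the thread or from the OSSEC project; it parses the ossec.log line format visible in the quoted logs (timestamp, daemon name, optional message code in parentheses, message), pulls out every daemon that logged "Giving up" together with the queue/socket errors that preceded it, and lists the daemons that started and never gave up (which is the "no sign of analysisd dying" check both posters made by eye). The regex, the marker strings and the function names are my own assumptions; the sample lines are copied from Oleksander's log as posted above, re-joined where the mail client wrapped them.

```python
import re

# ossec.log line format as it appears in the logs quoted in this thread (OSSEC 0.8):
#   YYYY/MM/DD HH:MM:SS daemon(code): message
#   YYYY/MM/DD HH:MM:SS daemon: message
# The regex is an assumption based on those lines, not an OSSEC specification.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[A-Za-z0-9_-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
STARTED_RE = re.compile(r"Started \(pid: (?P<pid>\d+)\)")

# Substrings of the queue/socket failure chain seen in the thread's log.
ERROR_MARKERS = ("socketerr", "Error sending message to queue", "not accessible", "Giving up")


def parse_line(line):
    """Parse one ossec.log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


def started_pids(lines):
    """Map daemon name -> list of PIDs taken from 'Started (pid: N)' lines."""
    pids = {}
    for rec in filter(None, map(parse_line, lines)):
        m = STARTED_RE.search(rec["msg"])
        if m:
            pids.setdefault(rec["daemon"], []).append(int(m.group("pid")))
    return pids


def queue_failures(lines, context=3):
    """For every daemon that logged 'Giving up', return that event plus the
    preceding queue/socket error lines from the same daemon (at most `context`)."""
    events = [r for r in map(parse_line, lines) if r]
    out = []
    for i, rec in enumerate(events):
        if "Giving up" not in rec["msg"]:
            continue
        prior = [p for p in events[:i]
                 if p["daemon"] == rec["daemon"]
                 and any(mk in p["msg"] for mk in ERROR_MARKERS)]
        out.append({"daemon": rec["daemon"], "ts": rec["ts"], "code": rec["code"],
                    "context": prior[-context:]})
    return out


def survivors(lines):
    """Daemons that logged a start and never logged 'Giving up'."""
    dead = {f["daemon"] for f in queue_failures(lines)}
    return sorted(d for d in started_pids(lines) if d not in dead)


# Sample input: the relevant lines of the log posted in this thread, re-joined.
SAMPLE_LOG = """\
2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
""".splitlines()

if __name__ == "__main__":
    for f in queue_failures(SAMPLE_LOG):
        print(f"{f['daemon']} gave up at {f['ts']} (code {f['code']}); preceding errors:")
        for c in f["context"]:
            print(f"    {c['ts']} ({c['code']}) {c['msg']}")
    print("still running per log:", ", ".join(survivors(SAMPLE_LOG)))
```

Run against a real /var/ossec/logs/ossec.log with `queue_failures(open(path).readlines())`; the context it returns is exactly the set of lines Daniel is asking for, and `survivors()` shows at a glance that analysisd (the queue's reader) never reported giving up, which is the observation both posters make.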
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.