[ossec-list] Re: The part of ossec were aborted
Hi Daniel,
I did upgrade, but every file ended up with the executable flag set.
I had to unset it by hand :).
I have one more question.
One directory was left empty:
/var/ossec/queue/agent-info
Some files were left unchanged from the first install:
/var/ossec/queue/fts/fts-queue
drwx------ 2 ossec ossec 4096 Jun 6 19:11 .
dr-xr-x--- 8 root ossec 4096 May 17 16:40 ..
-rw-r----- 1 ossec ossec 472 May 17 18:06 fts-queue
-rw-r----- 1 ossec ossec 0 Jun 6 19:11 ig-queue
/var/ossec/queue/rootcheck/rootcheck
Some files are zero in size:
/var/ossec/logs/firewall/2006/Jun/ossec-firewall-06.log
/var/ossec/logs/archives/2006/Jun/ossec-archive-06.log
And if the target system is both server and agent, I have to add the agent with
manage_agents. I didn't do so. Is that right?
Best regards,
Oleksander.
> -----Original Message-----
> From: Daniel Cid [mailto:daniel.cid@xxxxxxxxx]
> Sent: Tuesday, June 06, 2006 5:49 AM
> To: Peter Ahlert; Oleksander Panchuk
> Cc: ossec-list@xxxxxxxxx
> Subject: Re: [Ossec-list] The part of ossec were aborted
>
> Hi Peter and Oleksander,
>
> I just uploaded to the server version 0.8-2 of ossec. It has an "upgrade"
> option during the install that should make the updating very fast and
> easy.
> If you still see the problem, or if you want to run in debug mode, just
> execute the install script as:
>
> ./install debug
>
> It will set up debug mode. Note that by doing that ossec will generate
> a lot of messages in /var/ossec/logs/ossec.log (and should only
> be used for debugging problems). Can you try that?
>
> Download
> http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
>
>
> Thanks for the report and the cooperation.
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
>
> On 6/1/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > Thanks for the information Peter. Can you send part of your logs just
> > before logcollector died (the messages complaining about the socket error)?
> > Without it I have no way of knowing what is going on... Next version will
> > have some better debug options to find these problems easily.
> >
> > Thanks!
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
> >
> > On 6/1/06, Peter Ahlert <peter@xxxxxxx> wrote:
> > > Hi,
> > >
> > > I would like to add just a quick "me too" ;) The log looks like the
> > > one from Oleksander - no sign of analysisd dying. Only the files
> > > analyzed are different:
> > >
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/error.log'.
> > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/access.log'.
> > >
> > > Greetings Peter
> > >
> > >
> > >
> > > On Wed, 31 May 2006 10:17:52 +0300
> > > "Oleksander Panchuk" <oleksander.panchuk@xxxxxxxxxxx> wrote:
> > >
> > > > Hi Daniel,
> > > > I use version 0.8 of ossec.
> > > > Everything started, please see below.
> > > >
> > > > 2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
> > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> > > > 2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
> > > > 2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active response.
> > > > 2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
> > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
> > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
> > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue
> > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
> > > > 2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
> > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/audit_log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/ssl_request_
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/suexec.log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > > > 2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
> > > > 2006/05/30 10:00:02 ossec-syscheckd: socketerr
> > > > 2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
> > > > 2006/05/30 10:00:03 ossec-logcollector: socketerr
> > > > 2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
> > > > 2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > 2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > > > 2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > 2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
> > > >
> > > _______________________________________________
> > > ossec-list mailing list
> > > ossec-list@xxxxxxxxx
> > > http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
> > >
> >
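As an added example (not code from the thread or from the OSSEC project), a small Python helper that pulls the socket/queue error sequence Daniel asked for out of an ossec.log excerpt, grouping the errors per daemon and noting which daemons gave up on the queue. The sample lines are constructed after the excerpt quoted above, and the error codes are read off that quoted log rather than from OSSEC's source.

```python
import re
from collections import defaultdict
# ossec.log line shape seen in the thread: "YYYY/MM/DD HH:MM:SS daemon(code): msg", code optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
# Codes as quoted in the thread: 1224 send failed, 1210 queue not accessible, 1211 giving up.
QUEUE_ERROR_CODES = {"1224", "1210", "1211"}
GIVE_UP_CODE = "1211"

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines that are not ossec.log records

def triage(lines):
    """Group socket/queue errors per daemon and pair them with that daemon's 'Started' line."""
    started = {}
    report = defaultdict(lambda: {"started": None, "errors": [], "gave_up": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        daemon = rec["daemon"]
        if rec["msg"].startswith("Started"):
            started[daemon] = rec["ts"]
        if rec["code"] in QUEUE_ERROR_CODES or rec["msg"] == "socketerr":
            report[daemon]["errors"].append((rec["ts"], rec["code"], rec["msg"]))
            report[daemon]["started"] = started.get(daemon)
            if rec["code"] == GIVE_UP_CODE:
                report[daemon]["gave_up"] = True
    return dict(report)

# Constructed sample modelled on the excerpt quoted in the thread (not a real capture).
SAMPLE = """\
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
""".splitlines()

if __name__ == "__main__":
    for daemon, info in triage(SAMPLE).items():
        print(daemon, info["started"], len(info["errors"]), "gave up" if info["gave_up"] else "errors only")
```

Daemons that never hit the queue error (here ossec-analysisd) do not appear in the report, which makes the odd one out easy to spot when every client of a queue fails at the same minute.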
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.