[ossec-list] Re: The part of ossec were aborted
Hi Oleksander,
Which files were with the executable flags? The update only changes what
is necessary for the new version, so some old files or directories will
still be there.
The /var/ossec/queue/agent-info is only used by the server when there
are agents there.
These 0-size files are your current day's alerts. After the end of the
day, if they are still 0 size, they will be deleted.
If you are using the server/agent model, you need to add the agents
on the server. If you had done that before the update, you don't
need to do it again...
Hope it helps
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 6/6/06, Oleksander Panchuk <oleksander.panchuk@xxxxxxxxxxx> wrote:
> Hi Daniel,
>
> I did the upgrade, but every file ended up with the executable flag.
> I had to turn it off by hand :).
>
> I have one question yet.
> One directory left empty
> /var/ossec/queue/agent-info
>
> Some files were left unchanged from the first install
> /var/ossec/queue/fts/fts-queue
> drwx------ 2 ossec ossec 4096 Jun 6 19:11 .
> dr-xr-x--- 8 root ossec 4096 May 17 16:40 ..
> -rw-r----- 1 ossec ossec 472 May 17 18:06 fts-queue
> -rw-r----- 1 ossec ossec 0 Jun 6 19:11 ig-queue
>
> /var/ossec/queue/rootcheck/rootcheck
>
> Some files are zero size
>
> /var/ossec/logs/firewall/2006/Jun/ossec-firewall-06.log
> /var/ossec/logs/archives/2006/Jun/ossec-archive-06.log
>
> And if the target system is server and agent, I have to add the agent with
> manage_agents. I didn't. Is that right?
>
> Best regards,
> Oleksander.
>
>
>
>
> > -----Original Message-----
> > From: Daniel Cid [mailto:daniel.cid@xxxxxxxxx]
> > Sent: Tuesday, June 06, 2006 5:49 AM
> > To: Peter Ahlert; Oleksander Panchuk
> > Cc: ossec-list@xxxxxxxxx
> > Subject: Re: [Ossec-list] The part of ossec were aborted
> >
> > Hi Peter and Oleksander,
> >
> > I just uploaded to the server version 0.8-2 of ossec. It has an "upgrade"
> > option during the install that should make the updating very fast and easy.
> > If you still see the problem, or if you want to run on debug mode, just
> > execute the install script as:
> >
> > ./install debug
> >
> > It will set up debug mode. Note that by doing that ossec will generate
> > a lot of messages in /var/ossec/logs/ossec.log (and should only
> > be used for debugging problems). Can you try that?
> >
> > Download
> > http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
> >
> >
> > Thanks for the report and the cooperation.
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
> >
> >
> > On 6/1/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > > Thanks for the information Peter. Can you send part of your logs just before
> > > logcollector died (the messages complaining about the socket error)? Without
> > > it I have no way of knowing what is going on... Next version will have some
> > > better debug options to find these problems easily.
> > >
> > > Thanks!
> > >
> > > --
> > > Daniel B. Cid
> > > dcid @ ( at ) ossec.net
> > >
> > > On 6/1/06, Peter Ahlert <peter@xxxxxxx> wrote:
> > > > Hi,
> > > >
> > > > I would like to add just a quick "me too" ;) The log looks like the one from Oleksander
> > > > - no sign of analysisd dying. Only the files analyzed are different:
> > > >
> > > >
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/error.log'.
> > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/access.log'.
> > > >
> > > > Greetings Peter
> > > >
> > > >
> > > >
> > > > On Wed, 31 May 2006 10:17:52 +0300
> > > > "Oleksander Panchuk" <oleksander.panchuk@xxxxxxxxxxx> wrote:
> > > >
> > > > > Hi Daniel,
> > > > > I use 0.8 version of ossec.
> > > > > Everything was started, please see below.
> > > > >
> > > > > 2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> > > > > 2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
> > > > > 2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active response.
> > > > > 2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
> > > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
> > > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
> > > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue
> > > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
> > > > > 2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
> > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/audit_log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/ssl_request_
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/suexec.log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > > > > 2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
> > > > > 2006/05/30 10:00:02 ossec-syscheckd: socketerr
> > > > > 2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
> > > > > 2006/05/30 10:00:03 ossec-logcollector: socketerr
> > > > > 2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
> > > > > 2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > > 2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > > > > 2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > > 2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
> > > > >
>
>
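The failure Oleksander's log shows is not analysisd dying but syscheckd and logcollector losing their path to the analysisd queue socket and giving up (message ids 1224, 1210 and 1211). A quick triage of ossec.log for exactly that pattern is useful when reviewing an upgrade, so here is an added example; it is not code from the thread or from the OSSEC project. The sample log is constructed from the excerpt above, the message-id set is an assumption taken from that excerpt, and `check_queue_socket` is a hypothetical helper name.

```python
import os
import re
import stat
from collections import defaultdict

# Constructed sample, modelled on the ossec.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# "YYYY/MM/DD HH:MM:SS daemon(optional id): message", as seen in the excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<msgid>\d+)\))?: (?P<msg>.*)$"
)

# Assumption: these ids mark queue trouble, taken from the thread's log lines.
QUEUE_FAILURE_IDS = {1224, 1210, 1211}
GIVE_UP_ID = 1211   # "Unable to access queue ... Giving up.."


def parse_line(line):
    """Split one ossec.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["msgid"] = int(fields["msgid"]) if fields["msgid"] else None
    return fields


def triage(log_text):
    """Summarise queue failures per daemon: first error time, count, queue path, gave up."""
    report = defaultdict(
        lambda: {"first_error": None, "errors": 0, "queue": None, "gave_up": False}
    )
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        is_failure = ev["msgid"] in QUEUE_FAILURE_IDS or ev["msg"].strip() == "socketerr"
        if not is_failure:
            continue
        entry = report[ev["daemon"]]
        entry["errors"] += 1
        if entry["first_error"] is None:
            entry["first_error"] = ev["ts"]
        quoted = re.search(r"'([^']+)'", ev["msg"])
        if quoted:
            entry["queue"] = quoted.group(1)
        if ev["msgid"] == GIVE_UP_ID:
            entry["gave_up"] = True
    return dict(report)


def dead_daemons(report):
    """Daemons that logged the terminal 'Giving up' message, sorted by name."""
    return sorted(name for name, entry in report.items() if entry["gave_up"])


def check_queue_socket(path):
    """Hypothetical helper: is the queue path present and actually a Unix socket?"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unreadable"
    return "present" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for name, entry in sorted(summary.items()):
        print(f"{name}: first error {entry['first_error']}, {entry['errors']} errors, "
              f"queue {entry['queue']}, gave up: {entry['gave_up']}")
    print("daemons that gave up:", dead_daemons(summary))
    print("queue socket:", check_queue_socket("/var/ossec/queue/ossec/queue"))
```

When the triage shows both daemons gave up on the same queue path, the thing to inspect is the daemon that serves that socket rather than the daemons that failed to reach it; that is consistent with the thread's observation that analysisd itself showed no sign of dying while its clients did.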
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.