
[ossec-list] Re: strftime() on Solaris 8



I did as you suggested and the log and email times are now correct.
FWIW, we only have one timezone on our servers, so I didn't copy all of
/usr/share/lib/zoneinfo/*.  It seems to be working just fine.

For timezone "US/East-Indiana":

cp -p /etc/TIMEZONE /opt/ossec/etc/TIMEZONE
mkdir -p /opt/ossec/usr/share/lib/zoneinfo/US
cp -p /usr/share/lib/zoneinfo/US/East-Indiana \
	/opt/ossec/usr/share/lib/zoneinfo/US/East-Indiana

/opt/ossec/bin/ossec-control restart

Thanks!

-- Leslie Arvin
    arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
    Network Systems Administrator, ITI-Unix Platforms
    Purdue University, Information Technology at Purdue


Daniel Cid wrote:
> Hi Leslie,
> 
> I was talking to Ahmet about this problem and I think we know what
> is going on. Ossec runs on a chroot jail, so it does not have access
> to /etc/timezone, /etc/localtime or any other time related file. During
> install, the script copies /etc/localtime to /var/ossec/etc/localtime
> (which works for Linux and *BSD). However, on Solaris we also need
> to copy the following:
> 
> cp -pr /etc/timezone /var/ossec/etc/timezone   (if you have it)
> cp -pr /etc/TIMEZONE /var/ossec/etc/TIMEZONE
> mkdir -p /var/ossec/usr/share/lib/zoneinfo/
> cp -pr /usr/share/lib/zoneinfo/* /var/ossec/usr/share/lib/zoneinfo/
> 
> And restart ossec? It should fix this issue. For the next release, we
> are going to do that automatically during install. Let us know
> if it works or not.
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
> 
> On 6/7/06, Leslie S Arvin <arvin@xxxxxxxxxx> wrote:
>> Thanks all for replying.  Changing the source to use %Z in maild.c:strftime()
>> is quieting SpamAssassin.
>>
>> I am also seeing strangeness with the dates in the alert logs
>> and in the Date: line of emails.  The time value returned is not
>> adjusting for timezone/daylight savings time -- it is printing GMT.
>>
>> Specifically, an alert at 15:11:35 US/East-Indiana -0400 creates
>> this in its entry in the alert logs:
>>
>> ** Alert 1149707495.15121: mail
>> 2006 Jun 07 19:11:35 /var/adm/messages
>>
>> and creates this email header excerpt in its notification:
>>
>> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxxxx>
>> Date: Wed, 07 Jun 2006 19:11:45 US/East
>>
>> Separate tests with localtime() confirm that it returns the correct
>> timezone-adjusted time; however, my test C program prints "EDT" for
>> the %Z value to strftime(), not "US/East" as in the email headers,
>> so I'm wondering if I'm testing the right version of localtime().
>>
>> This is ossec-hids 0.8 on Solaris 8 sparc.
>>
>> -- Leslie Arvin
>>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
>>     Network Systems Administrator, ITI-Unix Platforms
>>     Purdue University, Information Technology at Purdue
>>
>>
>> Daniel Cid wrote:
>>> From what I'm seeing (after checking some standards) we should
>>> have used the uppercase Z instead of the lowercase one. It will
>>> fail on most non-linux and non-bsd systems...
>>>
>>> Thanks for reporting it!
>>>
>>> --
>>> Daniel B. Cid
>>> dcid @ ( at ) ossec.net
>>>
>>>
>>> On 6/7/06, oahmet <oahmet@xxxxxxxxxxx> wrote:
>>>> Hi Leslie,
>>>>
>>>> Thanks for reporting this issue. I'll work on it.
>>>> However in order to make ossec-hids work on your environment, you may
>>>> want to edit "src/os_maild/sendmail.c" file and change line 212:
>>>>
>>>> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
>>>> to
>>>> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %Z\r\n",p);
>>>> (I mean change %z -> %Z). and install ossec-hids.
>>>>
>>>> Then it will print "timezone name" instead of  "hour offset from GMT".
>>>>
>>>> Best Regards,
>>>>
>>>> Ahmet Ozturk.
>>>>
>>>> Leslie S Arvin wrote:
>>>>> I'm getting sendmail errors because the default strftime() on Solaris 8
>>>>> does not support %z.  The Date: in the formatted email is displaying as:
>>>>>
>>>>> Date: Wed, 07 Jun 2006 15:14:31 %z
>>>>>
>>>>> and getting flagged by SpamAssassin.
>>>>>
>>>>> Since ossec has been tested on Solaris 2.8 (Sparc) systems, how does one
>>>>> get around this?
>>>>>
>>>>> -- Leslie Arvin
>>>>>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
>>>>>     Network Systems Administrator, ITI-Unix Platforms
>>>>>     Purdue University, Information Technology at Purdue
>>>>>
>>>>>
>>>
> 
> 
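An added example, not code from this thread or from OSSEC: one way to build the `Date:` header with a numeric offset on a libc whose strftime() lacks `%z`, by deriving the offset from localtime() and gmtime(). The function names and the POSIX TZ rule strings are assumptions made for illustration; the timestamp is the alert time quoted above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv(), tzset() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Seconds east of UTC at instant t, from localtime() vs gmtime() only,
 * so it needs neither %z nor the non-standard tm_gmtoff field. */
long utc_offset_seconds(time_t t)
{
    struct tm lt = *localtime(&t);   /* copy: gmtime() may reuse the buffer */
    struct tm gt = *gmtime(&t);
    long days = lt.tm_yday - gt.tm_yday;
    if (lt.tm_year != gt.tm_year)    /* local and UTC dates straddle New Year */
        days = (lt.tm_year > gt.tm_year) ? 1 : -1;
    return days * 86400L + (lt.tm_hour - gt.tm_hour) * 3600L
         + (lt.tm_min - gt.tm_min) * 60L + (lt.tm_sec - gt.tm_sec);
}

/* Write "Date: <local time> +hhmm\r\n" into out; 0 on success, -1 on error. */
int format_date_header(time_t t, char *out, size_t len)
{
    struct tm lt = *localtime(&t);
    long off = utc_offset_seconds(t), mag = off < 0 ? -off : off;
    char stamp[64];
    if (!strftime(stamp, sizeof stamp, "%a, %d %b %Y %T", &lt)) return -1;
    int n = snprintf(out, len, "Date: %s %c%02ld%02ld\r\n", stamp,
                     off < 0 ? '-' : '+', mag / 3600, (mag % 3600) / 60);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Demo helper (hypothetical): format t under a POSIX TZ rule string. */
const char *date_header_in_zone(const char *tz, time_t t)
{
    static char buf[128];
    setenv("TZ", tz, 1);
    tzset();
    return format_date_header(t, buf, sizeof buf) == 0 ? buf : "";
}

int main(void)
{
    /* Constructed input: alert time from the thread, US Eastern rules for 2006. */
    fputs(date_header_in_zone("EST5EDT4,M4.1.0,M10.5.0", 1149707495), stdout);
    return 0;
}
```

Inside a chroot with no zone data, localtime() falls back to UTC and this prints `+0000` with the UTC clock time, so the header stays self-consistent even before the timezone files are copied in.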
