[Ossec-list] The part of ossec were aborted
- Subject: [Ossec-list] The part of ossec were aborted
- From: oleksander.panchuk at cbn-cis.org (Oleksander Panchuk)
- Date: Wed, 31 May 2006 10:17:52 +0300
Hi Daniel,
I use version 0.8 of ossec.
Everything started; please see below.
2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active response.
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/audit_log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/ssl_request_
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/suexec.log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
This is the last message from ossec-alerts-30.log:
** Alert 1148972399.27274: mail
2006 May 30 09:59:59 /var/log/squid/store.log
Rule: 102 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
RELEASE 00 000001B6 D6C15FA04F99D2C0BFBAD4CCA27E9BEB ? ? ? ? ?/?
Oleksander.
> -----Original Message-----
> From: Daniel Cid [mailto:daniel.cid at gmail.com]
> Sent: Tuesday, May 30, 2006 5:38 PM
> To: Oleksander Panchuk
> Cc: ossec-list at ossec.net
> Subject: Re: [Ossec-list] The part of ossec were aborted
>
> Hi Oleksander,
>
> Are you using version 0.8? Did you get any message about analysisd
> starting? Basically, logcollector and syscheckd send their messages
> to analysisd. If it is not running, you will get these errors (unable to
> connect to socket). Can you also show us your logs from 5
> minutes before logcollector died?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
> On 5/30/06, Oleksander Panchuk <oleksander.panchuk at cbn-cis.org> wrote:
> >
> > Hello again.
> >
> > What happened with ossec-logcollector and ossec-syscheckd?
> >
> > It is repeated 10-15 minutes after each restart of ossec.
> >
> > ..
> >
> > ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > ossec-logcollector: Started (pid: 2372).
> > ossec-syscheckd: socketerr
> > ossec-syscheckd(1224): Error sending message to queue.
> > ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > ossec-logcollector: socketerr
> > ossec-logcollector(1224): Error sending message to queue.
> > ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up
> >
> > I updated the Linux OS:
> >
> > libgomp.i386 4.1.1-1.fc5
> > gcc.i386 4.1.1-1.fc5
> > libgcj-devel.i386 4.1.1-1.fc5
> > libstdc++-devel.i386 4.1.1-1.fc5
> > gcc-java.i386 4.1.1-1.fc5
> > cpp.i386 4.1.1-1.fc5
> > libgcj.i386 4.1.1-1.fc5
> > gcc-c++.i386 4.1.1-1.fc5
> > libtool-ltdl.i386 1.5.22-2.3
> > libgcc.i386 4.1.1-1.fc5
> > libtool.i386 1.5.22-2.3
> > apr-devel.i386 1.2.2-7.3
> > libgnat.i386 4.1.1-1.fc5
> > libstdc++.i386 4.1.1-1.fc5
> > apr.i386 1.2.2-7.3
> >
> > Best regards,
> >
> > Aleksander.
> >
> > _______________________________________________
> > ossec-list mailing list
> > ossec-list at ossec.net
> > http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
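Daniel's explanation in the quoted reply (logcollector and syscheckd push their events to analysisd through a queue, and log these errors and exit when that queue stops accepting them) can be turned into a quick diagnostic. The script below is an added example written for this archive page; it is not code from the OSSEC project or from either poster. It parses ossec.log lines in the 0.8 format quoted above, reports which daemons gave up on the queue and how long after their own start, and probes the queue socket the way a client would. The sample log lines are constructed from the ones quoted in the thread, and the path /var/ossec/queue/ossec/queue is the one in the error messages; that the queue is a Unix datagram socket is an assumption about OSSEC's client behaviour, as is the meaning attached to codes 1224/1210/1211.

```python
"""Diagnose OSSEC 'queue not accessible' errors from ossec.log.

Added example for this thread, not OSSEC project code. It parses the 0.8
log format quoted above, reports which daemons gave up on the analysisd
queue, and probes the queue socket as a client (logcollector/syscheckd) would.
"""
import os
import re
import socket
import stat
from datetime import datetime

# Path quoted in the thread's error messages.
DEFAULT_QUEUE = "/var/ossec/queue/ossec/queue"

# "YYYY/MM/DD HH:MM:SS daemon(code): message"; the (code) part is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)

# Error codes in the order a client emits them before exiting (assumed meaning).
QUEUE_ERRORS = {"1224": "send failed", "1210": "queue not accessible", "1211": "gave up"}

# Constructed sample: a subset of the lines quoted in the thread, same timestamps.
SAMPLE_LOG = """\
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
""".splitlines()


def parse_ossec_log(lines):
    """Yield (timestamp, daemon, code-or-None, message) for each parseable line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group("daemon"), m.group("code"), m.group("msg")


def analyze(lines):
    """Return (started, failures).

    started:  {daemon: timestamp of its 'Started (pid: ...)' line}
    failures: {daemon: {"codes": [...], "gave_up": ts, "uptime_s": seconds}}
    uptime_s is start-to-'Giving up' (code 1211); None if either is unknown.
    """
    started, failures = {}, {}
    for ts, daemon, code, msg in parse_ossec_log(lines):
        if msg.startswith("Started (pid:"):
            started[daemon] = ts
        elif code in QUEUE_ERRORS:
            f = failures.setdefault(daemon, {"codes": [], "gave_up": None})
            f["codes"].append(code)
            if code == "1211":
                f["gave_up"] = ts
    for daemon, f in failures.items():
        t0 = started.get(daemon)
        f["uptime_s"] = (f["gave_up"] - t0).total_seconds() if t0 and f["gave_up"] else None
    return started, failures


def probe_queue(path=DEFAULT_QUEUE):
    """Check the queue socket as a client would; returns (ok, reason).

    Assumption: the queue is a Unix *datagram* socket, so connect() succeeds
    only while a process (analysisd) is bound to it. A stale socket file left
    by a dead analysisd still exists but refuses the connect.
    """
    if not os.path.exists(path):
        return False, "missing"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return False, "not a socket"
    if not os.access(path, os.W_OK):
        return False, "not writable by this uid"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return True, "connected"
    except OSError as e:
        return False, "connect failed: %s" % e.strerror
    finally:
        s.close()


if __name__ == "__main__":
    started, failures = analyze(SAMPLE_LOG)
    print("analysisd started:", started.get("ossec-analysisd"))
    for daemon, f in failures.items():
        print("%s gave up at %s after %ss (codes %s)"
              % (daemon, f["gave_up"], f["uptime_s"], ",".join(f["codes"])))
    print("queue socket:", probe_queue())
```

On the thread's log this reports both clients giving up about 26 minutes after start, which is the window Daniel asks to see. The probe is the check to run right after such a failure: an existing socket file does not prove analysisd is alive, since the file survives the process, so "connect failed: Connection refused" on a present socket points at analysisd having died or been replaced, while "missing" or "not writable" points at the install layout or permissions under /var/ossec/queue.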
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.