
[ossec-list] Re: OSSEC error message blows up log file



Hi John (and David),

I never saw these messages myself on ossec since they can only happen if your
integrity checking database gets corrupted. It could happen if you upgraded from
an old version of ossec (before 1.0) and the upgrade didn't work out
very well....

Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck?
I want to see what is wrong in there...

Btw, is anyone else seeing those? If yes, please send me a copy of the above
directory to debug...


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/31/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John,
>         Daniel will be able to explain further I'm sure.  It appears there
> are null string (missing) names in your integrity database.  Those
> messages look like warnings rather than serious errors (the testing
> just moves on to the next entry).  In my case, when I start to see
> those, I stop ossec, delete the databases and let ossec rebuild
> them.  I'm sure that's not the best way to deal with the issue
> though....
>         -David
>
> John Whittington wrote:
> > Hi – I'm pretty new to OSSEC, please bear with me:
> > I recently set up OSSEC-HIDS to manage several RHEL machines – our
> > organization's web servers. One machine was set up as the server with 13
> > agents. I configured them with the install script and pretty quickly
> > seemed to get them up and running. I am having two problems, one of
> > which concerns false positives, but I'll post that to a different thread.
> > My immediate problem is this: in the past week I've been getting the
> > following error showing up in log/ossec.log:
> >
> > ossec-analysisd: Invalid integrity message in the database.
> >
> > When it returns this error, it does so many times over; typically > 500
> > times in the last three days, but on Friday it wrote this error 668,072
> > times. Needless to say our ossec.log file has suddenly gotten rather
> > large. I've restarted OSSEC on the server a few times now without it
> > seeming to make any difference.
> >
> > Can anyone tell me what this error means? I only found one page on the
> > OSSEC site that mentions it specifically, and it was a thread from the
> > dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself
> > seems to keep working fine, and still alerts us to events like new users
> > logging in or changes to system files. Any feedback would be
> > appreciated; I can send more detailed info as requested.
> > Thanks – John
>
> - --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFGr9iWCzuSgviBh00RAudSAKCnZP7w5DC5CZvOTaX6JkbQKRy/AQCgqb1/
> cXQezqI9ag/GpXZAElebIn4=
> =Wa6Z
> -----END PGP SIGNATURE-----
>




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.