[ossec-list] Re: OSSEC error message blows up log file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel,
I was just writing to say I've not seen that problem in a while --
but I just checked the logs and it's back. I upgraded the server
which required a reboot recently and I believe I did a
syscheck_update -a after that. I've also just swapped some machines
around (same name and IP became different hardware); when I did
that, I removed the old agent and created a new agent, with a new,
higher ID. And I don't see how this makes a difference but I have
ossec installed in /home/ossec (where I have lots of room to grow).
All of these systems now have been rebuilt recently with 1.2.
I have a gzipped tar file of the directory (334K) and a gzipped
copy of ossec.log (3.4M); where should I send them (and do you want
the log file)?
-David
Daniel Cid wrote:
> Hi John (and David),
>
> I never saw these messages myself on ossec since they can only happen if your
> integrity checking database gets corrupted. It could happen if you upgraded from
> an old version of ossec (before 1.0) and the upgrade didn't work out
> very well....
>
> Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck?
> I want to see what is wrong in there...
>
> Btw, is anyone else seeing those? If yes, please send me a copy of the above
> directory to debug...
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 7/31/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
> John,
> Daniel will be able to explain further I'm sure. It appears there
> are null string (missing) names in your integrity database. Those
> messages look like warnings rather than serious errors (the testing
> just moves on to the next entry). In my case, when I start to see
> those, I stop ossec, delete the databases and let ossec rebuild
> them. I'm sure that's not the best way to deal with the issue
> though....
> -David
>
> John Whittington wrote:
>>>> Hi, I'm pretty new to OSSEC, so please bear with me:
>>>> I recently set up OSSEC-HIDS to manage several RHEL machines, our
>>>> organization's web servers. One machine was set up as the server with 13
>>>> agents. I configured them with the install script and pretty quickly
>>>> seemed to get them up and running. I am having two problems, one of
>>>> which concerns false positives, but I'll post that to a different thread.
>>>> My immediate problem is this: in the past week I've been getting the
>>>> following error showing up in log/ossec.log:
>>>>
>>>> ossec-analysisd: Invalid integrity message in the database.
>>>>
>>>> When it returns this error, it does so many times over; typically > 500
>>>> times in the last three days, but on Friday it wrote this error 668,072
>>>> times. Needless to say our ossec.log file has suddenly gotten rather
>>>> large. I've restarted OSSEC on the server a few times now without it
>>>> seeming to make any difference.
>>>>
>>>> Can anyone tell me what this error means? I only found one page on the
>>>> OSSEC site that mentions it specifically, and it was a thread from the
>>>> dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself
>>>> seems to keep working fine, and still alerts us to events like new users
>>>> logging in or changes to system files. Any feedback would be
>>>> appreciated; I can send more detailed info as requested.
>>>> Thanks, John
>>
- --
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFGsn/LCzuSgviBh00RAjXzAKC0igHvP1ETAfGnTGQSaESjQfS2mwCeLFs2
baxYzDgLE1JfA6kh1nUxk00=
=zJc2
-----END PGP SIGNATURE-----
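John's original report gives counts of the repeated "Invalid integrity message in the database." line per day and notes that the log file ballooned. The following is an added example, not code from the thread or from the OSSEC project: a small Python tally over ossec.log lines that reports how many times that message appears per day, which days exceed a chosen threshold, and what share of the log it occupies. The sample log lines are constructed here for illustration; the only assumption about the real ossec.log is its "YYYY/MM/DD HH:MM:SS program: message" line layout.

```python
import re
from collections import Counter

# Constructed sample ossec.log excerpt (not taken from the thread). The layout
# "YYYY/MM/DD HH:MM:SS <program>: <message>" is the one ossec.log uses.
SAMPLE_LOG = """\
2007/07/27 09:12:01 ossec-analysisd: Invalid integrity message in the database.
2007/07/27 09:12:01 ossec-analysisd: Invalid integrity message in the database.
2007/07/27 09:12:02 ossec-analysisd: Invalid integrity message in the database.
2007/07/27 10:00:00 ossec-remoted: INFO: Started (pid: 1234).
2007/07/28 03:15:44 ossec-analysisd: Invalid integrity message in the database.
2007/07/29 11:45:09 ossec-syscheckd: INFO: Starting syscheck scan.
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} (\S+): (.*)$")
TARGET = "Invalid integrity message in the database."


def tally_errors(lines, message=TARGET):
    """Return (per_day_counts, total_nonblank_lines) for lines whose
    message part equals `message`. Lines that do not match the ossec.log
    layout are counted toward the total but never toward the error tally."""
    per_day = Counter()
    total = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        total += 1
        m = LINE_RE.match(line)
        if not m:
            continue
        day, _program, msg = m.groups()
        if msg == message:
            per_day[day] += 1
    return per_day, total


def noisy_days(per_day, threshold):
    """Days on which the message was logged more than `threshold` times."""
    return sorted(day for day, n in per_day.items() if n > threshold)


def storm_ratio(per_day, total):
    """Fraction of all log lines that are the repeated message (0.0 if empty)."""
    return sum(per_day.values()) / total if total else 0.0


if __name__ == "__main__":
    per_day, total = tally_errors(SAMPLE_LOG.splitlines(keepends=True))
    for day in sorted(per_day):
        print(day, per_day[day])
    print("days over threshold:", noisy_days(per_day, 2))
    print("share of log: %.2f" % storm_ratio(per_day, total))
```

Run it against the real file with `tally_errors(open("/var/ossec/queue/../logs/ossec.log"))` adjusted to wherever the install lives (David's is under /home/ossec); a day whose count jumps by orders of magnitude, as in John's 668,072, is the one whose syscheck database copy is worth sending along.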
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.