
[ossec-list] Re: OSSEC error message blows up log file



Hi David,

The issue with syscheck_update is that it requires restarting the
server after you use that. Otherwise, you can get some very weird
errors (like the one mentioned).
The best way to do it is by:

-Stopping server.
-Running syscheck_update
-Starting server.

Maybe that was the issue?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net



On 8/2/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel,
>         I was just writing to say I've not seen that problem in a while --
> but I just checked the logs and it's back.  I upgraded the server
> which required a reboot recently and I believe I did a
> syscheck_update -a after that.  I've also just swapped some machines
> around (same name and IP became different hardware); when I did
> that, I removed the old agent and created a new agent, with a new,
> higher ID.  And I don't see how this makes a difference but I have
> ossec installed in /home/ossec (where I have lots of room to grow).
>  All of these systems now have been rebuilt recently with 1.2.
>         I have a gzipped tar file of the directory (334K) and a gzipped
> copy of ossec.log (3.4M); where should I send them (and do you want
> the log file)?
>         -David
>
>
> Daniel Cid wrote:
> > Hi John (and David),
> >
> > I never saw these messages myself on ossec since they can only happen if your
> > integrity checking database gets corrupted. It could happen if you upgraded from
> > an old version of ossec (before 1.0) and the upgrade didn't work out
> > very well....
> >
> > Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck?
> > I want to see what is wrong in there...
> >
> > Btw, is anyone else seeing those? If yes, please send me a copy of the above
> > directory to debug...
> >
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 7/31/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
> > John,
> >         Daniel will be able to explain further I'm sure.  It appears there
> > are null string (missing) names in your integrity database.  Those
> > messages look like warnings rather than serious errors (the testing
> > just moves on to the next entry).  In my case, when I start to see
> > those, I stop ossec, delete the databases and let ossec rebuild
> > them.  I'm sure that's not the best way to deal with the issue
> > though....
> >         -David
> >
> > John Whittington wrote:
> >>>> Hi, I'm pretty new to OSSEC, please bear with me:
> >>>> I recently set up OSSEC-HIDS to manage several RHEL machines, our
> >>>> organization's web servers. One machine was set up as the server with 13
> >>>> agents. I configured them with the install script and pretty quickly
> >>>> seemed to get them up and running. I am having two problems, one of
> >>>> which concerns false positives, but I'll post that to a different thread.
> >>>> My immediate problem is this: in the past week I've been getting the
> >>>> following error showing up in log/ossec.log:
> >>>>
> >>>> ossec-analysisd: Invalid integrity message in the database.
> >>>>
> >>>> When it returns this error, it does so many times over; typically > 500
> >>>> times in the last three days, but on Friday it wrote this error 668,072
> >>>> times. Needless to say our ossec.log file has suddenly gotten rather
> >>>> large. I've restarted OSSEC on the server a few times now without it
> >>>> seeming to make any difference.
> >>>>
> >>>> Can anyone tell me what this error means? I only found one page on the
> >>>> OSSEC site that mentions it specifically, and it was a thread from the
> >>>> dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself
> >>>> seems to keep working fine, and still alerts us to events like new users
> >>>> logging in or changes to system files. Any feedback would be
> >>>> appreciated; I can send more detailed info as requested.
> >>>> Thanks, John
> >>
>
> - --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFGsn/LCzuSgviBh00RAjXzAKC0igHvP1ETAfGnTGQSaESjQfS2mwCeLFs2
> baxYzDgLE1JfA6kh1nUxk00=
> =zJc2
> -----END PGP SIGNATURE-----
>
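The stop / syscheck_update / start sequence Daniel recommends, together with a check for the warning John saw, written up as a small POSIX shell script. This is an added example for this thread and is not code from the list or from the OSSEC project. It assumes the install directory layout referred to in the thread (default /var/ossec, overridable because David's is /home/ossec), that bin/ossec-control and bin/syscheck_update -a behave as the posters used them, that ossec-control leaves the daemons' pid files under var/run, and a constructed ossec.log sample built around the exact line John reported (timestamps and pids invented).

```shell
#!/bin/sh
# Added example for this thread, not code from the OSSEC project.
# Assumptions: OSSEC lives under $OSSEC_DIR (default /var/ossec; David's
# install is /home/ossec), bin/ossec-control and bin/syscheck_update -a
# behave as used in the thread, and ossec-control leaves the daemons'
# pid files under var/run.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
INTEGRITY_ERR='Invalid integrity message in the database'

# How many times analysisd logged the corrupted-database warning.
# Prints 0 for a missing log rather than failing.
count_integrity_errors() {
    if [ -r "$1" ]; then
        grep -c "$INTEGRITY_ERR" "$1" || true
    else
        echo 0
    fi
}

# Exit 0 when the count is at or above a threshold (default 100), i.e.
# the syscheck database looks corrupt and an offline rebuild is due.
integrity_db_suspect() {
    [ "$(count_integrity_errors "$1")" -ge "${2:-100}" ]
}

# Run a command, or only print it when OSSEC_DRY_RUN is set, so the
# sequence can be reviewed on a host without OSSEC installed.
run() {
    if [ -n "${OSSEC_DRY_RUN:-}" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# True when any daemon whose pid file sits under var/run is still alive
# (pid-file location is an assumption about ossec-control).
ossec_daemons_running() {
    for pidfile in "$OSSEC_DIR"/var/run/*.pid; do
        [ -e "$pidfile" ] || continue
        if kill -0 "$(cat "$pidfile")" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Daniel's sequence: stop, syscheck_update, start. It refuses to run
# syscheck_update while daemons are still up, since updating the
# database under a running server is what leads to the warnings.
safe_syscheck_update() {
    run "$OSSEC_DIR/bin/ossec-control" stop || return 1
    if [ -z "${OSSEC_DRY_RUN:-}" ] && ossec_daemons_running; then
        echo "ossec daemons still running after stop; not updating" >&2
        return 1
    fi
    run "$OSSEC_DIR/bin/syscheck_update" -a || return 1
    run "$OSSEC_DIR/bin/ossec-control" start
}

# Constructed sample of ossec.log: two copies of the line John reported
# plus one invented filler line. Timestamps and pid are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2007/08/03 10:15:01 ossec-analysisd: Invalid integrity message in the database.
2007/08/03 10:15:01 ossec-analysisd: Invalid integrity message in the database.
2007/08/03 10:15:02 ossec-execd: Started (pid: 4242).
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "integrity warnings in sample log: $(count_integrity_errors "$sample")"
if integrity_db_suspect "$sample" 2; then
    # Dry run in a subshell so the flag does not leak to later calls.
    ( OSSEC_DRY_RUN=1; safe_syscheck_update )
fi
rm -f "$sample"
```

On a real server, run it without OSSEC_DRY_RUN and with OSSEC_DIR pointing at the install; the daemon check between stop and syscheck_update is the part that matters, since it is the step the thread says was skipped.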




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.