This is how to log to an SQL database: http://www.ossec.net/wiki/Know_How:DatabaseOutput

But I don't think the problem has anything to do with an SQL database. I was thinking syscheck_control -u all: "-u all Updates (clear) the database for all agents."

I guess you could manually clear out the syscheck database file(s). I'd copy them off first as a backup. They should be located in: /var/ossec/queue/syscheck. There is the syscheck file, which I think is the server, and various "(AGENT) IP_ADDRESS->syscheck" files. Maybe after stopping the ossec processes and copying the files, try to clear them out manually...

On Tue, May 18, 2010 at 8:41 AM, Adi CHIRU <[email protected]> wrote:
> Hi Dan,
>
> If by clearing the syscheck database you mean:
> ./syscheck_update -a
> and/or
> ./syscheck_update -u local
>
> I already did that while ossec daemons were stopped.
> After restart the same errors appear in logs.
> I am using ossec-hids-2.4.1.
> The above error messages appear in server and agent logs.
>
> Can you please give me the SQL syntax/file (or a link) to create the MySQL
> database; I suspect the problem may be from the structure of the database I
> use now.
>
> Thanks,
> Adi
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, May 17, 2010 5:27 PM
> To: [email protected]
> Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.
>
> I don't know what's going on with the messages, but you could try
> stopping the server and clearing the syscheck database for that agent.
>
> On Mon, May 17, 2010 at 9:19 AM, Adi CHIRU <[email protected]> wrote:
>> Hi guys,
>>
>> I have some problems with ossec syscheck as it seems it does not catch all
>> the events that happen in a directory configured to be monitored in
>> real-time. To find out what is going wrong I was watching the logs and found
>> the below errors for which I could not find a relevant discussion/solution
>> with google.
>>
>> Can you please help?
>>
>> 2010/05/17 12:29:35 ossec-logcollector: INFO: Started (pid: 11462).
>> 2010/05/17 12:30:06 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2010/05/17 12:31:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2010/05/17 12:33:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2010/05/17 12:34:12 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:38:28 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2010/05/17 12:38:48 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2010/05/17 12:41:08 ossec-rootcheck: INFO: Ending rootcheck scan.
>> 2010/05/17 13:04:17 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:06:18 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>>
>> If you need any other info please let me know...
>>
>> Thanks,
>>
>> Adi
>
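The manual procedure dan outlines in the reply above (stop the OSSEC processes, copy the files under /var/ossec/queue/syscheck off as a backup, then clear them) as an added shell example. This is not code from the thread or from the OSSEC project. It assumes an install under /var/ossec with /var/ossec/bin/ossec-control as the daemon control script, and a backup location under /var/ossec/backup; both are assumptions, not something the thread states. Only the demo at the bottom runs when the file is executed, and it touches nothing but a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread: dan's "stop, back up,
# clear" procedure for the syscheck queue files, written as small functions.
# Assumed (not from the thread): OSSEC under /var/ossec, ossec-control in
# its bin directory, backups under /var/ossec/backup.

OSSEC_DIR=${OSSEC_DIR:-/var/ossec}

# backup_syscheck_queue QUEUE_DIR BACKUP_DIR
# Copy every regular file in QUEUE_DIR (the server's "syscheck" file and the
# per-agent "(AGENT) IP->syscheck" files) into BACKUP_DIR, keeping
# timestamps. Prints the number of files copied.
backup_syscheck_queue() {
    _q=$1; _b=$2; _n=0
    mkdir -p "$_b" || return 1
    for _f in "$_q"/*; do
        [ -f "$_f" ] || continue          # skip subdirectories
        cp -p "$_f" "$_b"/ || return 1    # quoted: agent names contain spaces and "->"
        _n=$((_n + 1))
    done
    echo "$_n"
}

# clear_syscheck_queue QUEUE_DIR
# Truncate each regular file to zero length rather than deleting it, so the
# daemons still find the files they expect after restart. Prints the count.
clear_syscheck_queue() {
    _q=$1; _n=0
    for _f in "$_q"/*; do
        [ -f "$_f" ] || continue
        : > "$_f" || return 1
        _n=$((_n + 1))
    done
    echo "$_n"
}

# queue_is_empty QUEUE_DIR
# Succeeds only if every regular file in QUEUE_DIR is zero length.
queue_is_empty() {
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        [ -s "$_f" ] && return 1
    done
    return 0
}

# reset_live_syscheck
# The full procedure against a real install: stop OSSEC, back up, clear,
# restart. Not called by the demo below; run it yourself as root.
reset_live_syscheck() {
    _queue="$OSSEC_DIR/queue/syscheck"
    _backup="$OSSEC_DIR/backup/syscheck-$(date +%Y%m%d%H%M%S)"   # assumed layout
    [ -d "$_queue" ] || { echo "no queue directory at $_queue" >&2; return 1; }
    "$OSSEC_DIR/bin/ossec-control" stop || return 1
    echo "backed up $(backup_syscheck_queue "$_queue" "$_backup") file(s) to $_backup"
    echo "cleared $(clear_syscheck_queue "$_queue") file(s)"
    "$OSSEC_DIR/bin/ossec-control" start
}

# Demo on a constructed queue directory with fake contents (not real
# syscheck data): one server file and one agent file named as dan describes.
demo_dir=$(mktemp -d)
printf '+++fake entry\n' > "$demo_dir/syscheck"
printf '+++fake entry\n' > "$demo_dir/(web01) 10.0.0.5->syscheck"
backup_syscheck_queue "$demo_dir" "$demo_dir.bak" >/dev/null
clear_syscheck_queue "$demo_dir" >/dev/null
queue_is_empty "$demo_dir" && echo "demo: queue cleared, backup kept in $demo_dir.bak"
rm -rf "$demo_dir" "$demo_dir.bak"
```

Truncating instead of deleting keeps the per-agent files in place for the daemons, and copying with `cp -p` preserves the timestamps you may later want to compare. Clearing the queue discards the stored baseline, so the next syscheck scan rebuilds it from the files as they are at that moment; keep the backup if you need the old checksums for comparison.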
