Adi, quick question. Were you able to get the new file alert working? I've 
been trying with no success. I modified the rules and syscheck as documented, 
but it still doesn't work. Any information would be greatly appreciated. Thank 
you, Christian.
 
Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
ko...@mnr.org 
212-499-4642
 


>>> Adi CHIRU <adi.ch...@avangate.com> 5/19/2010 8:51 AM >>>
First, I stopped the ossec daemons, emptied those files manually and started the ossec 
daemons. Everything went fine until I restarted ossec, when those errors started 
to appear again.

After this I stopped ossec, deleted the files completely and started ossec. The 
files were created and again, the errors in logs only appeared after I 
restarted ossec (usually because I change the configuration files).

It seems that a solution would be to clear the database (those files in the 
/var/ossec/queue/syscheck/ directory) before each [re]start, but I am not sure 
that this would be a good idea.


And one more question, if I may:

Where can I find details about the logic of OSSEC's alerting behaviour? I am 
interested in an answer about what ossec does after an event (a new file, a 
deleted file or modified ownership on a file) has been found and an alert has been issued: 
does ossec keep sending that alert each time it detects the event, or is the 
database updated after the first detection so that the next run will not detect the 
same event again?

Thanks,
Adi 



-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
Behalf Of dan (ddp)
Sent: Tuesday, May 18, 2010 5:25 PM
To: ossec-list@googlegroups.com 
Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.

This is how to log to an sql database:
http://www.ossec.net/wiki/Know_How:DatabaseOutput 

But I don't think the problem has anything to do with an sql database.

I was thinking syscheck_control -u all:
"-u all Updates (clear) the database for all agents."

I guess you could manually clear out the syscheck database file(s).
I'd copy them off first as a backup.
They should be located in: /var/ossec/queue/syscheck. There is the
syscheck file, which I think is the server, and various "(AGENT)
IP_ADDRESS->syscheck" files. Maybe after stopping the ossec processes
and copying the files, try to clear them out manually...

On Tue, May 18, 2010 at 8:41 AM, Adi CHIRU <adi.ch...@avangate.com> wrote:
> Hi Dan,
>
> If by clearing the syscheck database you mean:
> ./syscheck_update -a
> and/or
> ./syscheck_update -u local
>
> I already did that while the ossec daemons were stopped.
> After restarting, the same errors appear in the logs.
> I am using ossec-hids-2.4.1.
> The above error messages appear in both the server and agent logs.
>
> Can you please give me the SQL syntax/file (or a link) to create the MySQL 
> database; I suspect the problem may be from the structure of the database I 
> use now.
>
> Thanks,
> Adi
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
> Behalf Of dan (ddp)
> Sent: Monday, May 17, 2010 5:27 PM
> To: ossec-list@googlegroups.com 
> Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.
>
> I don't know what's going on with the messages, but  you could try
> stopping the server and clearing the syscheck database for that agent.
>
> On Mon, May 17, 2010 at 9:19 AM, Adi CHIRU <adi.ch...@avangate.com> wrote:
>> Hi guys,
>>
>> I have some problems with ossec syscheck as it seems it does not catch all
>> the events that happen in a directory configured to be monitored in
>> real-time. To find out what is going wrong I was watching the logs and found
>> the below errors for which I could not find a relevant discussion/solution
>> with Google.
>>
>> Can you please help?
>>
>> 2010/05/17 12:29:35 ossec-logcollector: INFO: Started (pid: 11462).
>> 2010/05/17 12:30:06 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2010/05/17 12:31:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2010/05/17 12:33:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2010/05/17 12:34:12 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:38:28 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2010/05/17 12:38:48 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2010/05/17 12:41:08 ossec-rootcheck: INFO: Ending rootcheck scan.
>> 2010/05/17 13:04:17 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:06:18 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>>
>> If you need any other info please let me know...
>>
>> Thanks,
>>
>> Adi
>
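The stop / back up / clear / restart procedure Dan outlines earlier in this thread, written out as an added example. This is not code from the OSSEC project or from anyone in the thread. It assumes an OSSEC install under /var/ossec (overridable via OSSEC_DIR), the bin/ossec-control script that ships with it, and the queue/syscheck directory named in the thread; the function names and the backup directory are my own. The files are truncated rather than deleted so that ownership and permissions survive, and nothing is wiped until the archive has been read back successfully.

```shell
#!/bin/sh
# Added example (not OSSEC project code): back up, then clear, the syscheck
# database files under the queue directory, as suggested in the thread.
# Assumptions: OSSEC lives under $OSSEC_DIR (default /var/ossec), is
# controlled with $OSSEC_DIR/bin/ossec-control, and keeps its syscheck
# database files in $OSSEC_DIR/queue/syscheck (the path named in the thread).
# The backup directory $OSSEC_DIR/backup is my own choice.

# backup_and_clear_syscheck QUEUE_DIR BACKUP_DIR
# Archives every file in QUEUE_DIR into a timestamped tar under BACKUP_DIR,
# then truncates each file in place (keeping owner and mode so the daemons
# can reopen them). Prints the archive path on success, returns 1 on failure.
backup_and_clear_syscheck() {
    qdir="$1"
    bdir="$2"
    [ -d "$qdir" ] || { echo "not a directory: $qdir" >&2; return 1; }
    mkdir -p "$bdir" || return 1
    archive="$bdir/syscheck-$(date +%Y%m%d-%H%M%S).tar"
    # -C so the archive holds relative names such as "./syscheck" and
    # "./(agent) 10.0.0.5->syscheck", whatever the agent files are called
    tar -C "$qdir" -cf "$archive" . || return 1
    # Refuse to wipe anything if the archive cannot be listed back
    tar -tf "$archive" >/dev/null || return 1
    for f in "$qdir"/*; do
        [ -f "$f" ] && : > "$f"
    done
    echo "$archive"
}

# count_nonempty DIR: number of regular files in DIR that still hold data;
# a freshly cleared queue directory reports 0
count_nonempty() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -s "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Full procedure: stop the daemons, snapshot and clear, start them again.
reset_syscheck_db() {
    ossec_dir="${OSSEC_DIR:-/var/ossec}"
    "$ossec_dir/bin/ossec-control" stop || return 1
    backup_and_clear_syscheck "$ossec_dir/queue/syscheck" "$ossec_dir/backup" || return 1
    "$ossec_dir/bin/ossec-control" start
}

# Only touch a live install when explicitly asked, e.g.
#   RUN_SYSCHECK_RESET=1 sh reset_syscheck.sh
if [ "${RUN_SYSCHECK_RESET:-0}" = 1 ]; then
    reset_syscheck_db
fi
```

The archive keeps the original database files, so if clearing them turns out not to help, the snapshot can be restored with tar -xf into the queue directory while the daemons are stopped.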
