Hi William,

It is possible that someone may have accidentally changed the following
debug flag in your OSSEC installation.

I suggest you check the following -
Go to the directory from where you installed OSSEC,
locate the src/shared directory
open the file debug_op.c

Around line #16, you will see a line -
int dbg_flag = 0;

Confirm that the value is "0" and not set to another value.

On Thu, Jul 7, 2011 at 3:16 PM, William Voyek <william.vo...@gmail.com> wrote:

> On Thu, Jul 7, 2011 at 11:44 AM, dan (ddp) <ddp...@gmail.com> wrote:
> > Other than the log message there isn't any indication the processes
> > are running in debug mode.
> > This is how they generally look in debug mode:
> > root      4356  4.4  0.4  7600  7720 ??  S     29Jun11  185:22.82
> > /var/ossec/bin/ossec-syscheckd -d
> > ossecm      36  0.0  0.2  4564  4940 ??  S     29Jun11    0:03.57
> > /var/ossec/bin/ossec-csyslogd -d
> > root     27304  0.0  0.0   536   892 ??  I     29Jun11    0:00.10
> > /var/ossec/bin/ossec-execd -d
> > ossec    22263  0.0  0.3  3400  5348 ??  S     29Jun11   14:07.31
> > /var/ossec/bin/ossec-analysisd -d
> > root     32060  0.0  0.1   884  1272 ??  S     29Jun11    0:52.38
> > /var/ossec/bin/ossec-logcollector -d (ossec-logcollect)
> > ossecr   30702  0.0  0.1  2916  1460 ??  S     29Jun11    0:18.68
> > /var/ossec/bin/ossec-remoted -d
> > ossec    28070  0.0  0.1   952  1032 ??  I     29Jun11    0:55.38
> > /var/ossec/bin/ossec-monitord -d
> >
> > Also, that system always runs the processes in debug mode, and the log
> > file isn't very big (since Feb).
> >
> > What kinds of messages are causing your logfile to grow to 10G?
> >
>
> It appears that for each logfile, system, eventlog, etc. monitored I'm
> getting these in the log:
>
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg:
> 1:(myhost.mydomain) 10.0.0.101->WinEvtLog:WinEvtLog: Security:
> AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User Logoff:
>        User Name: a_user       Domain:         MYDOMAIN        Logon ID:
>        (0x2,0xA12345B7)        Logon Type: 3
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Msg cleanup: WinEvtLog:
> Security: AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User
> Logoff:         User Name: a_user       Domain:         MYDOMAIN
>  Logon ID:
>        (0x2,0xA12345B7)        Logon Type: 3
>
>
> There were 10,000+ messages logged to that file in the last five minutes.
>
> William
>
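Added here as a triage aid, not code from the thread or from OSSEC: a small POSIX shell script that applies the three checks discussed above (daemons started with -d, DEBUG lines per minute and daemon in ossec.log, and the dbg_flag default in debug_op.c) to constructed samples in the formats quoted in the thread. The helper names are mine, and the ps and log formats are assumed to match what is quoted above.

```shell
#!/bin/sh
# Added triage helpers for this thread's symptoms; not OSSEC's own code.
# Assumed input formats: ps output as quoted above (command may wrap onto
# the next line), ossec.log lines "YYYY/MM/DD HH:MM:SS daemon: DEBUG: ...",
# and a debug_op.c that declares "int dbg_flag = N;". Each helper reads stdin.

# Name each OSSEC daemon whose command line carries the -d debug switch.
debug_daemons() {
  awk '/\/ossec-[a-z]+ -d/ { n = $0; sub(/.*\//, "", n); sub(/ .*/, "", n); print n }'
}

# Count DEBUG lines per minute and daemon: "YYYY/MM/DD HH:MM daemon count".
# A daemon not in debug mode contributes nothing; a flood stands out at once.
debug_rate() {
  awk '$4 == "DEBUG:" { d = $3; sub(/:$/, "", d); c[$1 " " substr($2, 1, 5) " " d]++ }
       END { for (k in c) print k, c[k] }' | sort
}

# Print the compiled-in default of dbg_flag (the value the reply above says
# should be 0), or nothing if the declaration is not found.
dbg_flag_default() {
  awk '/^[[:space:]]*int[[:space:]]+dbg_flag[[:space:]]*=[[:space:]]*[0-9]+[[:space:]]*;/ {
         v = $0; sub(/.*=[[:space:]]*/, "", v); sub(/[[:space:]]*;.*/, "", v); print v; exit }'
}

# Constructed samples in the formats quoted in the thread (not real hosts).
SAMPLE_PS='root      4356  4.4  0.4  7600  7720 ??  S     29Jun11  185:22.82
/var/ossec/bin/ossec-syscheckd -d
ossec    22263  0.0  0.3  3400  5348 ??  S     29Jun11   14:07.31
/var/ossec/bin/ossec-analysisd -d
root     32060  0.0  0.1   884  1272 ??  S     29Jun11    0:52.38
/var/ossec/bin/ossec-logcollector -d (ossec-logcollect)
ossec    28070  0.0  0.1   952  1032 ??  I     29Jun11    0:55.38
/var/ossec/bin/ossec-monitord'
SAMPLE_LOG='2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg: 1:(myhost) 10.0.0.101->WinEvtLog
2011/07/07 12:08:02 ossec-remoted: DEBUG: Received msg: (constructed line)
2011/07/07 12:08:03 ossec-analysisd: INFO: (constructed non-debug line)'
SAMPLE_SRC='/* constructed stand-in for src/shared/debug_op.c */
int dbg_flag = 2;'

printf '%s\n' "$SAMPLE_PS"  | debug_daemons      # three daemons started with -d
printf '%s\n' "$SAMPLE_LOG" | debug_rate         # 3 DEBUG lines at 12:07, 1 at 12:08
printf '%s\n' "$SAMPLE_SRC" | dbg_flag_default   # 2, i.e. not the expected 0
```

On a live system, feed `ps aux`, `/var/ossec/logs/ossec.log` and the real `src/shared/debug_op.c` into the same three helpers.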
