1.  I'm assuming your audit.log file is on the same server as the
mailbox.log, right? - Correct.

2. Is OSSEC alerting on anything in the mailbox.log file?  Can you
test  with another known alert and insert it into mailbox.log and
verify that OSSEC is alerting on it?

The log entry in /var/log/secure below

Jul  5 17:09:29 mailserver sshd[19395]: Accepted password for root
from ::ffff:69.38.173.162 port 45026 ssh2

is captured through our custom rule 105715

  <rule id="105715" level="7">
    <if_sid>5715</if_sid>
    <user>root</user>
    <!-- match>^Accepted|authenticated.$</match -->
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>

OSSEC published the alert for this rule on 5 Jul 2011 after 17:09:29:

011 Jul 05 17:09:31 Rule Id: 105715 level: 7
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/var/log/secure
Src IP: ::ffff:69.38.173.162
SSHD authentication success.
Jul 5 17:09:29 flanders sshd[19395]: Accepted password for root
from ::ffff:69.38.173.162 port 45026 ssh2


I adjusted this log entry for time (11:41:29) and date (Jul  8),
appended "<-- test by V." as usual and inserted it into audit.log.
OSSEC published it almost immediately as expected:

011 Jul 08 11:41:18 Rule Id: 105715 level: 7
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/
audit.log
Src IP: ::ffff:69.38.173.162
SSHD authentication success.
Jul 8 11:41:29 flanders sshd[19395]: Accepted password for root
from ::ffff:69.38.173.162 port 45026 ssh2 <-- test by V.


Unfortunately, OSSEC did not publish anything when I inserted the same
exact entry into mailbox.log.


It appears at this point that OSSEC is not publishing any alert:
nothing from mailbox.log is being published. Since all OSSEC daemons
on the OSSEC server host are 100% operational

[root@ossecserver ~]# service ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-csyslogd is running...

and so are the OSSEC daemons on the OSSEC agent host

[root@mailserver log]# service ossec status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...

it appears as if the OSSEC agent is not reading anything from mailbox.log,
despite the ossec.log entry in the mailserver host claiming that the
OSSEC agent is analyzing both audit.log and mailbox.log as I had
mentioned yesterday.

Both audit.log and mailbox.log are in the same /opt/zimbra/log
directory, by the way :)

This situation is beyond weird, and I am tempted to restart the OSSEC
agent on the mailserver, just for the hell of it.


On Jul 8, 11:07 am, Christopher Moraes <cmoraes....@gmail.com> wrote:
> 1.  I'm assuming your audit.log file is on the same server as the
> mailbox.log, right?
>
> 2.  Is OSSEC alerting on anything in the mailbox.log file?  Can you test
> with another known alert and insert it into mailbox.log and verify that
> OSSEC is alerting on it?
>
> On Fri, Jul 8, 2011 at 10:50 AM, blacklight <vphu...@yahoo.com> wrote:
>
> > I adjusted the time again and inserted the statement in audit.log:
>
> > 2011-07-08 10:35:39,180 INFO  [main] [] misc - version=7.1.1_GA_3213
> > release=20110624102500 builddate=20110624-1027 buildhost=zre-
> > rhel4.eng.vmware.com <--- test by V.
>
> > Note: OSSEC caught that event and published it as an alert, as seen
> > below
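The test the thread describes (take a log line that is known to fire rule 105715, move its syslog timestamp to "now", tag it with a marker, drop it into each monitored file and then see which files produce an alert) can be checked mechanically. The script below is an added example, not code from the poster or from the OSSEC project: it parses alert text in the same shape as the alerts quoted above, rewrites the timestamp of a known-good line the way the poster does by hand, and reports, per monitored file, whether a tagged alert came back. The alert sample, host names and addresses are constructed placeholders, and the alert layout is assumed to match the quoted output exactly.

```python
import re
from datetime import datetime

# Marker the thread appends to injected lines so they are distinguishable
# from real events in the same file.
TEST_MARKER = "<-- test by V."

# Constructed sample shaped like the alert text quoted in the thread.
# Host names and addresses are placeholders, not the poster's. Only the
# audit.log injection produced an alert here, mirroring the situation
# described in the message.
SAMPLE_ALERTS = """\
2011 Jul 08 11:41:18 Rule Id: 105715 level: 7
Location: (agent01.example.test) 10.0.0.3->/opt/zimbra/log/audit.log
Src IP: ::ffff:192.0.2.10
SSHD authentication success.
Jul  8 11:41:29 agent01 sshd[19395]: Accepted password for root from ::ffff:192.0.2.10 port 45026 ssh2 <-- test by V.

2011 Jul 08 11:43:02 Rule Id: 105715 level: 7
Location: (agent01.example.test) 10.0.0.3->/var/log/secure
Src IP: ::ffff:192.0.2.10
SSHD authentication success.
Jul  8 11:42:55 agent01 sshd[19401]: Accepted password for root from ::ffff:192.0.2.10 port 45030 ssh2
"""

# The two files the agent is said to be monitoring (assumed paths from the thread).
MONITORED_FILES = ["/opt/zimbra/log/audit.log", "/opt/zimbra/log/mailbox.log"]

HEADER_RE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) Rule Id: (\d+) level: (\d+)$")
LOCATION_RE = re.compile(
    r"^Location: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<file>\S+)$")


def parse_alerts(text):
    """Split alert text into one dict per blank-line-separated block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header in the expected shape; skip it
        rec = {"time": m.group(1), "rule": int(m.group(2)),
               "level": int(m.group(3)), "file": None, "log": lines[-1]}
        for line in lines[1:]:
            loc = LOCATION_RE.match(line)
            if loc:
                # The part after "->" is the source file on the agent.
                rec["file"] = loc.group("file")
        alerts.append(rec)
    return alerts


def injection_results(alerts, monitored_files, marker=TEST_MARKER):
    """Per monitored file: True if an alert carrying the marker came from it."""
    seen = {f: False for f in monitored_files}
    for a in alerts:
        if a["file"] in seen and marker in a["log"]:
            seen[a["file"]] = True
    return seen


def make_test_line(template, when, marker=TEST_MARKER):
    """Replace the syslog timestamp of a known-good line with `when` and tag it."""
    body = re.sub(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ", "", template)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # syslog pads the day
    return f"{stamp} {body} {marker}"


if __name__ == "__main__":
    known_good = ("Jul  5 17:09:29 mailserver sshd[19395]: Accepted password "
                  "for root from ::ffff:192.0.2.10 port 45026 ssh2")
    print(make_test_line(known_good, datetime(2011, 7, 8, 11, 41, 29)))
    for path, ok in injection_results(parse_alerts(SAMPLE_ALERTS),
                                      MONITORED_FILES).items():
        print(f"{path}: {'alert seen' if ok else 'NO alert'}")
```

Run against a real alerts dump, a file reported as "NO alert" while its neighbour in the same directory is fine points at the collector side (the agent's read of that file), not at the rule, which is exactly the split the message above is trying to establish.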
