2011/07/08 14:42:34 ossec-syscheckd: INFO: Ending syscheck scan.
2011/07/08 14:43:01 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/07/08 14:43:01 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/07/08 14:43:01 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/07/08 14:43:01 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/07/08 14:43:01 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
2011/07/08 14:43:01 ossec-execd: INFO: Started (pid: 13377).
2011/07/08 14:43:01 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/07/08 14:43:01 ossec-agentd: INFO: Assigning counter for agent flanders.inv.anglerlabs.com: '17001:1586'.
2011/07/08 14:43:01 ossec-agentd: INFO: Assigning sender counter: 193495:6478
2011/07/08 14:43:01 ossec-agentd: INFO: Started (pid: 13381).
2011/07/08 14:43:01 ossec-agentd: INFO: Server IP Address: 10.80.80.100
2011/07/08 14:43:01 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).
2011/07/08 14:43:02 ossec-agentd(4102): INFO: Connected to the server (10.80.80.100:1514).
2011/07/08 14:43:05 ossec-syscheckd: INFO: Started (pid: 13389).
2011/07/08 14:43:05 ossec-rootcheck: INFO: Started (pid: 13389).
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/root/.ssh'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/lib/pgsql/pgstartup.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/lib/pgsql/pgstartup.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/zimbra.log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector: INFO: Started (pid: 13385).
2011/07/08 14:43:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/*_log'.
2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/lib/pgsql/pgstartup.log'.
2011/07/08 14:45:18 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:46:25 ossec-syscheckd: WARN: Error opening directory: '/var/named': No such file or directory
2011/07/08 14:46:25 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2011/07/08 14:47:30 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:48:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2011/07/08 14:49:41 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:51:52 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:52:17 ossec-agentd: INFO: Event count after '20000': 4674605->3893616 (83%)
2011/07/08 14:54:03 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:56:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2011/07/08 14:56:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:56:22 ossec-rootcheck: INFO: Starting rootcheck scan.
2011/07/08 14:58:25 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 15:00:37 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 15:02:46 ossec-agentd: INFO: Event count after '20000': 4662410->3882584 (83%)
2011/07/08 15:02:48 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
2011/07/08 15:12:37 ossec-agentd: INFO: Event count after '20000': 4761351->3974808 (83%)
2011/07/08 15:21:29 ossec-agentd: INFO: Event count after '20000': 4780493->3986800 (83%)
2011/07/08 15:22:52 ossec-rootcheck: INFO: Ending rootcheck scan.
2011/07/08 15:22:52 ossec-syscheckd: INFO: Starting syscheck scan.
2011/07/08 15:31:05 ossec-agentd: INFO: Event count after '20000': 4763412->3977096 (83%)
2011/07/08 15:33:15 ossec-syscheckd: INFO: Ending syscheck scan.
2011/07/08 15:38:15 ossec-syscheckd: INFO: Starting syscheck scan.
2011/07/08 15:40:46 ossec-agentd: INFO: Event count after '20000': 4783612->3991336 (83%)
2011/07/08 15:48:38 ossec-syscheckd: INFO: Ending syscheck scan.
2011/07/08 15:49:14 ossec-agentd: INFO: Event count after '20000': 4755376->3967920 (83%)
2011/07/08 15:53:38 ossec-syscheckd: INFO: Starting syscheck scan.
2011/07/08 15:59:02 ossec-agentd: INFO: Event count after '20000': 4920194->4066320 (82%)
2011/07/08 16:04:01 ossec-syscheckd: INFO: Ending syscheck scan.
2011/07/08 16:08:02 ossec-agentd: INFO: Event count after '20000': 4873936->4053080 (83%)
2011/07/08 16:09:01 ossec-syscheckd: INFO: Starting syscheck scan.
2011/07/08 16:16:54 ossec-agentd: INFO: Event count after '20000': 4801849->4005736 (83%)
On Jul 8, 3:16 pm, Christopher Moraes <cmoraes....@gmail.com> wrote:
> Ok, so it seems that there is some progress (in our analysis).
>
> Can you paste the full contents of the ossec.log file on agent (since the
> last restart).
>
> On Fri, Jul 8, 2011 at 12:24 PM, blacklight <vphu...@yahoo.com> wrote:
> > It appears at this point that OSSEC is not publishing any alert
> > nothing from mailbox.log is being published. Since all OSSEC daemons
> > on the OSSEC server host are 100% operational
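As an added example (not code from the thread or from the OSSEC project), here is a small Python triage script for an agent ossec.log in the format quoted above. It parses each entry, records whether the agent reported connecting to its server, separates the files logcollector says it is analyzing from the ones it reported as unavailable, folds repeated ERROR/WARN messages into counts, and collects the "Event count" compression percentages. The regular expressions and function names are my own assumptions about the log format; the sample lines are constructed in the shape of the quoted log and are not the full log.

```python
"""Triage an OSSEC agent ossec.log: parse each entry, confirm the agent
reached its server, and separate the log files it is reading from the
ones it could not open. Added example; regexes are assumptions about the
format seen in the thread, not anything shipped by OSSEC."""
import re
from collections import Counter

# One ossec.log entry, as in the thread:
#   YYYY/MM/DD HH:MM:SS daemon[(code)]: LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>DEBUG|INFO|WARN|ERROR|CRITICAL): (?P<msg>.*)$"
)
CONNECTED_RE = re.compile(r"Connected to the server \((?P<addr>[^)]+)\)")
ANALYZING_RE = re.compile(r"Analyzing file: '(?P<path>[^']+)'")
UNAVAILABLE_RE = re.compile(
    r"(?:Unable to open file|File not available, ignoring it:) '(?P<path>[^']+)'"
)
EVENT_COUNT_RE = re.compile(
    r"Event count after '(?P<n>\d+)': (?P<raw>\d+)->(?P<sent>\d+) \((?P<pct>\d+)%\)"
)

# Constructed sample in the format of the log quoted in the thread
# (a handful of entries, not the full log).
SAMPLE_LOG = """\
2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
2011/07/08 14:43:01 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).
2011/07/08 14:43:02 ossec-agentd(4102): INFO: Connected to the server (10.80.80.100:1514).
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
2011/07/08 14:46:25 ossec-syscheckd: WARN: Error opening directory: '/var/named': No such file or directory
2011/07/08 14:52:17 ossec-agentd: INFO: Event count after '20000': 4674605->3893616 (83%)
"""


def parse_log(text):
    """Return one dict per parseable entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Condense parsed entries into the facts a troubleshooter checks first."""
    connected_to = None
    analyzing, unavailable = set(), set()
    compression_pct = []
    problems = Counter()       # count per level (ERROR / WARN)
    problem_msgs = Counter()   # count per distinct message, folding repeats
    for e in entries:
        msg = e["msg"]
        if (m := CONNECTED_RE.search(msg)):
            connected_to = m.group("addr")
        elif (m := ANALYZING_RE.search(msg)):
            analyzing.add(m.group("path"))
        elif (m := EVENT_COUNT_RE.search(msg)):
            compression_pct.append(int(m.group("pct")))
        # "Unable to open" is logged at ERROR, "File not available" at INFO;
        # both mean logcollector is not reading that file.
        if (m := UNAVAILABLE_RE.search(msg)):
            unavailable.add(m.group("path"))
        if e["level"] in ("ERROR", "WARN"):
            problems[e["level"]] += 1
            problem_msgs[f'{e["daemon"]}: {e["level"]}: {msg}'] += 1
    return {
        "connected_to": connected_to,
        "files_read": analyzing - unavailable,
        "files_unavailable": unavailable,
        "compression_pct": compression_pct,
        "problems": problems,
        "problem_msgs": problem_msgs,
    }


def report(text):
    """Print a short triage summary and return it for further checks."""
    s = summarize(parse_log(text))
    print("agent connected to:", s["connected_to"] or "NOT CONNECTED")
    print("files being read:", sorted(s["files_read"]))
    print("files not available:", sorted(s["files_unavailable"]))
    if s["compression_pct"]:
        print("event compression (%):", s["compression_pct"])
    for msg, n in s["problem_msgs"].most_common():
        print(f"  x{n}  {msg}")
    return s


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the full log quoted in the thread, a summary like this shows the agent connected to 10.80.80.100:1514 and mailbox.log opened without any error, while the repeated errors concern other files (the httpd glob, pgstartup.log, ha-log). That separates "the agent is not reading the file" from "events reach the server but produce no alert", which is the next thing to check on the server side.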