The logs do not mention that audit.log or mailbox.log are being monitored. Is there something missing from the logs?
On Fri, Jul 8, 2011 at 4:27 PM, blacklight <vphu...@yahoo.com> wrote:
> 2011/07/08 14:42:34 ossec-syscheckd: INFO: Ending syscheck scan.
> 2011/07/08 14:43:01 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/07/08 14:43:01 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/07/08 14:43:01 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2011/07/08 14:43:01 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/07/08 14:43:01 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
> 2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
> 2011/07/08 14:43:01 ossec-execd: INFO: Started (pid: 13377).
> 2011/07/08 14:43:01 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/07/08 14:43:01 ossec-agentd: INFO: Assigning counter for agent flanders.inv.anglerlabs.com: '17001:1586'.
> 2011/07/08 14:43:01 ossec-agentd: INFO: Assigning sender counter: 193495:6478
> 2011/07/08 14:43:01 ossec-agentd: INFO: Started (pid: 13381).
> 2011/07/08 14:43:01 ossec-agentd: INFO: Server IP Address: 10.80.80.100
> 2011/07/08 14:43:01 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).
> 2011/07/08 14:43:02 ossec-agentd(4102): INFO: Connected to the server (10.80.80.100:1514).
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Started (pid: 13389).
> 2011/07/08 14:43:05 ossec-rootcheck: INFO: Started (pid: 13389).
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/root/.ssh'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
> 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/lib/pgsql/pgstartup.log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/lib/pgsql/pgstartup.log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/zimbra.log'.
> 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
> 2011/07/08 14:43:07 ossec-logcollector: INFO: Started (pid: 13385).
> 2011/07/08 14:43:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/*_log'.
> 2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/lib/pgsql/pgstartup.log'.
> 2011/07/08 14:45:18 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:46:25 ossec-syscheckd: WARN: Error opening directory: '/var/named': No such file or directory
> 2011/07/08 14:46:25 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2011/07/08 14:47:30 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:48:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2011/07/08 14:49:41 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:51:52 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:52:17 ossec-agentd: INFO: Event count after '20000': 4674605->3893616 (83%)
> 2011/07/08 14:54:03 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:56:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2011/07/08 14:56:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 14:56:22 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2011/07/08 14:58:25 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 15:00:37 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> 2011/07/08 15:02:46 ossec-agentd: INFO: Event count after '20000': 4662410->3882584 (83%)
> 2011/07/08 15:02:48 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
> 2011/07/08 15:12:37 ossec-agentd: INFO: Event count after '20000': 4761351->3974808 (83%)
> 2011/07/08 15:21:29 ossec-agentd: INFO: Event count after '20000': 4780493->3986800 (83%)
> 2011/07/08 15:22:52 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2011/07/08 15:22:52 ossec-syscheckd: INFO: Starting syscheck scan.
> 2011/07/08 15:31:05 ossec-agentd: INFO: Event count after '20000': 4763412->3977096 (83%)
> 2011/07/08 15:33:15 ossec-syscheckd: INFO: Ending syscheck scan.
> 2011/07/08 15:38:15 ossec-syscheckd: INFO: Starting syscheck scan.
> 2011/07/08 15:40:46 ossec-agentd: INFO: Event count after '20000': 4783612->3991336 (83%)
> 2011/07/08 15:48:38 ossec-syscheckd: INFO: Ending syscheck scan.
> 2011/07/08 15:49:14 ossec-agentd: INFO: Event count after '20000': 4755376->3967920 (83%)
> 2011/07/08 15:53:38 ossec-syscheckd: INFO: Starting syscheck scan.
> 2011/07/08 15:59:02 ossec-agentd: INFO: Event count after '20000': 4920194->4066320 (82%)
> 2011/07/08 16:04:01 ossec-syscheckd: INFO: Ending syscheck scan.
> 2011/07/08 16:08:02 ossec-agentd: INFO: Event count after '20000': 4873936->4053080 (83%)
> 2011/07/08 16:09:01 ossec-syscheckd: INFO: Starting syscheck scan.
> 2011/07/08 16:16:54 ossec-agentd: INFO: Event count after '20000': 4801849->4005736 (83%)
>
> On Jul 8, 3:16 pm, Christopher Moraes <cmoraes....@gmail.com> wrote:
> > Ok, so it seems that there is some progress (in our analysis).
> >
> > Can you paste the full contents of the ossec.log file on the agent (since the last restart).
> >
> > On Fri, Jul 8, 2011 at 12:24 PM, blacklight <vphu...@yahoo.com> wrote:
> > > It appears at this point that OSSEC is not publishing any alert; nothing from mailbox.log is being published. Since all OSSEC daemons on the OSSEC server host are 100% operational
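The check being done by eye in the reply above, as an added Python example (it is not from the thread and not part of OSSEC): parse the agent's ossec.log and report, per file, logcollector's last word on it, so a path that was "Analyzing file" at startup but later "File not available, ignoring it" comes out as not monitored. The sample lines are constructed in the format of the output pasted above; the message ids 1950, 1103 and 1904 are the ones that appear in it.

```python
import re

# Constructed sample in the format of an OSSEC agent ossec.log, modelled on
# the output pasted in this thread (ids 1950, 1103 and 1904 as they appear there).
SAMPLE_LOG = """\
2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/*_log'.
2011/07/08 15:02:48 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
"""

# One logcollector line: timestamp, message id, level, free text, quoted path.
# Lines from other daemons (ossec-config, ossec-syscheckd, ...) do not match.
LINE_RE = re.compile(
    r"^\S+ \S+ ossec-logcollector\((?P<id>\d+)\): \w+: .*?'(?P<path>[^']+)'\.?$"
)

# Message id -> what it tells us about the file (ids as seen in the pasted log).
STATES = {"1950": "analyzing", "1103": "open-error", "1904": "ignored"}


def logcollector_status(text):
    """Return {path: state}, where state is the most recent thing logcollector
    logged about that path. Later lines override earlier ones, so a file that
    was 'analyzing' at startup and later 'ignored' ends up as 'ignored'."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("id") in STATES:
            state[m.group("path")] = STATES[m.group("id")]
    return state


def is_monitored(text, path):
    """True only if logcollector's last word on the path was 'Analyzing file'."""
    return logcollector_status(text).get(path) == "analyzing"


if __name__ == "__main__":
    # Summary of which configured files the agent is actually reading.
    for path, state in sorted(logcollector_status(SAMPLE_LOG).items()):
        print(f"{state:>10}  {path}")
```

Run it against a real agent's /var/opt/ossec/logs/ossec.log (path as an assumption; adjust to the install prefix) to get the same per-file summary without scrolling through the scan and event-count noise.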