Is there anything we can do when the log rotation results in an inode change? Aside from stopping the log from rotating, that is.
On Jul 8, 4:35 pm, blacklight <vphu...@yahoo.com> wrote: > I restarted OSSEC agent at 14:43:01 - see the mailserver OSSEC agent's > ossec.log that I posted in response to your request. > > audit.log is not rotated and we don't have a problem with audit.log > mailbox.log is rotated, is gifted with a new inode as part of its > rotation. And mailbox.log is driving us crazy :). > > On Jul 8, 4:22 pm, Christopher Moraes <cmoraes....@gmail.com> wrote: > > > > > > > > > When did you last restart the OSSEC agent? On jul 7th or Jul 8th? > > > Can you also run the same grep command on your alert log file for today (Jul > > 08) > > > The log rotation could be an issue if the Zimbra server is created a new > > file (new inode) at the end of each day. (just thinking aloud) > > > On Fri, Jul 8, 2011 at 4:12 PM, blacklight <vphu...@yahoo.com> wrote: > > > [root@ossecserver tmp]# grep -A5 'mailbox.log' ossec-alerts-07.log| > > > more > > > > ossec: File rotated (inode changed): '/opt/zimbra/log/mailbox.log'. > > > > ** Alert 1310011255.433273: - syslog,postfix,spam, > > > 2011 Jul 07 00:00:55 (mailserver2.domain.com) 10.80.80.4->/var/log/ > > > maillog > > > Rule: 3306 (level 6) -> 'IP Address black-listed by anti-spam > > > (blocked).' > > > Src IP: 123.27.188.67 > > > > 2011 Jul 07 00:02:41 (mailserver.domain.com) 10.8.8.30->/opt/zimbra/ > > > log/mailbox.log > > > Rule: 100301 (level 5) -> 'we are monitoring failed authentication > > > attempts to zimbra' > > > Src IP: 209.85.214.134 > > > User: (none) > > > 2011-07-07 00:02:40,330 INFO [Pop3Server-39] [ip=209.85.214.134;] > > > account - authentication failed for hsander...@lefrakproductions.com > > > (no such account) > > > > 2011 Jul 07 04:54:15 (mailserver.domain.com) 10.8.8.3->/opt/zimbra/log/ > > > mailbox.log > > > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' > > > Src IP: (none) > > > User: (none) > > > Code:service.FAILURE > > > > 33% of the messages refer to custom rule 100301; the balance of the > > > messages refer to rule 1002 > > > We get one log rotation message per day. > > > > Speaking about rotation, is "inode changed" a concern as far as > > > getting data from mailbox.log is concerned? My opinion is "probably > > > not, because the OSSEC server is clearly receiving messages culled > > > from mailbox.log from the log-collector daemon of the OSSSEC agent. > > > It's just that these messages don't include the ones we want as > > > specified in our new rule. > > > > On Jul 8, 3:19 pm, Christopher Moraes <cmoraes....@gmail.com> wrote: > > > > For point #2 - can you go into your alerts.log file and paste the entire > > > > alert message that is logged there. I'm interested in knowing what > > > > alert > > > > has been generated. > > > > > On Fri, Jul 8, 2011 at 3:10 PM, blacklight <vphu...@yahoo.com> wrote: > > > > > (1) I restarted the OSSEC agent on the mailserver and the the log > > > > > entry test on mailbox.log still failed. > > > > > > (2) I got an inspiration and grepped alerts.log in the OSSEC server > > > > > for mailbox.log, and I found recent activity: > > > > > > 2011 Jul 08 10:47:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > 2011 Jul 08 11:02:42 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > 2011 Jul 08 11:04:39 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > 2011 Jul 08 11:06:31 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > 2011 Jul 08 11:07:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > 2011 Jul 08 11:18:27 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/ > > > > > zimbra/log/mailbox.log > > > > > > This tells me that the OSSEC log-collector daemons are doing their job > > > > > both on the OSSEC server host and on the OSSEC agent mailserver. > > > > > > I grepped for "buildhost" in alerts.log and found just one current > > > > > instance, and that instance was a test entry inserted in audit.log. I > > > > > am 100% sure that any instances that are archived from alerts.log will > > > > > be test entries inserted in audit.log > > > > > > On Jul 8, 12:24 pm, blacklight <vphu...@yahoo.com> wrote: > > > > > > 1. I'm assuming your audit.log file is on the same server as the > > > > > > mailbox.log, right? - Correct. > > > > > > > 2. Is OSSEC alerting on anything in the mailbox.log file? Can you > > > > > > test with another known alert and insert it into mailbox.log and > > > > > > verify that OSSEC is alerting on it? > > > > > > > The log entry in /var/log/secure below > > > > > > > Jul 5 17:09:29 mailserver sshd[19395]: Accepted password for root > > > > > > from ::ffff:69.38.173.162 port 45026 ssh2 > > > > > > > is captured through our custom rule 105715 > > > > > > > <rule id="105715" level="7"> > > > > > > <if_sid>5715</if_sid> > > > > > > <user>root</user> > > > > > > <!-- match>^Accepted|authenticated.$</match --> > > > > > > <description>SSHD authentication success.</description> > > > > > > <group>authentication_success,</group> > > > > > > </rule> > > > > > > > OSSEC published the alert for this rule on 5 Jul 2011 after > > > > > > 17:09:29: > > > > > > > 011 Jul 05 17:09:31 Rule Id: 105715 level: 7 > > > > > > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/var/log/secure > > > > > > Src IP: ::ffff:69.38.173.162 > > > > > > SSHD authentication success. > > > > > > Jul 5 17:09:29 flanders sshd[19395]: Accepted password for root > > > > > > from ::ffff:69.38.173.162 port 45026 ssh2 > > > > > > > I adjusted this log entry for time (11:41:29) and date (Jul 8), > > > > > > appended "<-- test by V." as usual and inserted it into audit.log. > > > > > > OSSEC published it almost immediately as expected: > > > > > > > 011 Jul 08 11:41:18 Rule Id: 105715 level: 7 > > > > > > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/ > > > > > > audit.log > > > > > > Src IP: ::ffff:69.38.173.162 > > > > > > SSHD authentication success. > > > > > > Jul 8 11:41:29 flanders sshd[19395]: Accepted password for root > > > > > > from ::ffff:69.38.173.162 port 45026 ssh2 <-- test by V. > > > > > > > Unfortunately, OSSEC did not publish anything when I inserted the > > > same > > > > > > exact entry into mailbox.log > > > > > > > It appears at this point that OSSEC is not publishing any alert > > > > > > nothing from mailbox.log is being published. Since all OSSEC daemons > > > > > > on the OSSEC server host are 100% operational > > > > > > > [root@ossecserver ~]# service ossec status > > > > > > ossec-monitord is running... > > > > > > ossec-logcollector is running... > > > > > > ossec-remoted is running... > > > > > > ossec-syscheckd is running... > > > > > > ossec-analysisd is running... > > > > > > ossec-maild is running... > > > > > > ossec-execd is running... > > > > > > ossec-csyslogd is running... > > > > > > > and so are the OSSEC daemons on the OSSEC agent host > > > > > > > [root@mailserver log]# service ossec status > > > > > > ossec-logcollector is running... > > > > > > ossec-syscheckd is running... > > > > > > ossec-agentd is running... > > > > > > ossec-execd is running... > > > > > > > it appears as if OSSEC agent is not reading anything from > > > mailbox.log, > > > > > > despite the ossec.log entry in the mailserver host claiming that the > > > > > > OSSEC agent is analyzing both audit.log and mailbox.log as I had > > > > > > mentioned yesterday. > > > > > > > Both audit.log and mailbox.log are in the same /opt/zimbra/log > > > > > > directory, by the way :) > > > > > > > This situation is beyond weird, and I am tempted to restart the > > > > > > OSSEC > > > > > > agent on on the mailserver, just for the hell of it. > > > > > > > On Jul 8, 11:07 am, Christopher Moraes <cmoraes....@gmail.com> > > > wrote: > > > > > > > > 1. I'm assuming your audit.log file is on the same server as the > > > > > > > mailbox.log, right? > > > > > > > > 2. Is OSSEC alerting on anything in the mailbox.log file? Can > > > > > > > you > > > > > test > > > > > > > with another known alert and insert it into mailbox.log and verify > > > that > > > > > > > OSSEC is alerting on it? > > > > > > > > On Fri, Jul 8, 2011 at 10:50 AM, blacklight <vphu...@yahoo.com> > > > wrote: > > > > > > > > > I adjusted the time again and inserted the statement in > > > audit.log: > > > > > > > > > 2011-07-08 10:35:39,180 INFO [main] [] misc - > > > version=7.1.1_GA_3213 > > > > > > > > release=20110624102500 builddate=20110624-1027 buildhost=zre- > > > > > > > > rhel4.eng.vmware.com <--- test by V. > > > > > > > > > Note: OSSEC caught that event and published it as an alert, as > > > seen > > > > > > > > below