Hi dan,

With ps aux | grep dbd I get this:

ossecm    2006  0.0  0.4   5372  2124 ?        S    11:35   0:00 /var/ossec/bin/ossec-dbd

So yes, dbd seems to be still running and there is no error in the ossec.log 
file.
Both /var/log/mysql.log and /var/log/mysql.err are empty, so there seems to be no 
more information (maybe I should change the mysql logging level).

Text editor is ready to get creative :)

Thanks


On Wednesday, May 9, 2012 1:16:47 PM UTC+2, secatoor wrote:
>
> Hi all, 
>
> As well explained in the OSSEC documentation, I "upgraded" my OSSEC 
> server to log into a mysql database. I compiled OSSEC with setdb and 
> updated the previous installation. 
> I got mysql and OSSEC server working on the same machine. 
>
> I made the ossec database with the mysql.schema file and created the 
> "ossec" user account to allow connecting to mysql. 
>
> OSSEC starts up fine, and in the /var/ossec/logs/ossec.log file I can 
> see this line, which means it should be able to connect correctly to the 
> database: 
>
> 2012/05/09 11:35:32 ossec-dbd: Connected to database 'ossec' at 
> '127.0.0.1'. 
>
>
> But... it seems working fine during a few minutes and then... 
> nothing ! 
>
> When I connect to mysql to show the content of the "data" table (select 
> * from data) I get this: 
>
> +----+-----------+--------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | id | server_id | user   | full_log                                                                                                                                                             |
> +----+-----------+--------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> |  1 |         1 | (null) | ossec: Ossec started. |
> |  2 |         1 | root   | May  7 16:57:29 vm3 sshd[2329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g-test.local  user=root |
> |  3 |         1 | root   | May  7 16:57:30 vm3 sshd[2329]: Failed password for root from 192.168.1.20 port 48068 ssh2 |
> |  4 |         1 | root   | May  7 16:57:43 vm3 sshd[2329]: Failed password for root from 192.168.1.20 port 48068 ssh2 |
> |  5 |         1 | root   | May  7 16:57:44 vm3 sshd[2329]: Accepted password for root from 192.168.1.20 port 48068 ssh2 |
> |  6 |         1 | (null) | May  7 16:57:44 vm3 sshd[2329]: pam_unix(sshd:session): session opened for user root by (uid=0) |
> |  7 |         1 | (null) | May  7 16:57:48 vm3 sshd[2329]: pam_unix(sshd:session): session closed for user root |
> |  8 |         1 | (null) | May  7 17:25:32 vm3 sshd[2878]: pam_unix(sshd:session): session opened for user root by (uid=0) |
> |  9 |         1 | (null) | May  7 17:25:36 vm3 sshd[2878]: pam_unix(sshd:session): session closed for user root |
> | 10 |         1 | (null) | May  9 09:53:49 vm3 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=user |
> | 11 |         1 | (null) | May  9 09:56:27 vm3 sshd[1993]: Invalid user test from 192.168.1.20 |
> | 12 |         1 | (null) | May  9 09:56:27 vm3 sshd[1993]: Failed none for invalid user test from 192.168.1.20 port 39825 ssh2 |
> +----+-----------+--------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> 12 rows in set (0.00 sec) 
>
>
> Which shows that I succeeded in connecting via ssh with my "root" account 
> and that I tried with a false account. 
>
> But the next hour I tried to log again with a false account (to check 
> if OSSEC is working fine) and nothing had been logged into mysql... 
>
> And when I open the /var/ossec/logs/archives/2012/May/ossec-archive-09.log 
> file, I can observe things like: 
>
> 2012 May 09 11:36:10 vm3->/var/log/auth.log May  9 11:36:10 vm3 sshd[2038]: Invalid user foker from 192.168.1.20 
> 2012 May 09 11:36:10 vm3->/var/log/auth.log May  9 11:36:10 vm3 sshd[2038]: Failed none for invalid user foker from 192.168.1.20 port 39834 ssh2 
> 2012 May 09 11:36:14 vm3->/var/log/auth.log May  9 11:36:13 vm3 sshd[2038]: pam_unix(sshd:auth): check pass; user unknown 
> 2012 May 09 11:36:14 vm3->/var/log/auth.log May  9 11:36:13 vm3 sshd[2038]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g-test.local 
> 2012 May 09 11:36:16 vm3->/var/log/auth.log May  9 11:36:15 vm3 sshd[2038]: Failed password for invalid user foker from 192.168.1.20 port 39834 ssh2 
> 2012 May 09 11:36:18 vm3->/var/log/auth.log May  9 11:36:16 vm3 sshd[2038]: pam_unix(sshd:auth): check pass; user unknown 
> 2012 May 09 11:36:20 vm3->/var/log/auth.log May  9 11:36:18 vm3 sshd[2038]: Failed password for invalid user foker from 192.168.1.20 port 39834 ssh2 
> 2012 May 09 11:36:20 vm3->/var/log/auth.log May  9 11:36:19 vm3 sshd[2038]: pam_unix(sshd:auth): check pass; user unknown 
> 2012 May 09 11:36:22 vm3->/var/log/auth.log May  9 11:36:21 vm3 sshd[2038]: Failed password for invalid user foker from 192.168.1.20 port 39834 ssh2 
> 2012 May 09 11:36:22 vm3->/var/log/auth.log May  9 11:36:21 vm3 sshd[2038]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=g-test.local 
>
> That makes me understand that OSSEC is logging, but not into the database... 
> I checked the /var/ossec/logs/ossec.log file again and there was no 
> problem with dbd. 
>
> Is there something specific I have to tell OSSEC to make it stop 
> logging into log files and log into the mysql database? 
>
> I tried starting it again and again but it still does not work fine (I 
> even tried from scratch, with no previous installation)... 
>
> If someone has any idea, you're welcome ;) 
> Thanks
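An added diagnostic example (my code, not from the thread or from OSSEC): it parses lines in the archive format quoted above and lists the events that have no matching full_log row in the data table, using archive lines and data rows constructed from the values in the post (the 09:56:27 archive line is assumed, since the post only shows its database row).

```python
import re
from typing import Dict, List

# OSSEC archive line layout: "<YYYY Mon DD HH:MM:SS> <agent>-><location> <raw event>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<agent>.+?)->(?P<location>\S+) (?P<raw>.*)$"
)


def parse_archive_line(line: str) -> Dict[str, str]:
    """Split one ossec-archive-DD.log line into ts, agent, location and raw event."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an OSSEC archive line: {line!r}")
    return m.groupdict()


def normalize(text: str) -> str:
    """Collapse whitespace: syslog pads single-digit days ("May  9") and client output wraps."""
    return " ".join(text.split())


def missing_from_db(archive_lines: List[str], db_rows: List[dict]) -> List[Dict[str, str]]:
    """Return archive events whose raw text matches no full_log value in the data table."""
    stored = {normalize(row["full_log"]) for row in db_rows}
    events = [parse_archive_line(line) for line in archive_lines if line.strip()]
    return [ev for ev in events if normalize(ev["raw"]) not in stored]


# Constructed sample: three archive lines in the format quoted in the thread ...
ARCHIVE_SAMPLE = [
    "2012 May 09 09:56:27 vm3->/var/log/auth.log May  9 09:56:27 vm3 sshd[1993]: Invalid user test from 192.168.1.20",
    "2012 May 09 11:36:10 vm3->/var/log/auth.log May  9 11:36:10 vm3 sshd[2038]: Invalid user foker from 192.168.1.20",
    "2012 May 09 11:36:16 vm3->/var/log/auth.log May  9 11:36:15 vm3 sshd[2038]: Failed password for invalid user foker from 192.168.1.20 port 39834 ssh2",
]
# ... and two rows shaped like "select id, server_id, user, full_log from data" returns them.
DB_SAMPLE: List[dict] = [
    {"id": 11, "server_id": 1, "user": None, "full_log": "May  9 09:56:27 vm3 sshd[1993]: Invalid user test from 192.168.1.20"},
    {"id": 12, "server_id": 1, "user": None, "full_log": "May  9 09:56:27 vm3 sshd[1993]: Failed none for invalid user test from 192.168.1.20 port 39825 ssh2"},
]

if __name__ == "__main__":
    for ev in missing_from_db(ARCHIVE_SAMPLE, DB_SAMPLE):
        print(f"{ev['ts']} {ev['location']}: not in data table -> {ev['raw']}")
```

In a real check the rows would come from the ossec database through the MySQL client rather than an inline list. Note that ossec-dbd stores alerts, so an archived event that matched no rule is expected to be absent from the table.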
