The last logs from ossec-dbd are those:

2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
2012/05/14 09:34:03 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 09:43:04 ossec-syscheckd: INFO: Ending syscheck scan.

As you can see there is nothing interesting; after dbd starts up, syscheck 
starts and logs some data. I got no more information than just that useless 
one... Even if I start mysql with the --log-warning option.

Today while restarting OSSEC I did notice this:

/var/ossec/bin/ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-1720.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-1692.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2034.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2045.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2053.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2059.pid' not used...

Is an unused PID bad news?

I already deleted and recreated the database from scratch three times; I'll 
try it again, but it doesn't help...

It's strange because when watching /var/log/mysql/mysql.log with "tail 
-f" and connecting via SSH, I can see that ossec-dbd is logging....

   49 Connect ossecuser@localhost on ossec
   49 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('3', '1', 'root', 'May 14 16:01:26 vm3 sshd[3850]: Accepted password for root from 192.168.1.20 port 36647 ssh2')
   49 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('3', '1', '5715','1337004092', '2', '3232235796', '23824', '0', '23776', '1337004088.7515')
   49 Quit

As you can see there are INSERT commands but nothing says if it succeeded 
or not.

I also noticed something that seems important!

I just dropped the complete database, and when the database is freshly recreated 
it starts to log without any problem (if I use "select * from data" it 
shows every action that happened since ossec started).
I see exactly the same things happening in the mysql.log file as before 
(when it wasn't working).

I hope it will keep on working...


On Monday, May 14, 2012 3:26:19 PM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, May 14, 2012 at 5:42 AM, secatoor wrote: 
> > Hi, 
> > 
> > 
> > I don't find any option to make mysql more talkative (there is no log 
> > level option). I thought it could be linked with the number of simultaneous 
> > sessions, but I still can connect with the ossec user myself! 
> > 
> > By the way, dbd in debug mode doesn't give me anything more than this: 
> > 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: Starting ... 
> > 2012/05/14 09:24:57 adding rule: rules_config.xml 
> > 2012/05/14 09:24:57 adding rule: pam_rules.xml 
> > 2012/05/14 09:24:57 adding rule: sshd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: telnetd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: syslog_rules.xml 
> > 2012/05/14 09:24:57 adding rule: arpwatch_rules.xml 
> > 2012/05/14 09:24:57 adding rule: symantec-av_rules.xml 
> > 2012/05/14 09:24:57 adding rule: symantec-ws_rules.xml 
> > 2012/05/14 09:24:57 adding rule: pix_rules.xml 
> > 2012/05/14 09:24:57 adding rule: named_rules.xml 
> > 2012/05/14 09:24:57 adding rule: smbd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: vsftpd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: pure-ftpd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: proftpd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: ms_ftpd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: ftpd_rules.xml 
> > 2012/05/14 09:24:57 adding rule: hordeimp_rules.xml 
> > 
> > AND ALL THE OTHER RULES... 
> > AND THEN : 
> > 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: Connecting to '127.0.0.1', using 
> > 'XXXX', 'XXXXX', 'ossec', 0,'(null)'. 
> > 2012/05/14 09:24:57 ossec-dbd: Connected to database 'ossec' at 
> '127.0.0.1'. 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering OS_Server_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: Reading rules file: 'rules_config.xml' 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: read xml for rule 
> > '/rules/rules_config.xml'. 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: XML Variables applied. 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: Reading rules file: 'pam_rules.xml' 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: read xml for rule 
> > '/rules/pam_rules.xml'. 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: XML Variables applied. 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB() 
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB 
> > 
> > 
> > AND SO ON ! 
> > 
>
> What are the last few logs you see from ossec-dbd? This all looks like 
> startup stuff, I'm hoping to see something about inserts. 
>
> This is a similar situation to the mysql log line you gave us earlier. 
> It feels like you didn't give us enough. Was there a message after the 
> log message you posted? Something that might have hinted at the 
> success or failure of the insert? 
>
> > 
> > As you can see OSSEC successfully connects to mysql. I think there must 
> > be something with mysql, but because I can't get its log verbosity higher 
> > it's not going to be easy. 
> > 
> > Any idea ? 
> > 
>
> Check permissions on the database for the ossec user? Delete and 
> recreate the ossec database? Ask your DBA? Add more logging to 
> ossec-dbd? 
>
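The point dan is driving at in the exchange above is that the MySQL general log records the statement ossec-dbd sent, never whether the server accepted it. The following Python example is added here as an illustration and is not code from the thread or from the OSSEC project. It takes the two INSERT statements quoted in the post (reassembled onto one line each, since the mailer wrapped them), decodes the integer src_ip and epoch timestamp that ossec-dbd writes into the alert row so they can be compared against the syslog text in the data row, and then replays the statements twice against a simplified stand-in schema in SQLite (an assumption, not OSSEC's mysql.schema) to show that a second, identical insert fails on the primary key while the general log would have looked exactly the same both times. The only reliable success check is therefore a row count or SELECT on the table itself.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample: the general-log entries quoted in the thread, reassembled
# onto one line per statement (the mailer wrapped them). Hypothetical input.
GENERAL_LOG = """\
49 Connect ossecuser@localhost on ossec
49 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('3', '1', 'root', 'May 14 16:01:26 vm3 sshd[3850]: Accepted password for root from 192.168.1.20 port 36647 ssh2')
49 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('3', '1', '5715','1337004092', '2', '3232235796', '23824', '0', '23776', '1337004088.7515')
49 Quit
"""

# Simplified stand-in for the two tables touched above; an assumption, not the
# OSSEC mysql.schema. The composite key is what makes a replayed insert fail.
SCHEMA = """
CREATE TABLE data (id INTEGER, server_id INTEGER, user TEXT, full_log TEXT,
                   PRIMARY KEY (id, server_id));
CREATE TABLE alert (id INTEGER, server_id INTEGER, rule_id INTEGER,
                    timestamp INTEGER, location_id INTEGER, src_ip INTEGER,
                    src_port INTEGER, dst_ip INTEGER, dst_port INTEGER,
                    alertid TEXT, PRIMARY KEY (id, server_id));
"""

INSERT_RE = re.compile(r"INSERT INTO (\w+)\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*$", re.S)


def parse_queries(log_text):
    """Return the SQL text of every 'Query' entry in a MySQL general log."""
    out = []
    for line in log_text.splitlines():
        m = re.match(r"\s*\d+\s+Query\s+(.*)$", line)
        if m:
            out.append(m.group(1).strip())
    return out


def insert_fields(stmt):
    """Map column -> value for a single-row INSERT whose values are all quoted."""
    m = INSERT_RE.match(stmt)
    if not m:
        raise ValueError("not a single-row INSERT: %r" % stmt)
    table, cols, vals = m.groups()
    columns = [c.strip() for c in cols.split(",")]
    values = re.findall(r"'((?:[^']|'')*)'", vals)
    if len(columns) != len(values):
        raise ValueError("column/value count mismatch in %s" % table)
    return table, dict(zip(columns, values))


def int_to_ip(n):
    """ossec-dbd stores src_ip as a 32-bit integer; turn it back into a dotted quad."""
    n = int(n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def epoch_to_utc(ts):
    """Render the alert's epoch timestamp as a UTC wall-clock string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def cross_check(data_stmt, alert_stmt):
    """Check that the alert row describes the same event as the data row."""
    dtab, d = insert_fields(data_stmt)
    atab, a = insert_fields(alert_stmt)
    src_ip = int_to_ip(a["src_ip"])
    consistent = (
        dtab == "data" and atab == "alert"
        and d["id"] == a["id"] and d["server_id"] == a["server_id"]
        and src_ip in d["full_log"]
    )
    return {"src_ip": src_ip, "timestamp_utc": epoch_to_utc(a["timestamp"]),
            "rule_id": a["rule_id"], "consistent": consistent}


def replay(conn, queries):
    """Execute each statement and record its outcome, which the general log never does."""
    outcomes = []
    for q in queries:
        try:
            conn.execute(q)
            conn.commit()
            outcomes.append((q[:30], "ok"))
        except sqlite3.IntegrityError as e:
            outcomes.append((q[:30], "error: %s" % e))
    return outcomes


def row_counts(conn):
    """The ground truth: how many rows actually landed in each table."""
    return {t: conn.execute("SELECT COUNT(*) FROM %s" % t).fetchone()[0]
            for t in ("data", "alert")}


def demo():
    """Replay the logged statements twice; the second pass collides on the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    queries = parse_queries(GENERAL_LOG)
    first = replay(conn, queries)
    second = replay(conn, queries)
    return first, second, row_counts(conn)


if __name__ == "__main__":
    qs = parse_queries(GENERAL_LOG)
    print(cross_check(qs[0], qs[1]))
    first, second, counts = demo()
    print(first)
    print(second)
    print(counts)
```

Decoding the quoted row gives src_ip 192.168.1.20, which is the address in the sshd line, and the alert timestamp 1337004092 decodes to 2012-05-14 14:01:32 UTC, 16:01:32 if the server sits in UTC+2 like the poster's mail headers (an assumption), a few seconds after the 16:01:26 syslog event; so the content of the insert is sane, and the question of whether it committed has to be settled with a SELECT, not with the general log.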
