The last logs from ossec-dbd are these:

2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
2012/05/14 09:34:03 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 09:43:04 ossec-syscheckd: INFO: Ending syscheck scan.

As you can see there is nothing interesting; after dbd starts up, syscheck starts and logs some data. I got no more information than just that useless one... Even if I start mysql with --log-warning option.

Today while restarting OSSEC I did notice this:

/var/ossec/bin/ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-1720.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-1692.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2034.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2045.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2053.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-dbd-2059.pid' not used...

Is an unused pid bad news?

I already deleted and recreated the database from scratch three times, I'll try it again but it doesn't help...

It's strange because when watching /var/log/mysql/mysql.log with "tail -f" and connecting via SSH, I can see that ossec-dbd is logging....

49 Connect ossecuser@localhost on ossec
49 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('3', '1', 'root', 'May 14 16:01:26 vm3 sshd[3850]: Accepted password for root from 192.168.1.20 port 36647 ssh2')
49 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('3', '1', '5715','1337004092', '2', '3232235796', '23824', '0', '23776', '1337004088.7515')
49 Quit

As you can see there are INSERT commands but nothing says if it succeeded or not.

I also noticed something that seems important!
I just dropped the complete database, and when the database is freshly recreated it starts to log without any problem (if I use "select * from data" it shows every action that happened since ossec started). I see exactly the same things happening in the mysql.log file as before (when it wasn't working). I hope it will keep on working...

On Monday, May 14, 2012 3:26:19 PM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, May 14, 2012 at 5:42 AM, secatoor wrote:
> > Hi,
> >
> >
> > I don't find any option to make mysql more talkative (there is no log level
> > option). I thought it could be linked with the number of simultaneous
> > sessions, but I still can connect with the ossec user myself!
> >
> > By the way dbd in debug mode doesn't give me anything more than this:
> >
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: Starting ...
> > 2012/05/14 09:24:57 adding rule: rules_config.xml
> > 2012/05/14 09:24:57 adding rule: pam_rules.xml
> > 2012/05/14 09:24:57 adding rule: sshd_rules.xml
> > 2012/05/14 09:24:57 adding rule: telnetd_rules.xml
> > 2012/05/14 09:24:57 adding rule: syslog_rules.xml
> > 2012/05/14 09:24:57 adding rule: arpwatch_rules.xml
> > 2012/05/14 09:24:57 adding rule: symantec-av_rules.xml
> > 2012/05/14 09:24:57 adding rule: symantec-ws_rules.xml
> > 2012/05/14 09:24:57 adding rule: pix_rules.xml
> > 2012/05/14 09:24:57 adding rule: named_rules.xml
> > 2012/05/14 09:24:57 adding rule: smbd_rules.xml
> > 2012/05/14 09:24:57 adding rule: vsftpd_rules.xml
> > 2012/05/14 09:24:57 adding rule: pure-ftpd_rules.xml
> > 2012/05/14 09:24:57 adding rule: proftpd_rules.xml
> > 2012/05/14 09:24:57 adding rule: ms_ftpd_rules.xml
> > 2012/05/14 09:24:57 adding rule: ftpd_rules.xml
> > 2012/05/14 09:24:57 adding rule: hordeimp_rules.xml
> >
> > AND ALL THE OTHER RULES...
> > AND THEN :
> >
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: Connecting to '127.0.0.1', using 'XXXX', 'XXXXX', 'ossec', 0,'(null)'.
> > 2012/05/14 09:24:57 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering OS_Server_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: Reading rules file: 'rules_config.xml'
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: read xml for rule '/rules/rules_config.xml'.
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: XML Variables applied.
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: Reading rules file: 'pam_rules.xml'
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: read xml for rule '/rules/pam_rules.xml'.
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: XML Variables applied.
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > 2012/05/14 09:24:57 ossec-dbd: DEBUG: entering _Groups_ReadInsertDB
> >
> >
> > AND SO ON !
> >
>
> What are the last few logs you see from ossec-dbd? This all looks like
> startup stuff, I'm hoping to see something about inserts.
>
> This is a similar situation to the mysql log line you gave us earlier.
> It feels like you didn't give us enough. Was there a message after the
> log message you posted? Something that might have hinted at the
> success or failure of the insert?
>
> >
> > As you can see OSSEC successfully connects to mysql. I think there must be
> > something with mysql, but because I don't get its log verbose higher it's
> > not going to be easy.
> >
> > Any idea?
> >
>
> Check permissions on the database for the ossec user? Delete and
> recreate the ossec database? Ask your DBA? Add more logging to
> ossec-dbd?
>
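
Added example (not part of the thread and not OSSEC code): MySQL's general query log records statements as the server receives them, not their outcome, so the INSERT lines in mysql.log have to be checked against the alert table itself. The sketch below parses the log format quoted in the post, decodes the integer src_ip and epoch timestamp, and builds the SELECT to run; the function names and SAMPLE_LOG are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: the mysql.log lines quoted in the post above.
SAMPLE_LOG = """\
49 Connect ossecuser@localhost on ossec
49 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('3', '1', '5715','1337004092', '2', '3232235796', '23824', '0', '23776', '1337004088.7515')
49 Quit
"""

# Connection id, column list and value list of one alert INSERT.
ALERT_INSERT = re.compile(
    r"(\d+)\s+Query\s+INSERT INTO alert\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)")


def parse_alert_inserts(log_text):
    """Return one dict per alert INSERT seen in the general query log."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_INSERT.search(line)
        if not m:
            continue
        cols = [c.strip() for c in m.group(2).split(",")]
        vals = [v.strip().strip("'") for v in m.group(3).split(",")]
        if len(cols) != len(vals):
            continue  # malformed or truncated statement
        row = dict(zip(cols, vals))
        row["conn_id"] = int(m.group(1))
        # The logged src_ip is an IPv4 address stored as an integer
        # (3232235796 is 192.168.1.20, the address in full_log).
        row["src_ip"] = str(ipaddress.IPv4Address(int(row["src_ip"])))
        row["time_utc"] = datetime.fromtimestamp(
            int(row["timestamp"]), tz=timezone.utc).isoformat()
        alerts.append(row)
    return alerts


def verification_query(alerts):
    """SELECT showing which logged alert ids are really stored, or None."""
    ids = sorted({int(a["id"]) for a in alerts})
    if not ids:
        return None
    return "SELECT id, rule_id, timestamp FROM alert WHERE id IN (%s);" % (
        ", ".join(str(i) for i in ids))


if __name__ == "__main__":
    found = parse_alert_inserts(SAMPLE_LOG)
    print(found[0]["src_ip"], found[0]["time_utc"])
    print(verification_query(found))
```

An id that appears in the log but is missing from the query result is an INSERT the server received and did not store.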