Hello!

Sorry for reviving this thread, but I'm having the same problem... the cdb list
doesn't update when I make changes to the list.

Is there any solution at the moment?



On Thursday, January 19, 2012 16:35:48 UTC-3, dan (ddpbsd) wrote:
>
> Sorry for the delay. I'm seeing the same behavior. I'll try to look at
> it later, but between moving and the code complexity it might be
> beyond me right now.
>
> On Tue, Jan 10, 2012 at 9:42 AM, Andy Jack <andy...@caledoncard.com> wrote:
> > Hello Dan.  ossec-makelists does report that it is making a new .cdb:
> >
> > * File lists/employees.cdb need to be updated
> >
> > The longest I was waiting was 3-5 minutes.
> >
> > On a related note, I was trying to figure out if there was a format for
> > comments in the text version of the list.  ossec-makelists appeared to
> > put lines with leading '#' into the .cdb file (according to strings).  I
> > guess I could come up with a simple Makefile to manage comments though.
> >
> > Thanks, Andy
> >
> > On Mon, Jan 09, 2012 at 08:33:59PM -0500, dan (ddp) wrote:
> >> On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <andy...@caledoncard.com> wrote:
> >> > Hello list!  So I'm working on a cdb list of users so there can be rules
> >> > that differentiate when a user on the list vs. not on the list logs in,
> >> > as described here:
> >> >
> >> > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
> >> >
> >> > After confirming that the list is being read and the two rules are being
> >> > alerted correctly (one for on-the-list, and the other for
> >> > not-on-the-list), I tried modifying the text list and re-running
> >> > bin/ossec-makelists to see if the alerts change when a user is taken off
> >> > the list:
> >> >
> >> > 1) user1 and user2, are on the list, user3 is not.  run
> >> > bin/ossec-makelists.  run ossec-control start.
> >> > 2) logging in as either user1 or user2 alerts the on-the-list rule.
> >> > logging in as user3 alerts the not-on-the-list rule.
> >> > 3) modify the list, removing the line for user2.  re-run
> >> > bin/ossec-makelists.  leave ossec running as-is.
> >> > 4) logging in as user2 alerts the on-the-list rule still.
> >> >
> >> > According to the URL above, updating the cdb file should invalidate the
> >> > mmap and make the analysis daemon re-read the db from disk as needed,
> >> > but this doesn't appear to be happening.  Could I have something
> >> > configured incorrectly?  Permissions issue perhaps?  Or do I have to
> >> > wait a period of time for ossec to notice or purge a cache or something?
> >> >
> >> > root@pegasus:/var/ossec# ls -ld /var/ossec
> >> > dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
> >> > root@pegasus:/var/ossec# ls -ld /var/ossec/lists
> >> > drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
> >> > root@pegasus:/var/ossec# ls -l /var/ossec/lists
> >> > total 8
> >> > -rw-r--r-- 1 root ossec   77 2012-01-09 16:08 employees
> >> > -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb
> >> >
> >> > I just tried adding user4 to the list and remaking the cdb, and ossec
> >> > still alerts as though user4 is not on the list.  The behavior seems to
> >> > indicate that ossec isn't re-reading the updated lists.  I guess
> >> > restarting ossec is a workaround but that's a pain for every list
> >> > modification.
> >> >
> >> > Thanks,
> >> > Andy
> >>
> >> I don't know the answer off hand, but how long do you wait?
> >> Does ossec-makelists indicate that it's rebuilding the list?
>
