On Thu, Aug 7, 2014 at 6:43 PM, Tim Boyer <[email protected]> wrote:
> Fixed by making ossec.log 777, which I don't like much - but it at least
> lets me see where the problem is.  Continued in another topic...
>

Yeah, that's definitely wrong. If you delete it, does it get recreated
with the proper permissions?

>
>
> On Thursday, August 7, 2014 6:30:39 PM UTC-4, Tim Boyer wrote:
>>
>> 2.8.45 on RHEL5
>>
>> Server at 10.0.130.70; agent at 10.0.130.74.  Agent log says
>>
>> [root@yamaguchi logs]# tail ossec.log
>> 2014/08/07 18:00:22 ossec-agentd(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.0.130.70'.
>> 2014/08/07 18:01:36 ossec-agentd: INFO: Trying to connect to server
>> (10.0.130.70:1514).
>> 2014/08/07 18:01:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
>> 2014/08/07 18:01:57 ossec-agentd(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.0.130.70'.
>> 2014/08/07 18:03:29 ossec-agentd: INFO: Trying to connect to server
>> (10.0.130.70:1514).
>> 2014/08/07 18:03:29 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
>> 2014/08/07 18:03:50 ossec-agentd(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.0.130.70'.
>> 2014/08/07 18:05:40 ossec-agentd: INFO: Trying to connect to server
>> (10.0.130.70:1514).
>> 2014/08/07 18:05:40 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
>> 2014/08/07 18:06:01 ossec-agentd(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.0.130.70'.
>>
>> and no entries at all in server ossec.log, which says 'firewall', right?
>> But...
>>
>> root@saratoga logs)# tcpdump -nn udp and host 10.0.130.74
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
>> 18:10:27.923241 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
>> 18:10:31.923833 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
>> 18:10:36.924107 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
>>
>> Packets coming in, but the server isn't responding.  And absolutely
>> nothing in the log, and I mean nothing.  So I crank remoted up to 2:
>>
>> root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf
>> remoted.debug=2
>>
>> and restart:
>>
>> root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf
>> remoted.debug=2
>> root@saratoga logs)# /etc/init.d/ossec start
>> Starting OSSEC: 2014/08/07 18:14:53 ossec-remoted: DEBUG: Starting ...
>> grte                                                       [  OK  ]
>> root@saratoga logs)# tail -f ossec.log
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/maillog'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/access_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/tomcat5/catalina.out'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/mrepo-access_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/mrepo-error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_access_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_request_log'.
>> 2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793).
>> 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan
>> (forwarding database).
>> 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database
>> (pre-scan).
>>
>> and.... that's all.  No logging.
>>
>> Tried this with an agent that list-agents is showing as active, and
>> tcpdump shows them shaking hands and playing nicely:
>>
>> root@saratoga logs)# tcpdump -nn udp and host 10.0.130.80
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 18:22:00.189102 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 73
>> 18:22:00.197843 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
>> 18:22:01.191213 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 105
>> 18:22:01.191703 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 137
>> 18:22:01.192152 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 153
>> 18:22:01.198877 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 713
>> 18:22:01.199373 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
>> 18:22:42.240830 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 137
>>
>> and yet after that restart - nothing at all written into ossec.log:
>>
>> root@saratoga logs)# tail ossec.log
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/tomcat5/catalina.out'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/mrepo-access_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/mrepo-error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_access_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_error_log'.
>> 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/httpd/ssl_request_log'.
>> 2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793).
>> 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan
>> (forwarding database).
>> 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database
>> (pre-scan).
>>
>>
>> Log permissions are
>>
>> rw-r--r-- 1 ossec ossec      8159 Aug  7 18:26 ossec.log
>>
>> and any pointers appreciated - hard to debug a problem if I can't see
>> logs.  Thanks....
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

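The one-way traffic in the captures above (agent .74 keeps sending to port 1514 and never gets an answer, while agent .80 gets replies) can be picked out automatically from `tcpdump -nn` output. The following Python is an added example, not code from the thread or from OSSEC: it parses the UDP lines tcpdump prints, tallies packets each agent sent to the server against replies the server sent back, and flags agents that never got one. The sample capture is constructed from the lines in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump lines in the thread:
# agent 10.0.130.74 never gets a reply, agent 10.0.130.80 does.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:10:27.923241 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:22:00.189102 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 73
18:22:00.197843 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
18:22:01.198877 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 713
"""

# One "tcpdump -nn" UDP line: timestamp, src ip.port > dst ip.port, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Yield one dict per UDP packet line; banner lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            for key in ("sport", "dport", "len"):
                pkt[key] = int(pkt[key])
            yield pkt


def agent_reply_status(text, server_ip, server_port=1514):
    """Per agent IP: packets sent to the server, replies received from it,
    and a 'silent' flag when the server never answered at all."""
    stats = defaultdict(lambda: {"sent": 0, "replied": 0})
    for p in parse_tcpdump(text):
        if p["dst"] == server_ip and p["dport"] == server_port:
            stats[p["src"]]["sent"] += 1
        elif p["src"] == server_ip and p["sport"] == server_port:
            stats[p["dst"]]["replied"] += 1
    for s in stats.values():
        s["silent"] = s["sent"] > 0 and s["replied"] == 0
    return dict(stats)


def silent_agents(text, server_ip, server_port=1514):
    """Sorted list of agents the server never replied to."""
    status = agent_reply_status(text, server_ip, server_port)
    return sorted(ip for ip, s in status.items() if s["silent"])


if __name__ == "__main__":
    for ip, s in agent_reply_status(SAMPLE, "10.0.130.70").items():
        print(ip, s)
```

Feed it a real capture with `tcpdump -nn udp and port 1514 > cap.txt` and the silent list is the set of agents to check for a missing or mismatched key on the server side.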