On Thu, Feb 5, 2015 at 8:21 AM, John Luko <[email protected]> wrote:
> Basically looking for when a hash in a monitored directory on computer1 changes, I'd like to see what it was on server1. Thus how it is viewed on server2 (old hash, new hash) is what I was hoping to see on server1.
>

If the hashes aren't sent in the syslog message, there isn't much you can do. You could try older versions of OSSEC as the agent installed at /var/ossec/ossec-agent and see if they work reading alerts.log (and if they do, please let us know!).

> I'm not a coder by trade, but if there is a program or command that would be helpful to run to see where the stoppage is occurring I'd be more than willing to help.
>
> On Thursday, February 5, 2015 at 7:53:44 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 4, 2015 at 11:29 PM, John Luko <[email protected]> wrote:
>> > Ok. I did a local setup and after some time I was finally able to recreate the issue. Setup was as follows:
>> >
>> > server1 (server mode) --> server 2 (hybrid mode) ---> computer1 (agent only)
>> >
>> > I made a series of changes to files on computer1 and it reported those changes to server 2, which were reflected on server 1 (it did not show what the hashes were). I changed the file a bunch of times for a few minutes and everything was reporting just fine. It wasn't until I performed several sudo -i commands on server2 that it reported the following:
>> >
>> > 2015/02/04 23:16:58 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/ossec/logs/alerts/alerts.log'.
>> >
>> > It stayed connected for almost 20 minutes before the above happened, but in production environments I am getting around 4 minutes before it starts ignoring that alerts.log.
>> >
>> > 2015/02/04 22:53:21 ossec-agentd(4102): INFO: Connected to the server (192.168.1.2:1514)
>> >
>> > So, at least for now, it appears that it is related to the sudo commands being run. Anything else I can provide to help with troubleshooting? Also, is it possible for the hashes to be sent as well?
>> >
>>
>> I've set up test environments, I need help tracking down the bug in the code.
>>
>> You want what hashes to be sent when?
>>
>> > Thanks!
>> >
>> > On Wednesday, February 4, 2015 at 12:42:12 PM UTC-5, John Luko wrote:
>> >>
>> >> I'll install it locally and see what comes up in all the logs within the system. I'll report back with anything I find!
>> >>
>> >> On Wednesday, February 4, 2015 at 7:48:36 AM UTC-5, dan (ddpbsd) wrote:
>> >>>
>> >>> On Tue, Feb 3, 2015 at 11:25 AM, John Luko <[email protected]> wrote:
>> >>> > Any thoughts on removing hybrid mode and then setting up output to syslog? Thus the provider still gets their OSSEC alerts how they currently receive them and we in turn get the same thing, but via syslog?
>> >>> >
>> >>>
>> >>> If you have a syslog listener on the higher tier manager, sure that could work. Any help fixing the bug would be great too.
>> >>>
>> >>> > On Tuesday, February 3, 2015 at 10:56:15 AM UTC-5, dan (ddpbsd) wrote:
>> >>> >>
>> >>> >> On Tue, Feb 3, 2015 at 10:45 AM, John Luko <[email protected]> wrote:
>> >>> >> > Morning:
>> >>> >> >
>> >>> >> > We're receiving the following error when using hybrid mode:
>> >>> >> >
>> >>> >> > File not available, ignoring it: '/var/ossec/logs/alerts/alerts.log'.
>> >>> >> >
>> >>> >> > Happens after about three minutes of being on. I know there is a bug attached to this (#442 I believe), any progress on this? We're running 2.7 so I don't know if upgrading to 2.8 would correct the issue?
>> >>> >> >
>> >>> >>
>> >>> >> I don't see any updates in the issue on github. I know I wasn't able to figure it out, and there didn't appear to be much interest in fixing it.
>> >>> >>
>> >>> >> > Thanks!
>> >>> >> >
>> >>> >> > --
>> >>> >> >
>> >>> >> > ---
>> >>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>> >> > For more options, visit https://groups.google.com/d/optout.
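The open question in the thread is how server1 can see the old and new checksums when hybrid mode stops reading alerts.log and the fallback is syslog output, which only helps if the hashes are in the forwarded message. As an added example (not code from the thread or from the OSSEC project), the Python below parses syscheck alerts out of an alerts.log excerpt and flattens each one into a single line carrying both hashes, the shape a syslog forwarder can relay intact. The sample alerts and hash values are constructed; the record layout is the OSSEC 2.x alerts.log format as I recall it (records start with `** Alert`, integrity alerts carry `Old md5sum was:` / `New md5sum is:` lines), so adjust the regexes if your version differs.

```python
"""Extract old/new checksums from OSSEC syscheck alerts in alerts.log.

Added example for the ossec-list thread; not code from the thread or the
OSSEC project. Assumes the OSSEC 2.x alerts.log layout described in the
lead-in. Sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample: one integrity alert and one unrelated alert in the
# alerts.log layout. Hashes are the md5/sha1 of "" and "a", purely as examples.
SAMPLE_ALERTS_LOG = """\
** Alert 1423110958.1234: - ossec,syscheck,
2015 Feb 04 23:15:58 (computer1) 192.168.1.3->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is: '0cc175b9c0f1b6a831c399e269772661'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is: '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8'

** Alert 1423110970.1300: - syslog,sshd,
2015 Feb 04 23:16:10 (computer1) 192.168.1.3->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Feb  4 23:16:09 computer1 sshd[2233]: Accepted publickey for ops from 192.168.1.10 port 50112 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\S+): - (?P<groups>.*)$")
# Agent alerts read "(host) ip->location"; alerts local to the manager read
# "hostname->location", so the parenthesised host is optional.
LOCATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<host>[^)]+)\) )?(?P<src>\S+?)->(?P<loc>.+)$"
)
PATH_RE = re.compile(r"^Integrity checksum changed for: '(?P<path>.+)'$")
OLD_RE = re.compile(r"^Old (?P<algo>md5|sha1)sum was: '(?P<h>[0-9a-f]+)'$")
NEW_RE = re.compile(r"^New (?P<algo>md5|sha1)sum is: '(?P<h>[0-9a-f]+)'$")


@dataclass
class IntegrityChange:
    timestamp: str
    host: str
    path: str
    old: Dict[str, str]  # algorithm -> previous hash
    new: Dict[str, str]  # algorithm -> current hash


def split_records(text: str) -> Iterator[List[str]]:
    """Yield each alert as its list of non-blank lines; a record begins at '** Alert'."""
    current: List[str] = []
    for line in text.splitlines():
        if line.startswith("** Alert") and current:
            yield current
            current = []
        if line.strip():
            current.append(line)
    if current:
        yield current


def parse_integrity_change(lines: List[str]) -> Optional[IntegrityChange]:
    """Return an IntegrityChange for a syscheck hash-change record, else None."""
    header = HEADER_RE.match(lines[0])
    if not header or "syscheck" not in header.group("groups") or len(lines) < 2:
        return None
    loc = LOCATION_RE.match(lines[1])
    if not loc:
        return None
    path, old, new = None, {}, {}
    for line in lines[2:]:
        if m := PATH_RE.match(line):
            path = m.group("path")
        elif m := OLD_RE.match(line):
            old[m.group("algo")] = m.group("h")
        elif m := NEW_RE.match(line):
            new[m.group("algo")] = m.group("h")
    if path is None or not (old or new):
        return None  # a syscheck alert that is not a checksum change (e.g. file added)
    host = loc.group("host") or loc.group("src")
    return IntegrityChange(loc.group("ts"), host, path, old, new)


def extract_changes(text: str) -> List[IntegrityChange]:
    """All checksum-change alerts found in an alerts.log excerpt."""
    return [c for c in (parse_integrity_change(r) for r in split_records(text)) if c]


def to_syslog_line(change: IntegrityChange) -> str:
    """One flat key=value line with both hashes, suitable for forwarding over syslog."""
    parts = [f"ossec: syscheck integrity changed host={change.host} path={change.path}"]
    for algo in sorted(set(change.old) | set(change.new)):
        parts.append(f"old_{algo}={change.old.get(algo, '-')} new_{algo}={change.new.get(algo, '-')}")
    return " ".join(parts)


if __name__ == "__main__":
    for change in extract_changes(SAMPLE_ALERTS_LOG):
        print(to_syslog_line(change))
```

Run against a real alerts.log the script emits one line per checksum change with the file path and every old/new hash present; anything that is not a syscheck checksum alert is skipped, so the unrelated sshd record in the sample produces no output.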
