On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes <quin...@skywalk.co.za> wrote:
> Hi group,
>
> Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24
> UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC
> 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> I am generating 5 log messages at 2 second intervals to trigger rule 1002.
> 16:40:43 [quintinb@ho-pri-vm-quintindev ~]$ for x in {11..15}; do logger
> test error$x; date; sleep 2; done
> Thu Feb  9 16:40:48 SAST 2017
> Thu Feb  9 16:40:50 SAST 2017
> Thu Feb  9 16:40:52 SAST 2017
> Thu Feb  9 16:40:54 SAST 2017
> Thu Feb  9 16:40:56 SAST 2017
> A tcpdump on the server indicates all 5 are received:
> 16:40:49.197974 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:51.200118 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:53.202224 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:55.204480 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:57.206407 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>
> Though alerts.log only shows 3 of the 5.
> ** Alert 1486651295.2432248: mail  - syslog,errors,
> 2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11
>
> ** Alert 1486651298.2432494: mail  - syslog,errors,
> 2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13
>
> ** Alert 1486651305.2432740: mail  - syslog,errors,
> 2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
>
>
> Sometimes it alerts on all 5. Though upon inspection it seems OSSEC misses
> 50%+ of my messages, even though I see the packets delivered to the server.
>
> Is there an explanation for this?  Any way I can get more verbose logging on
> this to investigate deeper?
>

OSSEC does discard some duplicate messages, and I'm not sure if the
timestamp is taken into account or not offhand.

> Quintin
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

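A systematic way to measure the gap Quintin describes is to parse alerts.log and diff the sequence numbers that reached an alert against the ones that were sent. The following is an added example written for this thread, not code from OSSEC or from either poster; the sample text is the three alerts.log entries quoted above, pasted verbatim as a constructed input, and the `test errorNN` marker pattern is an assumption matching the `logger` loop in the original message.

```python
import re

# Constructed sample: the three alerts.log entries quoted in the thread, verbatim.
SAMPLE_ALERTS = """\
** Alert 1486651295.2432248: mail  - syslog,errors,
2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11

** Alert 1486651298.2432494: mail  - syslog,errors,
2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13

** Alert 1486651305.2432740: mail  - syslog,errors,
2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
"""

# "** Alert <epoch>.<counter>: <flags> - <groups>" opens every alerts.log record.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (.*)$")
# "Rule: <id> (level <n>) -> '<description>'" follows the location line.
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# Assumed marker from the poster's `logger test error$x` loop.
MARKER = re.compile(r"test error(\d+)$")


def parse_alerts(text):
    """Split alerts.log text into records: epoch, rule id, level, and the log line(s).

    Lines between the header and the Rule line (the timestamp/location line)
    are skipped; everything after the Rule line up to the next blank line is
    the original log text that fired the rule.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"epoch": int(m.group(1)), "rule": None, "level": None, "log": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = RULE_LINE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            continue
        if current["rule"] is not None:
            current["log"].append(line)
    return alerts


def find_missing(text, rule_id, expected):
    """Return the sorted sequence numbers in `expected` that never produced
    an alert for `rule_id`. An empty list means nothing was dropped."""
    seen = set()
    for alert in parse_alerts(text):
        if alert["rule"] != rule_id:
            continue
        for line in alert["log"]:
            m = MARKER.search(line)
            if m:
                seen.add(int(m.group(1)))
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    # The thread sent error11..error15; only 11, 13 and 15 were alerted on.
    missing = find_missing(SAMPLE_ALERTS, 1002, range(11, 16))
    print("sent 5, missing:", missing)  # → [12, 14]
```

Run it against the real alerts.log after a `logger` loop with a larger range (say 100 messages at 2 second intervals) and the returned list shows exactly which messages were lost, which is a much firmer number to bring back to the list than "50%+".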