Thanks Dan. Is there a way to get OSSEC to provide more details on the 
messages it actually processes? I'd like to gain a better understanding of 
this application because it has a lot of seemingly random behaviour.

On Thursday, February 9, 2017 at 9:59:24 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes <qui...@skywalk.co.za> wrote: 
> > Hi group, 
> > 
> > Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 
> > Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 
> > 
> > I am generating 5 log messages at 2 second intervals to trigger rule 1002. 
> > 16:40:43 [quintinb@ho-pri-vm-quintindev ~]$ for x in {11..15}; do logger test error$x; date; sleep 2; done 
> > Thu Feb  9 16:40:48 SAST 2017 
> > Thu Feb  9 16:40:50 SAST 2017 
> > Thu Feb  9 16:40:52 SAST 2017 
> > Thu Feb  9 16:40:54 SAST 2017 
> > Thu Feb  9 16:40:56 SAST 2017 
> > A tcpdump on the server indicates all 5 are received: 
> > 16:40:49.197974 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121 
> > 16:40:51.200118 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121 
> > 16:40:53.202224 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121 
> > 16:40:55.204480 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121 
> > 16:40:57.206407 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121 
> > 
> > Though alerts.log only shows 3 of the 5. 
> > ** Alert 1486651295.2432248: mail  - syslog,errors, 
> > 2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages 
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
> > Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11 
> > 
> > ** Alert 1486651298.2432494: mail  - syslog,errors, 
> > 2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages 
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
> > Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13 
> > 
> > ** Alert 1486651305.2432740: mail  - syslog,errors, 
> > 2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages 
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
> > Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15 
> > 
> > 
> > Sometimes it alerts on all 5. Though upon inspection it seems OSSEC misses 50%+ of my messages, even though I see the packets delivered to the server. 
> > 
> > Is there an explanation for this?  Any way I can get more verbose logging on this to investigate deeper? 
> > 
>
> OSSEC does discard some duplicate messages, and I'm not sure if the 
> timestamp is taken into account or not off hand. 
>
> > Quintin 
>
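As an added example (not code from the thread or from the OSSEC project), here is a small Python script that parses alerts.log blocks in the format quoted above and reports which of the sent test messages never produced a rule 1002 alert. The alert excerpt and the list of sent messages are constructed from the original post so the script runs offline; on a real server you would read /var/log/ossec/alerts/alerts.log instead.

```python
import re

# Constructed input: the five messages sent with `logger` in the post.
SENT = ["test error11", "test error12", "test error13",
        "test error14", "test error15"]

# Constructed excerpt of alerts.log, in the format quoted in the post.
ALERTS_LOG = """** Alert 1486651295.2432248: mail  - syslog,errors,
2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11

** Alert 1486651298.2432494: mail  - syslog,errors,
2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13

** Alert 1486651305.2432740: mail  - syslog,errors,
2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
"""

HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log into one dict per '** Alert' block (blank-line separated)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        header = HEADER.match(lines[0]) if len(lines) >= 4 else None
        rule = RULE.match(lines[2]) if header else None
        if not header or not rule:
            continue  # skip anything that is not a well-formed alert block
        alerts.append({"epoch": int(header.group(1)), "rule": int(rule.group(1)),
                       "level": int(rule.group(2)), "location": lines[1],
                       "log": "\n".join(lines[3:])})
    return alerts


def missing_messages(sent, alerts, rule_id=1002):
    """Return the sent messages that never appear in an alert for rule_id."""
    # The syslog payload is the text after the last 'tag: ' in the log line.
    seen = {a["log"].rsplit(": ", 1)[-1] for a in alerts if a["rule"] == rule_id}
    return [msg for msg in sent if msg not in seen]


if __name__ == "__main__":
    print("missing:", missing_messages(SENT, parse_alerts(ALERTS_LOG)))
```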