On Tue, Oct 8, 2019 at 11:42 AM Jerry Lowry <michaiah2...@gmail.com> wrote:
>
> Dan,
> Well my test system has been running since last Thursday without any database
> problems. I installed MariaDB 13.4. Still not getting email to work but will
> continue to check on that.
> So, if the MySQL database has an agent table and you don't add any agents to
> it, why is it there?
>

I can't say for sure (I didn't write it). But my assumption is that this
was for a planned feature that never materialized. My "never" response
wasn't quite right. I guess it should have been "whenever someone adds
that feature."
I'd like to do some work in dbd, but I don't have a lot of time. I feel
like the time I do have would be better spent elsewhere right now.

> jerry
>
> On Thu, Oct 3, 2019 at 10:12 AM dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry <michaiah2...@gmail.com> wrote:
>> >
>> > Dan,
>> > trying to add the agent I get this:
>> > ***************************************
>> > * OSSEC HIDS v3.3.0 Agent manager. *
>> > * The following options are available: *
>> > ****************************************
>> > (I)mport key from the server (I).
>> > (Q)uit.
>> > Choose your action: I or Q: i
>> >
>> > * Provide the Key generated by the server.
>> > * The best approach is to cut and paste it.
>> > *** OBS: Do not include spaces or new lines.
>> >
>> > Paste it here (or '\q' to quit): <key from server>
>> > Agent information:
>> > ID:002
>> > Name:tcpdiag
>> > IP Address:10.10.10.29
>> >
>> > Confirm adding it?(y/n): y
>> > Not Adding.
>> >
>>
>> That's very odd, haven't seen that. I only see 2 places in the source
>> for that, and both assume the user didn't type y or Y.
>>
>> > Also, when does the agent get added to the database? If it's done on the
>> > server the manage_agents is not working!
>>
>> The mysql database? Never.
>>
>> > jerry
>> >
>> > On Wed, Oct 2, 2019 at 4:55 PM dan (ddp) <ddp...@gmail.com> wrote:
>> >>
>> >> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry <michaiah2...@gmail.com> wrote:
>> >> >
>> >> > Well, I have the agent running and the server running but they are not
>> >> > talking. From the agent log file:
>> >> > Started ossec-agentd...
>> >> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not
>> >> > accepted from the manager. Ignoring it on the agent.conf
>> >> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration
>> >> > error at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> >> > Started ossec-logcollector...
>> >>
>> >> Start removing configurations from the agent.conf until you find the
>> >> right one.
>> >>
>> >> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
>> >> > 10.10.10.108, port 1514.
>> >> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
>> >> > 10.10.10.108, port 1514
>> >> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply
>> >> > (not started). Tried: '10.10.10.108'.
>> >> >
>> >> > I get this message but it does not say what the error is?
>> >> >
>> >> > How do they communicate?
>> >> >
>> >>
>> >> UDP port 1514. This needs to be not blocked by iptables on the server
>> >> side.
>> >>
>> >> > From the server log file:
>> >> >
>> >> > 2019/10/02 15:21:42 INFO: Connected to
>> >> > west.smtp.exch083.serverdata.net. at address 199.193.205.130, port 25
>> >> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by
>> >> > server - 'jlo...@edt.com'.
>> >> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
>> >> > west.smtp.exch083.serverdata.net. (smtp server)
>> >> >
>> >> > How can you specify the smtp port and connection security?
>> >> >
>> >>
>> >> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> >> local mail server to relay the emails.
>> >>
>> >> > thanks
>> >> >
>> >> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry <michaiah2...@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Dan,
>> >> >> I have noticed that when the application is started and there are
>> >> >> errors like:
>> >> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for
>> >> >> element 'format': sms.
>> >> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to
>> >> >> database '10.10.10.108'(ossec): ERROR: Access denied for user
>> >> >> ''@'ossec' to database 'ossec'.
>> >> >>
>> >> >> When you stop ossec it does NOT kill the ossec-dbd process. Also, the
>> >> >> book specifies the use of 'format' sms for email alerts but it says
>> >> >> it's an invalid value.
>> >> >>
>> >> >> jerry
>> >> >>
>> >> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry <michaiah2...@gmail.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> Thanks Dan!
>> >> >>> That was the problem. Rebuilt PCRE with --enable-jit=no and it is off
>> >> >>> and running. This is my test VM where I installed MariaDB. I will
>> >> >>> add an agent to it and see if it has the same problem as my physical
>> >> >>> server.
>> >> >>>
>> >> >>> jerry
>> >> >>>
>> >> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp) <ddp...@gmail.com> wrote:
>> >> >>>>
>> >> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry <michaiah2...@gmail.com>
>> >> >>>> wrote:
>> >> >>>> >
>> >> >>>> > List,
>> >> >>>> >
>> >> >>>> > I just installed a test VM running CentOS 7 and installed ossec
>> >> >>>> > 3.3.0. Ran through the script and took all the default questions
>> >> >>>> > except for the email. When I try to start ossec these are the
>> >> >>>> > errors I get in the log:
>> >> >>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
>> >> >>>> > regex: '(pam_unix)$': 9.
>> >> >>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration
>> >> >>>> > error at '/etc/decoder.xml'. Exiting.
>> >> >>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
>> >> >>>> > regex: '(pam_unix)$': 9.
>> >> >>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration
>> >> >>>> > error at '/etc/decoder.xml'. Exiting.
>> >> >>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
>> >> >>>> > regex: '(pam_unix)$': 9.
>> >> >>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration
>> >> >>>> > error at '/etc/decoder.xml'. Exiting.
>> >> >>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on
>> >> >>>> > regex: '(pam_unix)$': 9.
>> >> >>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration
>> >> >>>> > error at '/etc/decoder.xml'. Exiting.
>> >> >>>> > I have not touched any of the rules or configuration files as they
>> >> >>>> > were set up based on the question in the installation script.
>> >> >>>> >
>> >> >>>> > So, what am I missing? Shouldn't this run with a default
>> >> >>>> > install?
>> >> >>>> >
>> >> >>>>
>> >> >>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>> >> >>>> didn't disable JIT on a system that didn't support the JIT.
>> >> >>>>
>> >> >>>> > jerry
>> >> >>>> >
>> >> >>>> > ps....no errors during the installation/compilation
>> >> >>>> >
>> >> >>>> > --
>> >> >>>> >
>> >> >>>> > ---
>> >> >>>> > You received this message because you are subscribed to the Google
>> >> >>>> > Groups "ossec-list" group.
>> >> >>>> > To unsubscribe from this group and stop receiving emails from it,
>> >> >>>> > send an email to ossec-list+unsubscr...@googlegroups.com.
>> >> >>>> > To view this discussion on the web visit
>> >> >>>> > https://groups.google.com/d/msgid/ossec-list/c9a3f10d-b29c-444c-a678-0bb0d18f7b38%40googlegroups.com.