On Mon, Jan 13, 2020 at 9:04 AM Schultheis Burkhard <burkhard.schulth...@gmail.com> wrote:
>
> Some weeks ago I've installed Ossec on three servers. One is running
> CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves
> as expected, but the opensuse installations behave very differently,
> although the configurations are as close as possible.
>
> From the CentOS server we get emails as expected, from the opensuse
> servers not (other programs send us emails as expected from all
> servers). The opensuse servers write tons of ossec logs, because it's in
> a start-terminate loop. Excerpt:
>

How did you install OSSEC (package, source, etc)? You could check the /var/log/audit/audit.log to see if it mentions anything about it. I have an OpenSuse VM where it worked fine, but I installed from source. I haven't powered it up in a while though.

> 2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
> 2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
> 2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sysmon_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'opensmtpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'exim_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'openbsd-dhcpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dnsmasq_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'nsd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Total rules enabled: '1603'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing IP: 'xxxx'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: 4 IPs in the allow list for active response.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing Hostname: '::1'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Allow listing Hostname: 'localhost.localdomain'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: 2 Hostname(s) in the allow list for active response.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Started (pid: 28524).
> 2020/01/13 13:45:26 ossec-monitord: INFO: Started (pid: 28536).
> 2020/01/13 13:45:28 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2020/01/13 13:45:28 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2020/01/13 13:45:28 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2020/01/13 13:45:28 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2020/01/13 13:45:28 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2020/01/13 13:45:28 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>
> Where should I look what could terminate the process?
>
> Best regards
> Burkhard
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/2f6a0b29-db32-1a1a-8a67-e031ce24bab3%40gmail.com.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAMyQvMqAwuJRNcozJniYYqGBVzu9aeCx7XtJm3qiarD-KPepeQ%40mail.gmail.com.
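
Added example, not part of the original thread or of OSSEC: one way to confirm the start-terminate loop from ossec.log itself, by pairing each daemon's "Started (pid: N)" line with the SIGNAL line that follows and measuring how long the daemon lived, which also gives the PIDs and timestamps to search for in audit.log. The sample lines are copied from the excerpt quoted above; the function names, the 10-second threshold and the reading of the parenthesised number after the daemon name as a message code rather than a PID are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the log excerpt quoted in the thread.
SAMPLE = """\
2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
2020/01/13 13:45:25 ossec-analysisd: INFO: Started (pid: 28524).
2020/01/13 13:45:26 ossec-monitord: INFO: Started (pid: 28536).
2020/01/13 13:45:28 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2020/01/13 13:45:28 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2020/01/13 13:45:28 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2020/01/13 13:45:28 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2020/01/13 13:45:28 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
""".splitlines()

# "<date> <time> <daemon>[(<code>)]: INFO: <message>"; the optional (<code>) is
# assumed to be a message code, so the PID is taken from the "Started" line only.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-[\w-]+)(?:\(\d+\))?: INFO: (.*)$")
STARTED = re.compile(r"Started \(pid: (\d+)\)")
SIGNAL = re.compile(r"SIGNAL \[\((\d+)\)-\(\w+\)\] Received")

def daemon_lifetimes(lines):
    """Return (daemon, pid, signal, seconds_alive) for every start followed by a signal."""
    started, out = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # wrapped or unrelated line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        daemon, msg = m.group(2), m.group(3)
        if (s := STARTED.search(msg)):
            started[daemon] = (ts, int(s.group(1)))
        elif (k := SIGNAL.search(msg)) and daemon in started:
            t0, pid = started.pop(daemon)
            out.append((daemon, pid, int(k.group(1)), (ts - t0).total_seconds()))
    return out

def restart_loop_suspects(lines, max_alive=10.0):
    """Daemons that received SIGTERM (15) within max_alive seconds of starting."""
    return sorted(d for d, _, sig, alive in daemon_lifetimes(lines)
                  if sig == 15 and alive <= max_alive)

if __name__ == "__main__":
    for daemon, pid, sig, alive in daemon_lifetimes(SAMPLE):
        print(f"{daemon} pid={pid} signal={sig} alive={alive:.0f}s")
```

ossec-logcollector is not reported for this sample because its "Started" line is not among the lines used.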