[ossec-list] OSSEC-DBD in Version 2.7
Hello,

Since I've updated my ossec-server to version 2.7, the database logging has two problems which I think I fixed in my local version.

The first problem is that the last two signs of each message are cut off, which is fixed simply by editing two lines in src/os_dbd/alert.c. The len+2 counting is done for creating the templog but not when actually copying the message?!

    original line 194: snprintf(templog, len, "%s\n", al_data->log[i]);
    my line 194:       snprintf(templog, len+2, "%s\n", al_data->log[i]);
    original line 197: snprintf(templog, len, "%s", al_data->log[i]);
    my line 197:       snprintf(templog, len+2, "%s", al_data->log[i]);

The second problem was a touch more difficult. In the new version, new variables are defined for al_data like old_md5 and new_md5; when any of those finds a match, the rest of the message (especially the multiline ones) gets cut off. So I edited src/shared/read-alert.c:

    original line 465: else if(log_size < 20)
    my line 465:       if(log_size < 20)

To avoid that the alert header is shown in the message itself as well, I added at line 481 the if-clause used to find the rule_begin:

    line 479:                 issyscheck = 0;
    line 480:             }
    line 481:             if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
    line 482:             {}
    line 483:             else
    line 484:             {
    line 485 (482 in orig):   os_realloc(log, (log_size+2)*sizeof(char *), log);
    line 486 (483 in orig):   os_strdup(str, log[log_size]);
    line 487 (484 in orig):   log_size++;
    line 488 (485 in orig):   log[log_size] = NULL;
    line 489:             }

In my understanding, this change leaves the original rule message untouched, but cuts off the message head. Could you include these fixes in the original 2.7 or a later version of OSSEC? Do you need anything else from me?

Best regards,
Robert Gruber

--
---
You received this message because you are subscribed to the Google Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
[ossec-list] Dell server on RAID 1 -- Kernel messages regarding RAID degraded status. [mptscsih]
Hello everyone,

One of our servers has been having issues recently (sudden OS lockups) and I noticed a bunch of kernel errors regarding failed actions reported by mptscsih and mptbase. These weren't caught by OSSEC, so I decided to create a decoder and rules to catch any future events. I'm sharing this with everyone as I was unable to find any related posts about this and consider it something critical to know about. (The server was not monitored by OpenManage.)

Log examples:

    Feb 13 12:27:17 DellServer kernel: [ 5008.286043] mptscsih: ioc0: attempting task abort! (sc=88007a8a9f00)
    Feb 13 12:27:17 DellServer kernel: [ 5008.286050] sd 4:1:0:0: [sda] CDB: Write(10): 2a 00 08 0f 99 00 00 02 48 00
    Feb 13 12:27:17 DellServer kernel: [ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=88007a8a9f00)
    Feb 13 12:27:17 DellServer kernel: [ 5008.286073] mptscsih: ioc0: attempting target reset! (sc=88007a8a9f00)
    Feb 13 12:27:17 DellServer kernel: [ 5008.286076] sd 4:1:0:0: [sda] CDB: Write(10): 2a 00 08 0f 99 00 00 02 48 00
    Feb 13 12:27:18 DellServer kernel: [ 5009.300970] mptbase: ioc0: LogInfo(0x3114): Originator={PL}, Code={IO Executed}, SubCode(0x) cb_idx mptscsih_io_done
    Feb 13 12:27:18 DellServer kernel: [ 5009.301545] mptscsih: ioc0: target reset: SUCCESS (sc=88007a8a9f00)
    Feb 13 12:52:08 DellServer kernel: [ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
    Feb 13 12:52:08 DellServer kernel: [ 6498.769252] mptbase: ioc0: PhysDisk is now failed, out of sync
    Feb 13 12:52:08 DellServer kernel: [ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
    Feb 13 12:52:08 DellServer kernel: [ 6498.775788] mptbase: ioc0: volume is now degraded, enabled
    Feb 13 12:52:08 DellServer kernel: [ 6498.781886] end_device-4:2: mptsas: ioc0: removing ssp device: fw_channel 0, fw_id 8, phy 0,sas_addr 0x5000c50016c01335
    Feb 13 12:52:08 DellServer kernel: [ 6498.781893] phy-4:0: mptsas: ioc0: delete phy 0, phy-obj (0x880128387800)
    Feb 13 12:52:08 DellServer kernel: [ 6498.781902] port-4:2: mptsas: ioc0: delete port 2, sas_addr (0x5000c50016c01335)
    Feb 13 12:52:08 DellServer kernel: [ 6498.782590] scsi target4:0:2: mptsas: ioc0: delete device: fw_channel 0, fw_id 8, phy 0, sas_addr 0x5000c50016c01335
    Feb 13 12:57:18 DellServer kernel: [ 6807.699750] CIFS VFS: sends on sock 880036217300 stuck for 15 seconds
    Feb 13 12:57:18 DellServer kernel: [ 6807.733342] CIFS VFS: Error -11 sending data on socket to server

Kernel msgs are caught by the iptables parent decoder, so I used it on my decoders. Didn't know what else to do.

DECODERS:

    <!-- mptscsih \ mptbase decoder
      Description: module for SCSI controllers.
      Examples:
      [ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=88007a8a9f00)
      [ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
      [ 6498.769252] mptbase: ioc0: PhysDisk is now failed, out of sync
      [ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
      [ 6498.775788] mptbase: ioc0: volume is now degraded, enabled
    -->
    <decoder name="mptscsih-1">
      <parent>iptables</parent>
      <prematch>^[\s\d+.\d+] mptscsih: </prematch>
      <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
      <order>id,data,status</order>
    </decoder>

    <decoder name="mptbase-1">
      <parent>iptables</parent>
      <prematch>^[\s\d+.\d+] mptbase: </prematch>
      <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
      <order>id,data,action,status</order>
    </decoder>

RULES:

    <!-- SCSI CONTROLLER -->
    <rule id="100106" level="0" noalert="1">
      <if_sid>5100</if_sid>
      <id>mptscsih</id>
      <description>Grouping for the mptscsih rules.</description>
    </rule>

    <rule id="100107" level="0" noalert="1">
      <if_sid>5100</if_sid>
      <id>mptbase</id>
      <description>Grouping for the mptbase rules.</description>
    </rule>

    <rule id="100108" level="12">
      <if_sid>100106</if_sid>
      <status>FAILED</status>
      <description>Possible disk failure. SCSI controller error.</description>
    </rule>

    <rule id="100109" level="12">
      <if_sid>100107</if_sid>
      <action>failed</action>
      <description>SCSI RAID ARRAY ERROR, drive failed.</description>
    </rule>

    <rule id="100110" level="12">
      <if_sid>100107</if_sid>
      <action>degraded</action>
      <description>SCSI RAID is now in a degraded status.</description>
    </rule>
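The decoders and rules above, replayed over the post's own sample lines in Python, as an added example that is not part of the original post and not OSSEC's decoder engine: the OSSEC regex dialect (\s, \d, \w, \p, \D) is translated by hand into Python re, the if_sid grouping rules are folded into the decoder name, and the names decode, match_rules and SYSLOG_PREFIX are this example's own. It shows which sample line fires which rule, and that a line which only prematches (RAID STATUS CHANGE) decodes no fields and stays silent.

```python
import re

# Hand translation of the post's two OSSEC decoders into Python re (assumption:
# OSSEC's \p, any punctuation character, is rendered here as [^\w\s]).
DECODERS = {
    "mptscsih-1": {
        "prematch": re.compile(r"^\[\s*\d+\.\d+\] mptscsih: "),
        "regex": re.compile(r"^\[\s*\d+\.\d+\] (\w+): (\w+): task abort: (\w+)"),
        "order": ("id", "data", "status"),
    },
    "mptbase-1": {
        "prematch": re.compile(r"^\[\s*\d+\.\d+\] mptbase: "),
        "regex": re.compile(
            r"^\[\s*\d+\.\d+\] (\w+): (\w+):\s+\w+ is now (\w+)[^\w\s]\s(\D+)$"),
        "order": ("id", "data", "action", "status"),
    },
}

# The post's three level-12 rules as (id, level, decoder, field, value, description);
# the if_sid 100106/100107 grouping is expressed through the decoder name.
RULES = [
    (100108, 12, "mptscsih-1", "status", "FAILED",
     "Possible disk failure. SCSI controller error."),
    (100109, 12, "mptbase-1", "action", "failed",
     "SCSI RAID ARRAY ERROR, drive failed."),
    (100110, 12, "mptbase-1", "action", "degraded",
     "SCSI RAID is now in a degraded status."),
]
# Syslog/kernel header ("Feb 13 12:52:08 DellServer kernel: ") removed by hand so
# the body lines up with the post's ^[ anchored patterns (assumed parent behaviour).
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: ")

def decode(line):
    """Return (decoder name, fields); fields are empty when only the prematch hit."""
    body = SYSLOG_PREFIX.sub("", line, count=1)
    for name, dec in DECODERS.items():
        if dec["prematch"].match(body):
            m = dec["regex"].match(body)
            return name, (dict(zip(dec["order"], m.groups())) if m else {})
    return None, {}

def match_rules(line):
    """Return [(rule id, level, description), ...] the line would fire."""
    name, fields = decode(line)
    return [(rid, lvl, desc) for rid, lvl, dec, field, value, desc in RULES
            if dec == name and fields.get(field) == value]

if __name__ == "__main__":
    # One of the post's sample lines: decodes action=failed and fires rule 100109.
    sample = ("Feb 13 12:52:08 DellServer kernel: [ 6498.769252] mptbase: ioc0: "
              "PhysDisk is now failed, out of sync")
    print(decode(sample), match_rules(sample))
```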
[ossec-list] recover SERVER keys?
Well - it happened - I lost a server (hardware RAID failure and corrupted drives). So here is the question - all the agents have keys, but I lost the other end - is there ANY way to rebuild a server from this sort of thing and recover? I can't think of anything, since it is all built around the original server key (lost), but it never hurts to ask.

And before you all yell at me about backups -- yes, I know. All my other systems are backed up, just not this one. :-(
Re: [ossec-list] recover SERVER keys?
Yes, just get the client.keys from all the agents and make a single client.keys file on the server with all of them. The issue is the remote message ids, that you will need to clear on each agent (delete the rids directory) or the agents will not accept the messages from the manager.

thanks,

--
Daniel B. Cid
http://dcid.me

On Thu, Feb 14, 2013 at 2:13 PM, Kat <uncommon...@gmail.com> wrote:
> Well - it happened - I lost a server (hardware RAID failure and corrupted drives). So here is the question - all the agents have keys, but I lost the other end - is there ANY way to rebuild a server from this sort of thing and recover? I can't think of anything, since it is all built around the original server key (lost), but it never hurts to ask.
>
> And before you all yell at me about backups -- yes, I know. All my other systems are backed up, just not this one. :-(