[ossec-list] OSSEC-DBD in Version 2.7

2013-02-14 Thread lasbushus
Hello,

since I've updated my ossec-server to version 2.7, the database logging has
two problems which I think I fixed in my local version.
The first problem is that the last two signs of each message are cut off,
which is fixed simply by editing two lines in src/os_dbd/alert.c:
the len+2 counting is done for creating the templog but not when actually
copying the message?!
original line 194: snprintf(templog, len, "%s\n", al_data->log[i]);
my line 194: snprintf(templog, len+2, "%s\n", al_data->log[i]);
original line 197: snprintf(templog, len, "%s", al_data->log[i]);
my line 197: snprintf(templog, len+2, "%s", al_data->log[i]);


The second problem was a touch more difficult. In the new version, new
variables are defined for al_data, like old_md5 and new_md5;
when any of those finds a match, the rest of the message (especially the
multiline ones) gets cut off.

So I edited src/shared/read-alert.c

original line 465: else if(log_size < 20)
my line 465: if(log_size < 20)

To avoid the alert header being shown in the message itself as well, I
added at line 481 the if-clause used to find the rule_begin:
line 479: issyscheck = 0;
line 480: }
line 481: if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
line 482: {}
line 483: else
line 484: {
line 485 (482 in orig): os_realloc(log, (log_size+2)*sizeof(char *), log);
line 486 (483 in orig): os_strdup(str, log[log_size]);
line 487 (484 in orig): log_size++;
line 488 (485 in orig): log[log_size] = NULL;
line 489: }

In my understanding, this change leaves the original rule message
untouched, but cuts off the message head.

Could you include these fixes in the original 2.7 or a later version of OSSEC?
Do you need anything else from me?

Best regards,
Robert Gruber

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[ossec-list] Dell server on RAID 1 -- Kernel messages regarding RAID degraded status. [mptscsih]

2013-02-14 Thread JPZ
Hello everyone,

One of our servers has been having issues recently (sudden OS lockups) and
I noticed a bunch of kernel errors regarding failed actions reported by
mptscsih and mptbase. These weren't caught by OSSEC, so I decided to create
a decoder and rules to catch any future events.

I'm sharing this with everyone as I was unable to find any related posts
about this and consider it something critical to know about. (The
server was not monitored by OpenManage.)

Log examples:
Feb 13 12:27:17 DellServer kernel: [ 5008.286043] mptscsih: ioc0: attempting task abort! (sc=88007a8a9f00)
Feb 13 12:27:17 DellServer kernel: [ 5008.286050] sd 4:1:0:0: [sda] CDB: Write(10): 2a 00 08 0f 99 00 00 02 48 00
Feb 13 12:27:17 DellServer kernel: [ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=88007a8a9f00)
Feb 13 12:27:17 DellServer kernel: [ 5008.286073] mptscsih: ioc0: attempting target reset! (sc=88007a8a9f00)
Feb 13 12:27:17 DellServer kernel: [ 5008.286076] sd 4:1:0:0: [sda] CDB: Write(10): 2a 00 08 0f 99 00 00 02 48 00
Feb 13 12:27:18 DellServer kernel: [ 5009.300970] mptbase: ioc0: LogInfo(0x3114): Originator={PL}, Code={IO Executed}, SubCode(0x) cb_idx mptscsih_io_done
Feb 13 12:27:18 DellServer kernel: [ 5009.301545] mptscsih: ioc0: target reset: SUCCESS (sc=88007a8a9f00)

Feb 13 12:52:08 DellServer kernel: [ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
Feb 13 12:52:08 DellServer kernel: [ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync
Feb 13 12:52:08 DellServer kernel: [ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
Feb 13 12:52:08 DellServer kernel: [ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled
Feb 13 12:52:08 DellServer kernel: [ 6498.781886]  end_device-4:2: mptsas: ioc0: removing ssp device: fw_channel 0, fw_id 8, phy 0,sas_addr 0x5000c50016c01335
Feb 13 12:52:08 DellServer kernel: [ 6498.781893]  phy-4:0: mptsas: ioc0: delete phy 0, phy-obj (0x880128387800)
Feb 13 12:52:08 DellServer kernel: [ 6498.781902]  port-4:2: mptsas: ioc0: delete port 2, sas_addr (0x5000c50016c01335)
Feb 13 12:52:08 DellServer kernel: [ 6498.782590] scsi target4:0:2: mptsas: ioc0: delete device: fw_channel 0, fw_id 8, phy 0, sas_addr 0x5000c50016c01335
Feb 13 12:57:18 DellServer kernel: [ 6807.699750] CIFS VFS: sends on sock 880036217300 stuck for 15 seconds
Feb 13 12:57:18 DellServer kernel: [ 6807.733342] CIFS VFS: Error -11 sending data on socket to server



Kernel messages are caught by the iptables parent decoder, so I used it as the
parent of my decoders. Didn't know what else to do.

<!--
mptscsih \ mptbase decoder

Description: module for SCSI controllers.

Examples:
[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=88007a8a9f00)

[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
[ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync

[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
[ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled

-->
<decoder name="mptscsih-1">
  <parent>iptables</parent>
  <prematch>^[\s\d+.\d+] mptscsih: </prematch>
  <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
  <order>id,data,status</order>
</decoder>

<decoder name="mptbase-1">
  <parent>iptables</parent>
  <prematch>^[\s\d+.\d+] mptbase: </prematch>
  <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
  <order>id,data,action,status</order>
</decoder>

RULES:

  <!-- SCSI CONTROLLER -->
  <rule id="100106" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id>mptscsih</id>
    <description>Grouping for the mptscsih rules.</description>
  </rule>

  <rule id="100107" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id>mptbase</id>
    <description>Grouping for the mptbase rules.</description>
  </rule>

  <rule id="100108" level="12">
    <if_sid>100106</if_sid>
    <status>FAILED</status>
    <description>Possible disk failure. SCSI controller error.</description>
  </rule>

  <rule id="100109" level="12">
    <if_sid>100107</if_sid>
    <action>failed</action>
    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
  </rule>

  <rule id="100110" level="12">
    <if_sid>100107</if_sid>
    <action>degraded</action>
    <description>SCSI RAID is now in a degraded status.</description>
  </rule>
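To check what the decoders above extract and which of the three level-12 rules would fire on the quoted kernel lines, here is an added Python simulation; it is not OSSEC code and not from the post. It assumes the iptables parent has consumed the syslog header and the "kernel: " prefix, and it spells the OSSEC regex escapes out in Python syntax.

```python
import re

# Python equivalents of the two OSSEC decoders in the post. OSSEC's regex dialect
# treats "[" literally and "\p" as one punctuation character, so those are spelled
# out in Python syntax; the capture groups follow each decoder's <order> line.
DECODERS = [
    ("mptscsih-1", r"^\[\s\d+.\d+\] mptscsih: ",
     r"^\[\s\d+.\d+\] (\w+): (\w+): task abort: (\w+)", ("id", "data", "status")),
    ("mptbase-1", r"^\[\s\d+.\d+\] mptbase: ",
     r"^\[\s\d+.\d+\] (\w+): (\w+):\s+\w+ is now (\w+)[,.;:!?]\s(\D+)$",
     ("id", "data", "action", "status")),
]

# The three alerting rules from the post as (rule id, level, decoded id, field, value);
# the grouping rules 100106/100107 only test the decoded id, so they are folded in.
RULES = [
    (100108, 12, "mptscsih", "status", "FAILED"),
    (100109, 12, "mptbase", "action", "failed"),
    (100110, 12, "mptbase", "action", "degraded"),
]

# Syslog header plus the "kernel: " prefix the iptables parent decoder consumes (assumed).
HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: ")

def decode(line):
    """First decoder whose prematch hits, with its extracted fields (or None)."""
    body = HEADER.sub("", line, count=1)
    for name, prematch, regex, order in DECODERS:
        if re.search(prematch, body):
            m = re.search(regex, body)
            return {"decoder": name, **(dict(zip(order, m.groups())) if m else {})}
    return None

def rule_for(line):
    """(rule id, level) that would fire for this log line, or None."""
    fields = decode(line) or {}
    for rule_id, level, dec_id, field, value in RULES:
        if fields.get("id") == dec_id and fields.get(field) == value:
            return (rule_id, level)
    return None

# Constructed sample lines, re-joined from the kernel messages quoted in the post.
SAMPLES = [
    "Feb 13 12:27:17 DellServer kernel: [ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=88007a8a9f00)",
    "Feb 13 12:52:08 DellServer kernel: [ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync",
    "Feb 13 12:52:08 DellServer kernel: [ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled",
    "Feb 13 12:27:18 DellServer kernel: [ 5009.301545] mptscsih: ioc0: target reset: SUCCESS (sc=88007a8a9f00)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(rule_for(line), decode(line))
```

Note that "task abort: FAILED" is the only mptscsih message the regex extracts a status from; the "attempting task abort!" and "target reset: SUCCESS" lines pass the prematch but yield no fields, so no rule fires on them.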






[ossec-list] recover SERVER keys?

2013-02-14 Thread Kat
Well - it happened - I lost a server (hardware raid failure and corrupted 
drives). 
So here is the question - all the agents have keys, but I lost the other 
end - is there ANY way to rebuild a server from this sort of thing and 
recover?

I can't think of anything, since it is all built around the original server 
key (lost), but it never hurts to ask..

And before you all yell at me about backups -- yes, I know. All my other 
systems are backed up, just not this one. :-(





Re: [ossec-list] recover SERVER keys?

2013-02-14 Thread Daniel Cid
Yes, just get the client.keys from all the agents and make a single
client.keys file on the
server with all of them.

The issue is the remote message ids, that you will need to clear on
each agent (delete the rids directory)
or the agents will not accept the messages from the manager.

thanks,

--
Daniel B. Cid
http://dcid.me

On Thu, Feb 14, 2013 at 2:13 PM, Kat uncommon...@gmail.com wrote:
> Well - it happened - I lost a server (hardware raid failure and corrupted
> drives).
> So here is the question - all the agents have keys, but I lost the other end
> - is there ANY way to rebuild a server from this sort of thing and recover?
>
> I can't think of anything, since it is all built around the original server
> key (lost), but it never hurts to ask..
>
> And before you all yell at me about backups -- yes, I know. All my other
> systems are backed up, just not this one. :-(



