[ossec-list] Re: Agents are disconnected and the Maximum agent setting keeps reverting back to ‘254’

2013-03-22 Thread T. Case
Hi Jb Cheng - Thanks for the reply, much appreciated. 
 
 
 /etc/client.keys - 664 entries, the largest agent ID is 664
 
/root/ossec-hids-2.7/src 
CEXTRA= -DDEFAULTDIR=\"/var/ossec\"
DEXTRA=-DUSE_OPENSSL
OPENSSLCMD=-lssl -lcrypto
EEXTRA=-DUSEINOTIFY
TEXTRA=-lpthread
HEXTRA=-DMAX_AGENTS=2048
HEXTRA=-DMAX_AGENTS=2048
HEXTRA=-DMAX_AGENTS=2048
 
I do not think we restarted ossec-remoted; I thought that was included in 
"ossec-control start". After running "ossec-control status" I see it's not 
running. How do I restart it? 
[root@waossec ~]#  /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd not running...
ossec-csyslogd is running...
 
No, we did not restart OSSEC between the two points in time for "Maximum 
number..."


On Thursday, March 21, 2013 12:11:45 PM UTC-7, T. Case wrote:

> This could be more than one issue, but a couple of days ago OSSEC showed all 
> our agents Disconnected (previously worked fine). We stopped and restarted 
> the service and then the server, updated from OSSEC 2.6 to 2.7 and turned on 
> debugging. From the logs it seems to be an issue with the maximum agent setting: 
> '2048' keeps reverting back to the '254' default setting. Lots of posts on 
> agent size limits, but I cannot find anything similar to this.
>
> 3/20/13 - Agents "Disconnected" stopped working
>
> [root@waossec bin]# /var/ossec/bin/syscheck_control -l
>
> OSSEC HIDS syscheck_control. List of available agents:
>
>ID: 000, Name: OUROSSEC_SERVER.com (server), IP: 127.0.0.1, 
> Active/Local
>
>ID: 001, Name: AGENT_COMPUTER1, IP: 10.X.0.XX, Disconnected
>
>ID: 002, Name: AGENT_COMPUTER2, IP: 10.X.0.XX, Disconnected
>
>ID: 003, Name: AGENT_COMPUTER3, IP: 10.X.0.XX, Disconnected
>
> <>
>
>ID: 660, Name: AGENT_COMPUTER660, IP: 10.X.50.XX, Never connected
>
>ID: 661, Name: AGENT_COMPUTER661: 10.X.50.XX, Never connected
>
>ID: 662, Name: AGENT_COMPUTER662, IP: 10.X.20.XX, Never connected
>
>ID: 663, Name: AGENT_COMPUTER663, IP: 10.X.20.XX, Never connected
>
> List of agentless devices:
>
> [root@waossec bin]#
>
>  
>
> 03/20/13 - Checked ossec.log and saw that there was a max agents error
>
> 2013/03/20 17:09:55 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '256'.
>
> 2013/03/20 17:09:55 ossec-remoted(4110): ERROR: Maximum number of agents 
> '254' reached.
>
>  
>
>  
>
> 03/20/13 - Stopped and restarted OSSEC service with same results
>
> 03/21/13 - log showed Maximum number of agents '254' reached
>
> 03/21/13 - Updated to OSSEC version 2.7 and increased agents to '2048' 
> when we did the make
>
> 03/21/13 - Agents are still disconnected and the Maximum agent setting 
> of '2048' reverts back to '254'
>
>  
>
> [root@waossec logs]# tail -2000 ossec.log |egrep -v 
> "Buf|Pattern|pt_result|pattern"
>
> 2013/03/21 10:29:06 checking file: /etc/inittab
>
> 2013/03/21 10:29:06  starting new file: /etc/inittab
>
> 2013/03/21 10:29:06 alerting file /etc/inittab on line id:5:initdefault:
>
> 2013/03/21 10:29:06 ossec-rootcheck: DEBUG: found file.
>
> <>
>
> 2013/03/21 10:29:06  starting new file: /etc/shadow
>
> 2013/03/21 10:29:06 checking file: /etc/passwd
>
> 2013/03/21 10:29:06  starting new file: /etc/passwd
>
> 2013/03/21 10:29:06 ossec-rootcheck: DEBUG: Going into check_rc_dev
>
> 2013/03/21 10:29:06 ossec-rootcheck: DEBUG: Starting on check_rc_dev
>
> <>
>
> 2013/03/21 10:35:54 ossec-rootcheck: DEBUG: Going into check_rc_if
>
> 2013/03/21 10:35:54 ossec-rootcheck: DEBUG: Completed with all checks.
>
> 2013/03/21 10:35:59 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> 2013/03/21 10:35:59 ossec-rootcheck: DEBUG: Leaving run_rk_check
>
> 2013/03/21 10:41:33 agent_control(4110): ERROR: Maximum number of agents 
> '254' reached.
>
> 2013/03/21 10:41:33 agent_control(1202): ERROR: Configuration error at 
> '/etc/client.keys'. Exiting.
>
>  
>
> MAX Agent errors
>
> [root@waossec logs]# cat ossec.log |grep 2013/03/21 |grep Maximum
>
> 2013/03/21 08:25:17 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '2048'.
>
> 2013/03/21 08:29:58 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '2048'.
>
> 2013/03/21 08:37:37 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '256'.
>
> 2013/03/21 08:37:37 ossec-remoted(4110): ERROR: Maximum number of agents 
> '254' reached.
>
> 2013/03/21 10:16:46 ossec-remoted: INFO: (unix_domain) Maximum send buffer 
> set to: '129024'.
>
> 2013/03/21 10:16:46 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '256'.
>
> 2013/03/21 10:16:46 ossec-syscheckd: INFO: (unix_domain) Maximum send 
> buffer set to: '129024'.
>
> 2013/03/21 10:16:46 ossec-remoted(4110): ERROR: Maximum number of agents 
> '254' reached.
>
> 2013/03/21 10:16:50 ossec-syscheckd: INFO: (unix_domain) Maximum send 
> buffer set to: '129024'.
>
> 2013/03/21 10:

[ossec-list] aix 6.1 install failure

2013-03-22 Thread Rikk
If this has been addressed already, I must have missed it in my search. I 
am having the following issue while trying to install the agent on aix 6.1:
 
5- Installing the system
 - Running the Makefile
 *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
gcc -c -g -Wall -I../../ -I../../headers  
-DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DAIX -DHIGHFIRST
-DARGV0=\"zlib\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
ar cru libz.a *.o
ranlib libz.a
cp -pr zlib.h zconf.h ../../headers/
cp -pr libz.a ../
 
 *** Making os_xml ***
gcc -DXML_VAR=\"var\" -g -Wall -I../ -I../headers  
-DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DAIX -DHIGHFIRST
-DARGV0=\"os_xml\" -DXML_VAR=\"var\" -DOSSECHIDS -c os_xml.c 
os_xml_access.c os_xml_node_access.c os_xml_variables.c os_xml_writer.c
In file included from ../headers/shared.h:64,
 from os_xml.c:17:
/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' 
before 'rid_t'
In file included from ../headers/shared.h:64,
 from os_xml_writer.c:18:
/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' 
before 'rid_t'
make: The error code from the last command is 1.

Stop.
Error Making os_xml
make: The error code from the last command is 1.

Stop.
 Error 0x5.
 Building error. Unable to finish the installation.
And here is the output from rpm -qa:
 
cdrecord-1.9-7
mkisofs-1.13-4
bzip2-1.0.5-1
expat-devel-2.0.1-2
flex-2.5.4a-6
pkg-config-0.23-1
glib-1.2.10-3
gcc-4.2.0-3
gcc-c++-4.2.0-3
gcc-java-4.2.0-3
gcc-locale-4.2.0-3
readline-6.0-2
libgcrypt-1.4.4-1
libjpeg-6b-6
libjpeg-devel-6b-6
libpng-1.2.32-2
libpng-devel-1.2.32-2
libstdc++-4.2.0-3
libstdc++-devel-4.2.0-3
libxml2-2.6.23-3
libxml2-devel-2.6.23-3
expat-2.0.1-2
freetype2-2.3.9-1
bash-3.0-1
python-docs-2.6.2-1
bash-doc-3.0-1
AIX-rpm-6.1.6.0-6
python-2.6.2-1
python-devel-2.6.2-1
python-tools-2.6.2-1
binutils-2.19.1-1
info-5.0-1
freetype2-devel-2.3.9-1
glib-devel-1.2.10-3
gettext-0.17-1
pcre-8.00-1
readline-devel-6.0-2
gmp-4.3.1-1
libgcc-4.2.4-1
libffi-3.0.11-2
libiconv-1.14-2
glib2-2.30.3-2
libgpg-error-1.7-1
libtasn1-2.2-1
lzo-2.03-1
gnutls-2.8.5-1
xorg-compat-aix-1.0-1
libXpm-3.5.8-1
libXpm-devel-3.5.8-1
zlib-1.2.3-6
zlib-devel-1.2.3-6
 
Thanks,
 
Rikk
 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[ossec-list] Decoder Field Limitation?

2013-03-22 Thread Chris Decker
All,

I'm trying to decode a log that is tab-delimited.  When I paste my sample log 
into logtest I'm seeing what appears to be a limitation in the number of fields 
that can be extracted - notice how the field that should have gone into 
'extra_data' actually went into 'dstuser'.

Did I discover a bug, a known limitation, or is there something I am doing 
incorrectly?


<decoder name="bro_http_log2">
  <prematch>\d*\t</prematch>
  <regex>\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t(\d*)\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t</regex>
  <order>id,srcip,srcport,dstip,dstport,action,url,extra_data,extra_data,status,user</order>
</decoder>


log: '1363971591.501387 dQ8eQftYbig 1.2.3.4 34483   1.2.3.4 80  1   
GET somewebsite.com/blahhttps://www.google.com/ SomeBrowser 0   
10837   200 OK  -   -   1.pdf   application/pdf'

**Phase 2: Completed decoding.
   decoder: 'bro_http_log2'
   id: 'dQ8eQftYbig'
   srcip: '1.2.3.4'
   srcport: '34483'
   dstip: '1.2.3.4'
   dstport: '80'
   action: 'GET'
   url: 'somewebsite.com/blah'
   dstuser: 'https://www.google.com/'



Thanks,
Chris
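An added check, not from this thread or the OSSEC project, for the question above: it translates the subset of OSSEC regex syntax used in that decoder into a Python regex, runs it over the sample line, and reports which `<order>` name each capture group is paired with by position. The tab-delimited sample is constructed from the post's line (the archive collapsed the tabs), the `\w` class and the lazy handling of `\.*` are assumptions, and OSSEC's own decoder engine is not modelled.

```python
import re

# OSSEC escapes -> Python (assumed mapping: \. is "anything", \w approximates
# OSSEC's word class, \t and \s become a literal tab and space).
OSSEC_CLASSES = {"d": "[0-9]", "w": "[A-Za-z0-9@_-]", "s": " ", "t": "\t", ".": "."}
META = set("()*+^$|")   # characters that are meta in both syntaxes

def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used in the decoder into Python re."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt == "." and i < len(pattern) and pattern[i] == "*":
                out.append(".*?")           # OSSEC's \.* stops at the next literal
                i += 1
            elif nxt in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[nxt])
            else:
                out.append(re.escape(nxt))  # any other escaped char is a literal
        else:
            out.append(ch if ch in META else re.escape(ch))  # '.' is a literal dot
            i += 1
    return "".join(out)

def check_decoder(regex: str, order: str, sample: str) -> dict:
    """Pair each capture group with an <order> name; report what is left over."""
    fields = [f.strip() for f in order.split(",")]
    m = re.search(ossec_to_python(regex), sample)
    groups = list(m.groups()) if m else []
    return {
        "matched": m is not None,
        "captures": len(groups),
        "order_fields": len(fields),
        "assigned": list(zip(fields, groups)),     # (field name, captured value)
        "unfilled": fields[len(groups):],          # order names with no group
        "duplicates": sorted({f for f in fields if fields.count(f) > 1}),
    }

# The decoder from the post, and its sample line rebuilt with real tabs
# (constructed here: the list archive collapsed the tabs to spaces).
DECODER_REGEX = (r"\d*\t(\w+)\t(\d*.\d*.\d*.\d*)\t(\d*)\t(\d*.\d*.\d*.\d*)\t(\d*)"
                 r"\t\.*\t(\w*)\t(\.*)\t(\.*)\t(\.*)\t")
DECODER_ORDER = "id,srcip,srcport,dstip,dstport,action,url,extra_data,extra_data,status,user"
SAMPLE_LOG = "\t".join(["1363971591.501387", "dQ8eQftYbig", "1.2.3.4", "34483", "1.2.3.4",
                        "80", "1", "GET", "somewebsite.com/blah", "https://www.google.com/",
                        "SomeBrowser", "0", "10837", "200", "OK", "-", "-", "1.pdf", "application/pdf"])
```

On this decoder the check reports 9 captures against 11 order names, with the URL after the request path paired with the first `extra_data` and `status`/`user` left unfilled, so the regex and order line up as intended and the `dstuser` seen in logtest is not explained by their alignment alone.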





Re: [ossec-list] Decoder Field Limitation?

2013-03-22 Thread anthony kasza
I haven't tested anything on an installation, so I don't know if this
is the cause of your issue or not, but your regex looks overly
complex.
Have you tried reducing the number of captured fields?

-Anthony

On Fri, Mar 22, 2013 at 2:29 PM, Chris Decker  wrote:





Re: [ossec-list] Decoder Field Limitation?

2013-03-22 Thread Christopher Decker
I actually have more fields I want to pull out, but this "bug" is preventing me 
from doing so.  Has anyone else run into this?  I can always use matches in my 
rules, but I like the flexibility of normalizing and writing rules that way. 

Sent from my iPhone

On Mar 22, 2013, at 4:05 PM, anthony kasza  wrote:






[ossec-list] Re: aix 6.1 install failure

2013-03-22 Thread Jb Cheng
Found a related link: 
http://osdir.com/ml/ossec-list/2009-10/msg00041.html (thanks to Daniel 
Cid).

It seems to be a bug in gcc that can't compile some AIX headers. 
The suggestion was to use the "xlc" compiler instead of gcc.
OSSEC compiled fine with AIX 5.2 and 5.3.


On Friday, March 22, 2013 12:10:33 PM UTC-7, Rikk wrote:
