Re: [ossec-list] Debugging Unprocessed Log Entries

2017-02-23 Thread dan (ddp)
On Fri, Feb 10, 2017 at 3:04 AM, Quintin Beukes wrote:
> Thanks Dan. Is there a way to get OSSEC to provide more details on the
> messages it actually processes? I'd like to gain a better understanding of
> this application because it has a lot of seemingly random behaviour.
>

What information do you want? Other than what's provided by turning on
debug, I can't think of anything off hand.

> On Thursday, February 9, 2017 at 9:59:24 PM UTC+2, dan (ddpbsd) wrote:
>>
>> OSSEC does discard some duplicate messages, and I'm not sure if the
>> timestamp is taken into account or not off hand.
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Debugging Unprocessed Log Entries

2017-02-10 Thread Quintin Beukes
Thanks Dan. Is there a way to get OSSEC to provide more details on the 
messages it actually processes? I'd like to gain a better understanding of 
this application because it has a lot of seemingly random behaviour.

On Thursday, February 9, 2017 at 9:59:24 PM UTC+2, dan (ddpbsd) wrote:
>
>
> OSSEC does discard some duplicate messages, and I'm not sure if the 
> timestamp is taken into account or not off hand. 
>


Re: [ossec-list] Debugging Unprocessed Log Entries

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes wrote:
> Hi group,
>
> Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24
> UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC
> 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> I am generating 5 log messages at 2 second intervals to trigger rule 1002.
> 16:40:43 [quintinb@ho-pri-vm-quintindev ~]$ for x in {11..15}; do logger
> test error$x; date; sleep 2; done
> Thu Feb  9 16:40:48 SAST 2017
> Thu Feb  9 16:40:50 SAST 2017
> Thu Feb  9 16:40:52 SAST 2017
> Thu Feb  9 16:40:54 SAST 2017
> Thu Feb  9 16:40:56 SAST 2017
> A tcpdump on the server indicates all 5 are received:
> 16:40:49.197974 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:51.200118 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:53.202224 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:55.204480 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
> 16:40:57.206407 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
>
> Though alerts.log only shows 3 of the 5.
> ** Alert 1486651295.2432248: mail  - syslog,errors,
> 2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11
>
> ** Alert 1486651298.2432494: mail  - syslog,errors,
> 2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13
>
> ** Alert 1486651305.2432740: mail  - syslog,errors,
> 2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
>
>
> Sometimes it alerts on all 5. Though upon inspection it seems OSSEC misses
> 50%+ of my messages, even though I see the packets delivered to the server.
>
> Is there an explanation for this?  Any way I can get more verbose logging on
> this to investigate deeper?
>

OSSEC does discard some duplicate messages, and I'm not sure if the
timestamp is taken into account or not off hand.

> Quintin


[ossec-list] Debugging Unprocessed Log Entries

2017-02-09 Thread Quintin Beukes
Hi group,

Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I am generating 5 log messages at 2 second intervals to trigger rule 1002.
16:40:43 [quintinb@ho-pri-vm-quintindev ~]$ for x in {11..15}; do logger
test error$x; date; sleep 2; done
Thu Feb  9 16:40:48 SAST 2017
Thu Feb  9 16:40:50 SAST 2017
Thu Feb  9 16:40:52 SAST 2017
Thu Feb  9 16:40:54 SAST 2017
Thu Feb  9 16:40:56 SAST 2017

A tcpdump on the server indicates all 5 are received:
16:40:49.197974 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
16:40:51.200118 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
16:40:53.202224 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
16:40:55.204480 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121
16:40:57.206407 IP 10.10.10.100.41074 > 10.10.12.171.1514: UDP, length 121

Though alerts.log only shows 3 of the 5.
** Alert 1486651295.2432248: mail  - syslog,errors, 
2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages 
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11 

** Alert 1486651298.2432494: mail  - syslog,errors, 
2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages 
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13 

** Alert 1486651305.2432740: mail  - syslog,errors, 
2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages 
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' 
Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15 


Sometimes it alerts on all 5. Though upon inspection it seems OSSEC misses 
50%+ of my messages, even though I see the packets delivered to the server.

Is there an explanation for this?  Any way I can get more verbose logging 
on this to investigate deeper?

Quintin

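One way to make the comparison in the post above systematic, as an added example that is neither from the thread nor from the OSSEC project: a small Python script that parses alerts.log in the layout quoted above, reconciles the list of messages the logger loop sent against the events that actually produced a rule 1002 alert, and reports the lag between each syslog line's own timestamp and the time the alert was written. The alerts.log text embedded below is a constructed sample modelled on the three alerts in the post, not a real capture; the script assumes the syslog line (which carries no year) is in the same year and timezone as the alert header, and it skips any alert block whose layout it does not recognise rather than guessing.

```python
import re
from datetime import datetime

# Constructed sample in the alerts.log layout quoted in the thread: three rule 1002 hits
# for five "test errorNN" messages sent two seconds apart (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1486651295.2432248: mail  - syslog,errors,
2017 Feb 09 16:41:35 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:48 ho-pri-vm-quintindev quintinb: test error11

** Alert 1486651298.2432494: mail  - syslog,errors,
2017 Feb 09 16:41:38 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:52 ho-pri-vm-quintindev quintinb: test error13

** Alert 1486651305.2432740: mail  - syslog,errors,
2017 Feb 09 16:41:45 (quintindev) 10.10.10.100->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  9 16:40:56 ho-pri-vm-quintindev quintinb: test error15
"""

# What the "for x in {11..15}; do logger test error$x ..." loop produced.
SENT = ["test error%d" % x for x in range(11, 16)]

HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): .*?- (?P<groups>.*)$")
ORIGIN = re.compile(r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                    r"\((?P<agent>[^)]+)\) (?P<src>\S+)->(?P<location>\S+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SYSLOG = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")


def parse_alerts(text):
    """Split alerts.log into records: rule id, level, agent, location, message, latency."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        hdr, origin, rule = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (hdr and origin and rule):
            continue  # not a layout this parser understands; do not guess
        # Optional "Src IP:" / "User:" lines can sit between the rule and the event itself.
        body = [l for l in lines[3:] if not l.startswith(("Src IP:", "User:"))]
        event = SYSLOG.match(body[0]) if body else None
        alert_time = datetime.strptime(origin["when"], "%Y %b %d %H:%M:%S")
        rec = {
            "rule": rule["rule"],
            "level": int(rule["level"]),
            "agent": origin["agent"],
            "location": origin["location"],
            "alert_time": alert_time,
            "msg": None,
            "latency_s": None,
        }
        if event:
            # Syslog lines carry no year: assume the alert's year and timezone (assumption).
            log_time = datetime.strptime(
                "%d %s %s %s" % (alert_time.year, event["mon"], event["day"], event["time"]),
                "%Y %b %d %H:%M:%S")
            rec["msg"] = event["msg"]
            rec["latency_s"] = int((alert_time - log_time).total_seconds())
        records.append(rec)
    return records


def reconcile(sent, alerts_text, rule_id):
    """Return (messages never alerted on, in send order, {message: seconds from log line to alert})."""
    hits = [r for r in parse_alerts(alerts_text) if r["rule"] == rule_id and r["msg"]]
    latency = {r["msg"]: r["latency_s"] for r in hits}
    missing = [m for m in sent if m not in latency]
    return missing, latency


if __name__ == "__main__":
    missing, latency = reconcile(SENT, SAMPLE_ALERTS, "1002")
    print("alerted:", ", ".join("%s (+%ds)" % kv for kv in sorted(latency.items())))
    print("missing:", ", ".join(missing) or "none")
```

Run against the real file (`/var/ossec/logs/alerts/alerts.log`) with the list of messages you sent, the "missing" line is the set to chase in the debug output, and the per-message lag shows whether the gap between the tcpdump arrival time and the alert time is consistent or is itself part of the problem.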