Re: [ossec-list] Loop on opensuse
Hi,

I installed it. In the meantime I solved the problem with help from Google:
https://unix.stackexchange.com/questions/200280/systemd-kills-service-immediately-after-start

Thanks for your help!

Best regards from Germany
Burkhard

On 17.01.2020 at 13:12, dan (ddp) wrote:
> On Mon, Jan 13, 2020 at 9:04 AM Schultheis Burkhard wrote:
> > Some weeks ago I installed Ossec on three servers. One is running
> > CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves
> > as expected, but the opensuse installations behave very differently,
> > although the configurations are as close as possible.
> >
> > From the CentOS server we get emails as expected, from the opensuse
> > servers not (other programs send us emails as expected from all
> > servers). The opensuse servers write tons of ossec logs, because it's in
> > a start-terminate loop. Excerpt:
>
> How did you install OSSEC (package, source, etc)?
> You could check the /var/log/audit/audit.log to see if it mentions anything about it.
> I have an OpenSuse VM where it worked fine, but I installed from source. I haven't powered it up in a while though.
>
> > 2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
> > 2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
> > 2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
> > 2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> > 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml
Re: [ossec-list] Loop on opensuse
On Mon, Jan 13, 2020 at 9:04 AM Schultheis Burkhard wrote:
>
> Some weeks ago I installed Ossec on three servers. One is running
> CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves
> as expected, but the opensuse installations behave very differently,
> although the configurations are as close as possible.
>
> From the CentOS server we get emails as expected, from the opensuse
> servers not (other programs send us emails as expected from all
> servers). The opensuse servers write tons of ossec logs, because it's in
> a start-terminate loop. Excerpt:
>

How did you install OSSEC (package, source, etc)?
You could check the /var/log/audit/audit.log to see if it mentions anything about it.
I have an OpenSuse VM where it worked fine, but I installed from source. I haven't powered it up in a while though.

> 2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
> 2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
> 2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.
[ossec-list] Loop on opensuse
Some weeks ago I installed Ossec on three servers. One is running CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves as expected, but the opensuse installations behave very differently, although the configurations are as close as possible.

From the CentOS server we get emails as expected, from the opensuse servers not (other programs send us emails as expected from all servers). The opensuse servers write tons of ossec logs, because it's in a start-terminate loop. Excerpt:

2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2020/01/13 13:45:25 ossec-analysi
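
One way to confirm the start-terminate loop reported in the original post from the OSSEC log itself, as an added example that is not part of the thread or of OSSEC: it counts "Started (pid: N)" lines per daemon and flags daemons that come up with several distinct pids inside a short window. The function name, the thresholds and every sample line after the first two are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape from the excerpt: "2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516)."
START_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+): INFO: Started \(pid: (\d+)\)")

def find_restart_loops(lines, min_starts=3, window=timedelta(minutes=5)):
    """Return {daemon: distinct pids started inside `window`} for daemons at or above
    min_starts. Both thresholds are assumptions to tune per host."""
    starts = defaultdict(list)  # daemon -> [(timestamp, pid), ...]
    for line in lines:
        m = START_RE.match(line.lstrip("> "))  # tolerate mail-quoted log lines
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            starts[m.group(2)].append((ts, int(m.group(3))))
    looping = {}
    for daemon, events in starts.items():
        events.sort()
        lo = best = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window start
                lo += 1
            # A repeated pid is the same process logging twice, not a restart.
            best = max(best, len({pid for _, pid in events[lo:hi + 1]}))
        if best >= min_starts:
            looping[daemon] = best
    return looping

# Constructed sample: the first two lines mirror the excerpt, the rest are invented.
SAMPLE = """\
2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2020/01/13 13:45:40 ossec-maild: INFO: Started (pid: 28601).
2020/01/13 13:45:40 ossec-execd: INFO: Started (pid: 28605).
2020/01/13 13:45:55 ossec-maild: INFO: Started (pid: 28688).
2020/01/13 13:45:55 ossec-execd: INFO: Started (pid: 28692).
2020/01/13 14:30:00 ossec-logcollector: INFO: Started (pid: 29001).
""".splitlines()

if __name__ == "__main__":
    print(find_restart_loops(SAMPLE))
```

A daemon that appears in the result is being started again and again with fresh pids, which points at the service manager or the init script rather than at the rule set the log spends most of its lines loading.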