Re: [ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
Hi Dan,

I enabled debugging and I don't seem to get a whole lot more logs out of it. I had a few examples happen over the weekend. The issue is always for a particular rule number that I have set to null route for 30 minutes. I did enable debugging via ossec-control enable debug. I reviewed the ossec.log and the only commonality I see so far is that there are a lot of these messages at the time of the issue, for both cases:

2013/03/16 04:38:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

I do have 373 agents talking to the server. Any idea how to enable execd debug logging?

On Wednesday, March 13, 2013 4:49:10 PM UTC-7, dan (ddpbsd) wrote:
> You can run /var/ossec/bin/ossec-control enable debug on the server, and I think setting debug values to 2 in internal_options.conf might work as well. But if you know it's working intermittently, you have to know what log events are not triggering AR and which ones are.

--
You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
[ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
Are you checking the right logs, and do you have the ARs set for the right place? Sometimes people forget the log entries will be in the agents' log files, not the SERVER.

On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:
> Hello,
>
> I recently upgraded my OSSEC server to 2.7 and everything is working great. The weird issue I'm having is that the active responses sometimes don't fire. It's very intermittent, because I get email spam for my rule that is supposed to trigger a null route. I check the server's active-responses.log and it shows no entries, though previously in the same day (a couple of hours ago) I see entries for the same rule number. Any suggestions on helping determine why the OSSEC server couldn't spawn my active response for the rule?
>
> Thank you,
> Brian
[ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
Good point. For clarity, my AR is set for server execution. It then launches a shell script that loops through a set of servers in a LB pool to do a null route on those servers. I would then see the AR in the OSSEC server AR log and the client AR log. I don't even see the AR log entry in the OSSEC server AR log.

On Wednesday, March 13, 2013 1:20:06 PM UTC-7, Kat wrote:
> Are you checking the right logs, and do you have the ARs set for the right place? Sometimes people forget the log entries will be in the agents' log files, not the SERVER.
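Brian's server-side response script itself is not in the thread. What follows is an added example of such a script, written for this page; it is not his code and not part of OSSEC. It follows the argument convention ossec-execd uses for response scripts (action, user, source IP, then alert ID and rule ID), appends one line per invocation to active-responses.log in the same shape as the stock scripts, and refuses to act on anything that is not a plain IPv4 address, since the value comes out of a log line the attacker wrote and is about to be spliced into a remote command. The pool host names, the ssh/sudo transport and the log path are assumptions.

```shell
#!/bin/sh
# null-route-pool.sh: added example of a server-side OSSEC active response
# that blackholes an attacker IP on every node of a load-balanced pool.
# Not the script from the thread and not part of OSSEC; host names, the
# ssh/sudo transport and the log path are assumptions.
#
# ossec-execd invokes a response script as:
#   script <action> <user> <srcip> <alert-id> <rule-id>
# with <action> = add when the rule fires and delete when <timeout> expires.

POOL_HOSTS="${POOL_HOSTS:-lb-node1.example.net lb-node2.example.net}"  # assumed pool
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
REMOTE="${REMOTE:-ssh -o BatchMode=yes -o ConnectTimeout=5}"           # assumed transport

# The address comes from a log line the attacker wrote and is about to be
# spliced into a remote shell command, so accept only a dotted-quad IPv4.
valid_ipv4() {
    ip=$1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Command run on each node. Returned as a string so it can be inspected
# (or tested) before anything touches a routing table.
route_cmd() {
    case "$1" in
        add)    printf 'sudo ip route replace blackhole %s/32\n' "$2" ;;
        delete) printf 'sudo ip route del blackhole %s/32\n' "$2" ;;
        *)      return 1 ;;
    esac
}

# Same shape as the lines OSSEC's stock scripts write: date, script, args.
log_ar() {
    printf '%s %s %s\n' "$(date)" "$0" "$*" >> "$AR_LOG"
}

main() {
    action=$1; srcip=$3
    log_ar "$@"
    if ! valid_ipv4 "$srcip"; then
        log_ar "rejected non-IPv4 value: $srcip"
        exit 1
    fi
    cmd=$(route_cmd "$action" "$srcip") || { log_ar "unknown action: $action"; exit 1; }
    rc=0
    for host in $POOL_HOSTS; do
        # One node being down must not leave the rest of the pool open.
        if ! $REMOTE "$host" "$cmd"; then
            log_ar "failed on $host: $cmd"
            rc=1
        fi
    done
    exit $rc
}

# ossec-execd always passes arguments; with none, only define the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Wired up in ossec.conf with a command element that names the script, expects srcip and allows a timeout, plus an active-response element with location set to server, the rule's rules_id and a timeout of 1800 for the 30-minute window, ossec-execd runs the script with add when the rule fires and again with delete when the timeout expires. Because every invocation appends a line before doing anything else, a rule that fires with no matching line in active-responses.log means ossec-execd never ran the script at all, which is the situation the thread is about.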
Re: [ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
On Wed, Mar 13, 2013 at 4:43 PM, BP9906 crazi...@gmail.com wrote:
> Good point. For clarity, my AR is set for server execution. It then launches a shell script that loops through a set of servers in a LB pool to do a null route on those servers. I would then see the AR in the OSSEC server AR log and the client AR log. I don't even see the AR log entry in the OSSEC server AR log.

Can you provide your configuration, log samples that do work, and log samples that do not work?
Re: [ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
Well, that's the problem: I don't get any log entry in the OSSEC server AR log, so I think I need a debug config enabled to verify it is triggering an AR. What config setting do I set to see that?

On Wednesday, March 13, 2013 2:40:40 PM UTC-7, dan (ddpbsd) wrote:
> Can you provide your configuration, log samples that do work, and log samples that do not work?
Re: [ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent
On Wed, Mar 13, 2013 at 6:47 PM, BP9906 crazi...@gmail.com wrote:
> Well, that's the problem: I don't get any log entry in the OSSEC server AR log, so I think I need a debug config enabled to verify it is triggering an AR. What config setting do I set to see that?

You can run /var/ossec/bin/ossec-control enable debug on the server, and I think setting debug values to 2 in internal_options.conf might work as well. But if you know it's working intermittently, you have to know what log events are not triggering AR and which ones are.
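Dan's last sentence is the actual check: which alerts for the rule produced a response and which did not. The script below is an added example, not from the thread and not OSSEC's own code, that answers that from the two logs on the server by joining them on the alert ID. It assumes the response script logs the alert ID the way OSSEC's stock scripts do (they write "$0 $1 $2 $3 $4 $5", and $4 is the alert ID); the sample log lines, rule number 100100 and host names are constructed for the example.

```shell
#!/bin/sh
# ar-gaps.sh: added example (not OSSEC's code, not from the thread) that lists
# the alerts for one rule which have no matching entry in active-responses.log,
# i.e. the events that did not trigger the response.
#
# Correlation key: the alert ID, "** Alert 1363193794.1234:" in alerts.log.
# ossec-execd hands that ID to the response script as $4, and the stock
# scripts shipped with OSSEC log "$0 $1 $2 $3 $4 $5", so the same ID appears
# as the next-to-last field of the active-responses.log line when the
# response ran. A custom script gets this check only if it logs $4 too.
# The log contents below are constructed for the example.

# Alert IDs of every alert in alerts.log that matched the given rule.
alert_ids_for_rule() {
    awk -v rule="$1" '
        /^\*\* Alert / { id = $3; sub(/:$/, "", id) }
        /^Rule: /      { if ($2 == rule) print id }
    ' "$2"
}

# Alert IDs recorded in active-responses.log (next-to-last field, shaped
# like <epoch>.<seq>); other lines, e.g. errors a script writes, are skipped.
ar_alert_ids() {
    awk 'NF >= 2 && $(NF-1) ~ /^[0-9]+\.[0-9]+$/ { print $(NF-1) }' "$1"
}

# Alert IDs for the rule that never produced an active-response entry.
missing_ar_alerts() {
    rule=$1; alerts=$2; ar=$3
    want=$(mktemp); fired=$(mktemp)
    alert_ids_for_rule "$rule" "$alerts" | sort -u > "$want"
    ar_alert_ids "$ar" | sort -u > "$fired"
    comm -23 "$want" "$fired"
    rm -f "$want" "$fired"
}

# Constructed sample logs: three hits on rule 100100, one on 5712; the
# response ran (add, later delete) for the first and last 100100 hit only.
write_sample_logs() {
    cat > "$1/alerts.log" <<'EOF'
** Alert 1363193794.1234: mail  - local,null-route,
2013 Mar 13 10:56:34 (web01) 10.0.0.11->/var/log/nginx/access.log
Rule: 100100 (level 12) -> 'Scanner hammering the pool (constructed rule).'
Src IP: 203.0.113.7

** Alert 1363194100.5678: mail  - syslog,sshd,authentication_failed,
2013 Mar 13 11:01:40 (web02) 10.0.0.12->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.20

** Alert 1363195320.9101: mail  - local,null-route,
2013 Mar 13 11:22:00 (web01) 10.0.0.11->/var/log/nginx/access.log
Rule: 100100 (level 12) -> 'Scanner hammering the pool (constructed rule).'
Src IP: 203.0.113.9

** Alert 1363197000.2468: mail  - local,null-route,
2013 Mar 13 11:50:00 (web03) 10.0.0.13->/var/log/nginx/access.log
Rule: 100100 (level 12) -> 'Scanner hammering the pool (constructed rule).'
Src IP: 203.0.113.44
EOF
    cat > "$1/active-responses.log" <<'EOF'
Wed Mar 13 10:56:35 PDT 2013 /var/ossec/active-response/bin/null-route-pool.sh add - 203.0.113.7 1363193794.1234 100100
Wed Mar 13 11:01:41 PDT 2013 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.20 1363194100.5678 5712
Wed Mar 13 11:26:35 PDT 2013 /var/ossec/active-response/bin/null-route-pool.sh delete - 203.0.113.7 1363193794.1234 100100
Wed Mar 13 11:50:01 PDT 2013 /var/ossec/active-response/bin/null-route-pool.sh add - 203.0.113.44 1363197000.2468 100100
EOF
}

# Usage: ar-gaps.sh <rule-id> [alerts.log active-responses.log]
# With no log paths given, runs against the constructed sample above.
if [ $# -gt 0 ]; then
    if [ $# -ge 3 ]; then
        missing_ar_alerts "$1" "$2" "$3"
    else
        d=$(mktemp -d)
        write_sample_logs "$d"
        missing_ar_alerts "$1" "$d/alerts.log" "$d/active-responses.log"
        rm -rf "$d"
    fi
fi
```

Run against the real files as ar-gaps.sh 100100 /var/ossec/logs/alerts/alerts.log /var/ossec/logs/active-responses.log. The IDs it prints are the alerts to look up in ossec.log (with debug enabled) around their timestamps; those that produced no line at all in active-responses.log never reached the script, so the question is what ossec-analysisd and ossec-execd were doing at that moment, not what the script did.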