[ossec-list] Re: ossec local logfile ignored

2016-06-15 Thread Jacob Mcgrath
I ended up moving this bash script to the Security Onion server, then with
help here wrote basic decoders and rules to trigger alerts.  Still going to
play with the agent custom log file issue off and on.

On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
>
> Anyone have an issue like this? The OSSEC server says it's not available and
> ignores it.  But it is there... weird?
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
> System Check Domain Cluster - A appears to be down 06092016 09:50:01
> System Check Domain Cluster - A appears to be down 06092016 09:52:01
> System Check Domain Cluster - A appears to be down 06092016 09:54:01
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-game.log
> System Check Gaming Cluster -  appears to be down for 5 minutes 06102016 10:52:01
> System Check Gaming Cluster -  appears to be down for 5 minutes 06102016 10:54:01
> System Check Gaming Cluster -  appears to be down for 5 minutes 06102016 10:56:01
>
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log   '.
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-games.log'.
> root@alamo:/var/ossec/logs/alerts# ls -la /home/mis/admin-tools/logs/
> total 76
> drwxrwxr-x 2 mis  mis   4096 Jun  8 13:10 .
> drwxrwxr-x 4 mis  mis   4096 Jun  8 08:13 ..
> -rw-r--r-- 1 root root  7337 Jun  9 10:08  ping-domain.log
> -rw-r--r-- 1 root root 52452 Jun 10 10:52  ping-game.log
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: ossec local logfile ignored

2016-06-15 Thread dan (ddp)
On Fri, Jun 10, 2016 at 6:26 PM, Jacob Mcgrath
 wrote:
> The bash script will write each line as the check fails.  This
> log is deleted if first creation is older than 7 days (since the record
> would remain in the OSSEC archive).
>
> I thought it may be already accessed by the script as it runs every 3-5 mins
> but do not think this is the cause (I removed the cron job in control of it
> and the problem continues).
>
> Wonder if it is an issue with adding additional logs to monitor
> on the server itself.  Was trying to run route checks and other serving
> core ping checks from the OSSEC server itself instead of firing up other
> VMs to run these lesser checks.
>

Something like nagios probably makes more sense for this.
But regarding the log file problem, do you have selinux enabled? Is it
blocking access to the log file?



[ossec-list] Re: ossec local logfile ignored

2016-06-10 Thread Jacob Mcgrath
The bash script will write each line as the check fails.
 This log is deleted if first creation is older than 7 days (since the
record would remain in the OSSEC archive).

I thought it may be already accessed by the script as it runs every 3-5
mins but do not think this is the cause (I removed the cron job in control
of it and the problem continues).

Wonder if it is an issue with adding additional logs to monitor
on the server itself.  Was trying to run route checks and other serving
core ping checks from the OSSEC server itself instead of firing up other
VMs to run these lesser checks.




[ossec-list] Re: ossec local logfile ignored

2016-06-10 Thread Jacob Mcgrath

On restart, end of log.



[ossec-list] Re: ossec local logfile ignored

2016-06-10 Thread Victor Fernandez
Hi Jacob.

When does that message appear? I mean, does it happen on OSSEC start, or
after a while?

Can you see a message like the following when OSSEC starts?

ossec-logcollector(1950): INFO: Analyzing file: '/home/mis/admin-tools/logs/ping-domain.log'

ossec-logcollector(1950): ERROR: Could not open file '/home/mis/admin-tools/logs/ping-domain.log'

I think the message "File not available, ignoring it" appears when OSSEC
opens the file successfully but fails on reading it, maybe due to a
rotation.

Kind regards. 

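A small diagnostic helper, added here as an example for this thread (it is not OSSEC code and not something any of the posters ran), that turns the two questions raised above into something you can execute on the server: Victor's question of whether the failure is "Could not open file" at start-up or "File not available, ignoring it" later, and dan's question of whether SELinux is blocking access. The function names, the one-line token output format and the sample ossec.log lines (constructed from the messages quoted in this thread) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not OSSEC code). POSIX sh.
# Sorts ossec-logcollector messages into the cases Victor describes and checks a
# <localfile> path the way dan suggests (readability, SELinux label).

# classify_logcollector_line LINE
#   open-failed  "ERROR: Could not open file"            -> path or permission problem at open time
#   read-failed  "INFO: File not available, ignoring it" -> opened, then unreadable (rotation, deletion)
#   analyzing    "INFO: Analyzing file"                  -> file picked up normally
#   other        not a logcollector file message
classify_logcollector_line() {
    case "$1" in
        *"ossec-logcollector("*"Could not open file"*)             echo open-failed ;;
        *"ossec-logcollector("*"File not available, ignoring it"*) echo read-failed ;;
        *"ossec-logcollector("*"Analyzing file"*)                  echo analyzing ;;
        *)                                                          echo other ;;
    esac
}

# extract_path LINE: the single-quoted path from a logcollector message, with
# trailing whitespace removed so a <location> that was saved with trailing
# spaces (as in the thread's first message) compares equal to the on-disk name.
extract_path() {
    printf '%s\n' "$1" | sed -n "s/.*'\([^']*\)'.*/\1/p" | sed 's/[[:space:]]*$//'
}

# summarize_ossec_log: read ossec.log on stdin, count each category.
summarize_ossec_log() {
    of=0; rf=0; an=0; ot=0
    while IFS= read -r line; do
        case "$(classify_logcollector_line "$line")" in
            open-failed) of=$((of + 1)) ;;
            read-failed) rf=$((rf + 1)) ;;
            analyzing)   an=$((an + 1)) ;;
            *)           ot=$((ot + 1)) ;;
        esac
    done
    echo "open-failed=$of read-failed=$rf analyzing=$an other=$ot"
}

# check_localfile PATH: one line of space-separated tokens.
#   missing | exists [readable|unreadable] [selinux=<mode> label=<context>]
# Run it as the user ossec-logcollector runs as; the SELinux tokens appear
# only on hosts where getenforce exists.
check_localfile() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
        return 0
    fi
    status=exists
    if [ -r "$p" ]; then status="$status readable"; else status="$status unreadable"; fi
    if command -v getenforce >/dev/null 2>&1; then
        status="$status selinux=$(getenforce 2>/dev/null || echo unknown)"
        status="$status label=$(ls -dZ "$p" 2>/dev/null | awk '{print $1}')"
    fi
    echo "$status"
}

# Constructed sample ossec.log, modelled on the lines quoted in this thread.
sample_ossec_log() {
    cat <<'EOF'
2016/06/10 10:49:06 ossec-logcollector(1950): INFO: Analyzing file: '/home/mis/admin-tools/logs/ping-game.log'.
2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log   '.
2016/06/10 10:49:07 ossec-logcollector(1950): ERROR: Could not open file '/home/mis/admin-tools/logs/ping-games.log'.
2016/06/10 10:49:07 ossec-remoted(1410): INFO: Started (pid: 1410).
EOF
}

# Usage on a real server:  summarize_ossec_log < /var/ossec/logs/ossec.log
# then, for each path a message names:  check_localfile "$(extract_path "$line")"
if [ $# -gt 0 ]; then
    for p in "$@"; do printf '%s: %s\n' "$p" "$(check_localfile "$p")"; done
fi
```

Two things this makes visible that the thread's own output already hints at: the first "File not available" line quotes the path with trailing spaces inside the quotes, and the second names ping-games.log while the directory listing shows ping-game.log, so comparing `extract_path` output against what `ls` reports is a quicker check than staring at ossec.conf. A "missing" or "unreadable" result from `check_localfile` points at the configuration or permissions; an "exists readable" file that still produces "File not available" lines is the rotation or deletion case Victor describes.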