Hi everyone, I have been testing OSSEC for 2 weeks now and I have put a lot of effort into making it work and understanding it. Also, I have seen many people impressed by this application and satisfied with what it delivers - I see that Daniel Cid is active on the mailing list, as are many others of you who already have experience with OSSEC, so I have to assume that there must be something in my setup that is making OSSEC behave strangely, to my understanding:

1. I send the appropriate command from the server to the clients to start syscheck and rootcheck but nothing happens... for at least 10-15 minutes - I saw no point in waiting longer - the clients are active and I can retrieve info about the last run.

2. I was watching the run times for both syscheck and rootcheck to see if my frequency value is considered; even if I set it to 1800 sec the processes started to run at about 40 minutes' distance; is this considered normal?

3. I used <scan_day> and <scan_time> to control the moment syscheck and rootcheck run, but with no effect whatsoever....

4. I saw alerts coming from parsing the /var/log/secure logfile and I understand OSSEC can also send an alert if a log file's size is dropping... I opened the file with vim and deleted the last approximately 15 lines; OSSEC considered the file as a new file added to the system and sent a few alerts like:

   OSSEC HIDS Notification.
   2010 May 20 17:28:09

   Received From: localhost->/var/log/secure
   Rule: 5902 fired (level 8) -> "New user added to the system"
   Portion of the log(s):

   2010-02-07T21:53:49.212229+02:00 localhost useradd[4791]: new user: name=cluster, UID=65, GID=65, home=/var/lib/heartbeat, shell=/dev/null

   --END OF NOTIFICATION

   which has nothing to do with anything that happened on the system at that time!?....

5. I tried using the example Daniel Cid gave on the blog about parsing the output of a command: netstat -ptnle | grep LISTEN; everything worked until sending the alerts, which were about 3-4 alerts containing parts of the output that changed....

6. I have configured OSSEC to insert alerts into a MySQL database located on the same machine as the OSSEC server; at every syscheck run at least one MySQL connection error appears (the same server is working without problems with other databases that keep logs received from rsyslog):

   2010/05/20 09:05:02 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = '(client0) 10.5.5.203->/var/log/secure' AND server_id = '1' LIMIT 1'. Error: 'MySQL server has gone away'.
   2010/05/20 09:05:02 ossec-dbd(5209): INFO: Closing connection to database.
   2010/05/20 09:05:02 ossec-dbd(5210): INFO: Attempting to reconnect to database.
   2010/05/20 09:05:02 ossec-dbd: Connected to database 'ossecdb' at '127.0.0.1'.

7. After each syscheck run on the clients I have the following errors in the ossec.log file:

   2010/05/20 14:48:44 ossec-syscheckd: INFO: Starting syscheck scan.
   2010/05/20 14:51:49 ossec-syscheckd: Invalid entry in the integrity check database.
   2010/05/20 14:51:49 ossec-syscheckd: Invalid entry in the integrity check database.

   Sometimes it appears in the server log file too. I was not able to determine why...

Don't take this as criticism of the OSSEC development efforts or anything like that; I am only saying this after I spent a lot of time testing it and after I have been searching for solutions to some of the problems, even on this mailing list. So I would kindly ask: Has anyone encountered these problems? Maybe even found a solution to them? Has anyone actually managed to really control this application?

Thank you very much for the help so far and for any future help that you may offer; I still want to make it work for my infrastructure too.

Adi
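To put a hard number behind the timing question in point 2 and the recurring error lines in points 6 and 7, here is an added Python script; it is not part of the original post and not OSSEC's own tooling. It reads an ossec.log, measures the spacing between consecutive "Starting syscheck scan." lines, compares each gap with the configured frequency, and counts the two error messages the post quotes. The log excerpt is constructed to follow the line format shown in the post, and the 25% tolerance and the error labels are my own choices.

```python
"""Diagnostic reader for ossec.log: syscheck scan spacing and known error counts.

Added example, not OSSEC project code. Only reads the log; it does not touch
ossec.conf or the agent.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed ossec.log excerpt in the "YYYY/MM/DD HH:MM:SS daemon(pid): msg" format
# quoted in the post. Scan starts are ~40 minutes apart on purpose, to mirror point 2.
SAMPLE_LOG = """\
2010/05/20 09:05:02 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = '(client0) 10.5.5.203->/var/log/secure' AND server_id = '1' LIMIT 1'. Error: 'MySQL server has gone away'.
2010/05/20 09:05:02 ossec-dbd(5209): INFO: Closing connection to database.
2010/05/20 09:05:02 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2010/05/20 09:05:02 ossec-dbd: Connected to database 'ossecdb' at '127.0.0.1'.
2010/05/20 14:08:40 ossec-syscheckd: INFO: Starting syscheck scan.
2010/05/20 14:48:44 ossec-syscheckd: INFO: Starting syscheck scan.
2010/05/20 14:51:49 ossec-syscheckd: Invalid entry in the integrity check database.
2010/05/20 14:51:49 ossec-syscheckd: Invalid entry in the integrity check database.
2010/05/20 15:28:50 ossec-syscheckd: INFO: Starting syscheck scan.
"""

# Timestamp, daemon name, optional "(pid)", then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\(\d+\))?: (?P<msg>.*)$"
)

SCAN_START = "INFO: Starting syscheck scan."

# Substrings to count, keyed by labels chosen for this example (not OSSEC names).
KNOWN_ERRORS = {
    "mysql_gone_away": "MySQL server has gone away",
    "invalid_integrity_entry": "Invalid entry in the integrity check database",
}


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, daemon, message) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("daemon"), m.group("msg")


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def scan_start_times(text: str) -> List[datetime]:
    """Timestamps of every syscheck scan start, in log order."""
    return [ts for ts, daemon, msg in parse_log(text)
            if daemon == "ossec-syscheckd" and msg == SCAN_START]


def scan_intervals(text: str) -> List[int]:
    """Seconds between consecutive scan starts."""
    starts = scan_start_times(text)
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def check_frequency(text: str, configured_seconds: int,
                    tolerance: float = 0.25) -> List[dict]:
    """Flag each observed interval that deviates from the configured <frequency>
    by more than `tolerance` (fraction of the configured value)."""
    starts = scan_start_times(text)
    report = []
    for a, b in zip(starts, starts[1:]):
        gap = int((b - a).total_seconds())
        drift = abs(gap - configured_seconds) / configured_seconds
        report.append({"started": b.strftime("%Y/%m/%d %H:%M:%S"),
                       "interval_s": gap, "on_schedule": drift <= tolerance})
    return report


def count_known_errors(text: str) -> Dict[str, int]:
    """How often each known error message appears in the log."""
    counts = {label: 0 for label in KNOWN_ERRORS}
    for _, _, msg in parse_log(text):
        for label, needle in KNOWN_ERRORS.items():
            if needle in msg:
                counts[label] += 1
    return counts


if __name__ == "__main__":
    for entry in check_frequency(SAMPLE_LOG, configured_seconds=1800):
        print(entry)
    print(count_known_errors(SAMPLE_LOG))
```

Run it against a real ossec.log by replacing SAMPLE_LOG with the file's contents; with the 1800 s frequency from the post, both ~40 minute gaps in the sample are reported as off schedule, which is the kind of evidence worth attaching to a question like this.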