Discussion:
[ossec-list] ossec-logcollector: WARN: Process locked. Waiting for permission...
Louis Bohm
2018-10-26 13:38:07 UTC
I am running:
ossec-hids-agent-3.0.1-5667.el7.art.x86_64
ossec-hids-3.0.1-5667.el7.art.x86_64
From what I can tell I do not have any errors in my config files. I start up ossec and all looks good on the agent in the logs. I then use Metasploit on a different host to attack ssh on the agent. Very quickly I get the following in the log file:
2018/10/26 13:10:34 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2018/10/26 13:10:34 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/10/26 13:10:34 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/messages'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/secure'.
2018/10/26 13:10:34 ossec-logcollector: WARN: Duplicated log file given: '/var/log/maillog'.
2018/10/26 13:10:34 ossec-logcollector: INFO: Started (pid: 30071).
2018/10/26 13:10:42 ossec-logcollector: DEBUG: Reading syslog message: 'Oct 26 13:10:41 ip-10-100-17-186 sshd[30077]: Invalid user 3d from 10.100.17.49 port 38783'
2018/10/26 13:10:42 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/10/26 13:11:34 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/10/26 13:11:34 ossec-syscheckd: WARN: Process locked. Waiting for permission


I get the same result if I start up ossec-logcollector with -ddd -f.

I saw an old post saying stop all OSSEC and then remove /var/ossec/queue/ossec/.wait. So I did that. Then started up OSSEC.
[***@ip-10-100-17-186 ossec]# ls -al /var/ossec/queue/ossec/.wait
-rw-r--r-- 1 ossec ossec 1 Oct 26 13:34 /var/ossec/queue/ossec/.wait

Before I could even start up metasploit I found the following in the logs:
[***@ip-10-100-17-186 ossec]# tail -f logs/ossec.log
2018/10/26 13:34:07 ossec-syscheckd: INFO: Directory set for real time monitoring: '/data'.
2018/10/26 13:34:09 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2018/10/26 13:34:09 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/messages'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/secure'.
2018/10/26 13:34:09 ossec-logcollector: WARN: Duplicated log file given: '/var/log/maillog'.
2018/10/26 13:34:09 ossec-logcollector: INFO: Started (pid: 30292).
2018/10/26 13:34:53 ossec-logcollector: DEBUG: Reading syslog message: 'Oct 26 13:34:53 ip-10-100-17-186 dhclient[2226]: XMT: Solicit on eth0, interval 117890ms.'
2018/10/26 13:34:53 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/10/26 13:35:09 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/10/26 13:35:09 ossec-syscheckd: WARN: Process locked. Waiting for permission


So clearly it's something else. Any clue what is causing the issue?

Thanks,
Louis