Hello everyone,
I have a problem with security/ossec-hids-server where the Agent is not sending any data to MySQL.
Host_ip: 192.168.1.185
Jail_ip: 192.168.1.125
I installed OSSEC on the host and the agent in the jail. Both the OSSEC server and the OSSEC agent are up and running and I have no error in the logs.
As I have my web server in another jail, I have decided to send all the OSSEC data to a MySQL database. This was done because I couldn't think of how to get the data sent from the jail to the host in any other way.
When I look at the database, it is obvious that the server is sending some data to the database, but nothing sent from the agent has been recorded.
Here is the log from the OSSEC server's /ossec-hids/logs/ossec.log:
Code:
mysql> select * from agent;
Empty set (0.00 sec)
mysql> show tables;
+----------------------------+
| Tables_in_ossec |
+----------------------------+
| agent |
| alert |
| category |
| data |
| location |
| server |
| signature |
| signature_category_mapping |
+----------------------------+
8 rows in set (0.00 sec)
mysql> select * from agent;
Empty set (0.00 sec)
mysql> select * from alert;
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
| id | server_id | rule_id | timestamp | location_id | src_ip | dst_ip | src_port | dst_port | alertid |
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
| 1 | 1 | 502 | 1417014593 | 1 | 0 | 0 | 0 | 0 | 1417014592.2516 |
| 2 | 1 | 1002 | 1417024802 | 2 | 0 | 0 | 0 | 0 | 1417024800.3018 |
| 3 | 1 | 5715 | 1417028982 | 3 | 168301574 | 0 | 0 | 0 | 1417028981.3301 |
| 4 | 1 | 5303 | 1417028992 | 4 | 0 | 0 | 0 | 0 | 1417028992.3654 |
| 5 | 1 | 5302 | 1417029028 | 4 | 0 | 0 | 0 | 0 | 1417029028.3901 |
| 6 | 1 | 5303 | 1417029044 | 4 | 0 | 0 | 0 | 0 | 1417029040.4169 |
| 7 | 1 | 503 | 1417032907 | 5 | 0 | 0 | 0 | 0 | 1417032905.4416 |
| 8 | 1 | 550 | 1417032907 | 6 | 0 | 0 | 0 | 0 | 1417032905.4606 |
| 9 | 1 | 591 | 1417046418 | 7 | 0 | 0 | 0 | 0 | 1417046415.0 |
| 10 | 1 | 591 | 1417046444 | 8 | 0 | 0 | 0 | 0 | 1417046443.199 |
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
26 rows in set (0.00 sec)
mysql> select * from data;
Empty set (0.00 sec)
mysql> select * from location;
+----+-----------+----------------------------------------------+
| id | server_id | name |
+----+-----------+----------------------------------------------+
| 1 | 1 | trinity->ossec-monitord |
| 2 | 1 | trinity->/var/log/maillog |
| 3 | 1 | trinity->/var/log/auth.log |
| 4 | 1 | trinity->/var/log/messages |
| 5 | 1 | (webagent) 192.168.1.125->ossec |
| 6 | 1 | (webagent) 192.168.1.125->syscheck |
| 7 | 1 | (webagent) 192.168.1.125->ossec-logcollector |
| 8 | 1 | trinity->ossec-logcollector |
+----+-----------+----------------------------------------------+
8 rows in set (0.00 sec)
Code:
2014/11/27 11:20:37 ossec-execd: INFO: Started (pid: 9095).
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading local decoder file.
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2014/11/27 11:20:37 ossec-remoted: INFO: Started (pid: 14366).
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2014/11/27 11:20:37 ossec-rootcheck: System audit file not configured.
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Total rules enabled: '1258'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2014/11/27 11:20:42 ossec-syscheckd: INFO: Started (pid: 16957).
2014/11/27 11:20:42 ossec-rootcheck: INFO: Started (pid: 16957).
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/security'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/11/27 11:20:43 ossec-logcollector: INFO: Started (pid: 12471).
2014/11/27 11:20:53 ossec-dbd: Connected to database 'ossec' at '192.168.1.130'.
2014/11/27 11:21:45 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/11/27 11:21:45 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/11/27 11:24:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/11/27 11:25:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2014/11/27 11:25:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/11/27 11:28:22 ossec-rootcheck: INFO: Ending rootcheck scan.
2014/11/27 11:58:24 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 12:02:00 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 12:32:01 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 12:35:37 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:10:38 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:14:14 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:44:15 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:47:50 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:17:51 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:21:26 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:51:27 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:55:01 ossec-syscheckd: INFO: Ending syscheck scan.
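The `location` table in the post already holds three `(webagent) 192.168.1.125->...` rows, so the check worth doing is whether rows in `alert` are joined to those agent locations, rather than whether the `agent` table has rows (as far as I know, ossec-dbd in OSSEC 2.x never writes to `agent`; treating an empty `agent` table as harmless is my assumption). The following is an added example, not code from the original post or from the OSSEC project: it loads the `location` and `alert` rows copied from the post into an in-memory SQLite database and runs the same join you would run in the mysql client against the `ossec` database. Classifying a location as agent-originated by the `(agentname) ip->source` name pattern, and decoding `src_ip` as a host-byte-order integer (the same convention as MySQL's INET_ATON), are my assumptions about ossec-dbd's conventions, inferred from the rows shown.

```python
"""Check whether an OSSEC agent's events reach the ossec-dbd database.

Added example, not part of the original post. The row data below is copied
from the post's `select * from location;` and `select * from alert;` output;
the agent-vs-server classification and the src_ip decoding are assumptions
about ossec-dbd's conventions.
"""
import re
import sqlite3
from ipaddress import IPv4Address

# (id, server_id, name) copied from the post's location table.
LOCATIONS = [
    (1, 1, "trinity->ossec-monitord"),
    (2, 1, "trinity->/var/log/maillog"),
    (3, 1, "trinity->/var/log/auth.log"),
    (4, 1, "trinity->/var/log/messages"),
    (5, 1, "(webagent) 192.168.1.125->ossec"),
    (6, 1, "(webagent) 192.168.1.125->syscheck"),
    (7, 1, "(webagent) 192.168.1.125->ossec-logcollector"),
    (8, 1, "trinity->ossec-logcollector"),
]

# (id, server_id, rule_id, timestamp, location_id, src_ip) copied from the
# post's alert table; the always-zero dst_ip/port columns are left out.
ALERTS = [
    (1, 1, 502, 1417014593, 1, 0),
    (2, 1, 1002, 1417024802, 2, 0),
    (3, 1, 5715, 1417028982, 3, 168301574),
    (4, 1, 5303, 1417028992, 4, 0),
    (5, 1, 5302, 1417029028, 4, 0),
    (6, 1, 5303, 1417029044, 4, 0),
    (7, 1, 503, 1417032907, 5, 0),
    (8, 1, 550, 1417032907, 6, 0),
    (9, 1, 591, 1417046418, 7, 0),
    (10, 1, 591, 1417046444, 8, 0),
]

# Assumed ossec-dbd naming: agent locations look like "(agentname) ip->source".
AGENT_NAME_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->")

# The same SELECT works unchanged in the mysql client against the ossec database.
PER_LOCATION_SQL = """
SELECT l.name, COUNT(a.id), MAX(a.timestamp)
FROM location l LEFT JOIN alert a ON a.location_id = l.id
GROUP BY l.id ORDER BY l.id
"""


def build_db():
    """Create the two tables (only the columns used here) and load the rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE location (id INTEGER PRIMARY KEY, server_id INTEGER, name TEXT)")
    db.execute("CREATE TABLE alert (id INTEGER PRIMARY KEY, server_id INTEGER, rule_id INTEGER,"
               " timestamp INTEGER, location_id INTEGER, src_ip INTEGER)")
    db.executemany("INSERT INTO location VALUES (?,?,?)", LOCATIONS)
    db.executemany("INSERT INTO alert VALUES (?,?,?,?,?,?)", ALERTS)
    return db


def source_of(location_name):
    """Return 'agent:<name>' for agent-originated locations, else 'server'."""
    m = AGENT_NAME_RE.match(location_name)
    return f"agent:{m.group('agent')}" if m else "server"


def alerts_by_source(db):
    """Count alerts per originating host (server or agent) via the location join."""
    counts = {}
    for name, n, _last_seen in db.execute(PER_LOCATION_SQL):
        src = source_of(name)
        counts[src] = counts.get(src, 0) + n
    return counts


def decode_src_ip(value):
    """Decode src_ip, assumed to be stored as a host-order unsigned integer."""
    return str(IPv4Address(value)) if value else None


if __name__ == "__main__":
    db = build_db()
    print(alerts_by_source(db))  # {'server': 7, 'agent:webagent': 3}
    for rule_id, src in db.execute("SELECT rule_id, src_ip FROM alert WHERE src_ip <> 0"):
        print(rule_id, decode_src_ip(src))  # 5715 10.8.20.6
```

On the rows in the post, three of the ten alerts (rules 503, 550 and 591 at locations 5, 6 and 7) are attached to the `(webagent) 192.168.1.125` locations, so the agent's events are reaching the database; the empty `agent` table is a separate question from whether agent data arrives. Running `PER_LOCATION_SQL` directly in the mysql client gives the per-location counts and the last timestamp for each, which also shows quickly whether a given agent log source has gone quiet.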