OSSEC Agent Seems to Stop Parsing and/or reporting localfile entry

scotsie
New Forum User
Posts: 1
Joined: Fri May 14, 2021 7:23 pm

OSSEC Agent Seems to Stop Parsing and/or reporting localfile entry


I have 2 servers with ossec-hids-agent and identical configuration files.
OS: CentOS release 6.10 (Final)
OSSEC version: OSSEC HIDS v3.6.0 - OSSEC Foundation

In the local server's ossec-agent.conf I added a custom localfile entry for Tomcat log files that rotate frequently and use a to-the-second creation-time naming convention,
e.g. access_log.2021.03.05-07.13.40.txt

Code:

<localfile>
  <log_format>apache</log_format>
  <location>/vendor/application/logs/tomcat/access_log*.txt</location>
  <only-future-events>yes</only-future-events>
</localfile>
After adding this and running ./ossec-control restart, it seems to work normally and the log files are processed. The server receives events and active responses are generated as expected.

Server A
I see it continue to pick up new log files and complain about missing (rotated) log files as expected. The server continues to receive alerts.

Server B
It seems to stop processing the tomcat access_log*.txt files once it reports the first missing file (due to rotation).

Code:

2021/03/09 07:25:05 ossec-logcollector(1103): ERROR: Could not open file '/vendor/application/logs/tomcat/access_log.2021.03.04-08.12.32.txt' due to [(2)-(No such file or directory)].
When this happens, logcollector is still running and processing other, less chatty log files.
Initially there was a version difference, with the problematic server running ossec-hids 3.3; however, I removed it, removed the installed directory and files, and installed the 3.6 release as an initial 'fix'.
I also removed the <only-future-events> option as a test and it didn't seem to make a difference.
I've enabled debug level 2 on both servers but do not see much more information than I had before.

Guidance or pointers appreciated for further troubleshooting.
This is a repost from the Google ossec-list, so I apologize for the duplication, but I hope to get more traction here. Thank you for your time.
scotsie
New Forum User
Posts: 1
Joined: Fri May 14, 2021 7:23 pm

Re: OSSEC Agent Seems to Stop Parsing and/or reporting localfile entry


As a follow-up to this post, for anyone who might run into a similar problem:
My issue turned out to be that I had missed the line in the documentation saying that the wildcard only supports files that exist on startup.
The example documentation didn't mention this particular point; however, some older-version documentation configuration guides did.

Given that the file names also changed rapidly, that the strftime format did not seem to work with the minute/second naming of the logs, AND that strftime plus wildcards don't work together, a workaround was required.

We solved this with a crontab job that sorts the directory by date/time and creates/updates a symlink to the newest file.

Code:

*/1 * * * * ln -sf `ls /vendor/application/logs/tomcat/access_log*txt | sort -n  | tail -n 1` /var/ossec/logs/tomcat/access_log.ossec
ossec-agent.conf was then modified to monitor that link, and logcollector seems to follow it when the target file changes periodically.

Code:

  <localfile>
    <log_format>apache</log_format>
    <location>/vendor/application/logs/tomcat/access_log.ossec</location>
  </localfile>
A much more experienced coworker came up with this workaround, so I can't take any credit other than for the execution, but I hope it helps the next person.
Last edited by scotsie on Tue Aug 31, 2021 7:01 pm, edited 1 time in total.
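The following is an added example, not code from the forum post or from the OSSEC project, that turns the one-line crontab workaround above into a small script a practitioner can drop in and test. It assumes the same file-naming scheme as the post (access_log.YYYY.MM.DD-HH.MM.SS.txt, zero-padded, so a plain byte-order sort is also chronological) and takes the log directory and the link path as arguments; the post itself shows two different directories for the link (/var/ossec/logs/tomcat in the crontab and /vendor/application/logs/tomcat in the <location>), so note that whatever path the cron job writes is the path that must appear in <location>. The function names and the script path in the cron comment are my own choices.

```shell
#!/bin/sh
# Added example (not from the post or the OSSEC project): keep a stable
# symlink pointing at the newest rotated Tomcat access log, so OSSEC can
# monitor one fixed <location> instead of a wildcard that logcollector
# only expands at startup.
#
# Assumptions: $1 is the log directory, $2 is the symlink path, and file
# names are zero-padded timestamps, so byte-order sort == time order.

# Print the full path of the newest access_log*.txt in $1, or return 1
# if there is none (e.g. Tomcat has not written a log yet).
newest_access_log() {
    dir=$1
    # LC_ALL=C forces byte-order sorting. `sort -n`, as used in the post,
    # only works by accident: every name compares as numeric 0 and GNU
    # sort then falls back to a byte comparison.
    newest=$(cd "$dir" 2>/dev/null && ls -1 access_log*.txt 2>/dev/null \
             | LC_ALL=C sort | tail -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$dir/$newest"
}

# Point symlink $2 at the newest log in $1.
# Returns 0 if the link was updated or was already correct, 1 if no log
# exists or the link could not be written. The old link is left untouched
# on failure, so OSSEC keeps reading the previous file rather than nothing.
update_ossec_link() {
    dir=$1
    link=$2
    target=$(newest_access_log "$dir") || return 1
    # Nothing to do if the link already resolves to the newest file.
    if [ "$(readlink "$link" 2>/dev/null)" = "$target" ]; then
        return 0
    fi
    # Create the new link under a temporary name and rename it into place.
    # rename(2) is atomic, so there is never a moment when the monitored
    # path does not exist, unlike `ln -sf` which unlinks first.
    tmp="$link.tmp.$$"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }
}

# Cron entry equivalent to the post's (every minute), assuming the script
# is installed as /usr/local/sbin/ossec-tomcat-link.sh (hypothetical path):
#   * * * * * /usr/local/sbin/ossec-tomcat-link.sh /vendor/application/logs/tomcat /var/ossec/logs/tomcat/access_log.ossec
if [ "$#" -eq 2 ]; then
    update_ossec_link "$1" "$2"
fi
```

The <location> in ossec-agent.conf must be the link path (the second argument), and the link's parent directory must exist and be readable by the ossec user. Because the link is retargeted rather than rewritten in place, logcollector sees the path resolve to a new inode after rotation, which is the same condition it already handles for ordinary log rotation.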