Security Events logging stops after update

Posted: Wed Jul 02, 2014 4:08 am
by imadsani
I've noticed that events stop being logged every time I update ASL; I usually need to reboot to get it to work again.

Re: Security Events logging stops after update

Posted: Wed Jul 02, 2014 5:17 am
by prupert
Is ossec-dbd running after the update (service ossec-hids status)?
Any errors in /var/ossec/logs/ossec.log?
Is your event database OK (mysqlcheck tortix)?

Re: Security Events logging stops after update

Posted: Wed Jul 02, 2014 1:32 pm
by imadsani
I tried posting the output from the log, but ASL on the forum kicked me out.

I've removed parts from the error log which I thought may get blocked again.
Output from /var/ossec/logs/ossec.log says:

ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
ossec-dbd(5203): ERROR: Error executing query ... Error: 'Unknown column 'tld' in 'NEW''.
ossec-dbd(5209): INFO: Closing connection to database.
ossec-dbd(5210): INFO: Attempting to reconnect to database.
ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
ossec-dbd(5204): ERROR: Database error. Unable to run query.

mysqlcheck tortix

Warning: Using a password on the command line interface can be insecure.
tortix.ARCHIVE_201406                              OK
tortix.agent                                       OK
tortix.alert                                       OK
tortix.aslw_archive_tmp                            OK
tortix.aslw_blocklist                              OK
tortix.aslw_domain_block                           OK
tortix.aslw_geo_range                              OK
tortix.aslw_log                                    OK
tortix.aslw_mtimes                                 OK
tortix.aslw_rules                                  OK
tortix.aslw_rules_build                            OK
tortix.aslw_saved_search                           OK
tortix.aslw_stat_dow_hod                           OK
tortix.aslw_stat_geo                               OK
tortix.aslw_stat_ip                                OK
tortix.aslw_stat_rule                              OK
tortix.aslw_user                                   OK
tortix.aslw_user_group                             OK
tortix.aslw_user_settings                          OK
tortix.category                                    OK
tortix.location                                    OK
tortix.pgui_bl_reason                              OK
tortix.pgui_hids_cat                               OK
tortix.pgui_rule_def                               OK
tortix.pgui_waf_cat                                OK
tortix.pgui_waf_cat_rule_map                       OK
tortix.pgui_waf_rules                              OK
tortix.server                                      OK
tortix.signature                                   OK
tortix.signature_category_mapping                  OK

service ossec-hids status

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 13110 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...

Re: Security Events logging stops after update

Posted: Thu Jul 03, 2014 6:31 am
by prupert
You can try to reinstall your ASL database.

/var/asl/bin/database-setup
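
Added example, not part of the thread and not ASL or OSSEC code: a small triage script for the ossec.log excerpt quoted above, which separates "database unreachable" from "database reachable but queries rejected", the case where events silently stop being stored. The function names and verdict labels are hypothetical, and reading the `Unknown column` error as a schema mismatch is an assumption drawn from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the thread (the poster's "..." elision kept).
SAMPLE_LOG = """\
ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
ossec-dbd(5203): ERROR: Error executing query ... Error: 'Unknown column 'tld' in 'NEW''.
ossec-dbd(5209): INFO: Closing connection to database.
ossec-dbd(5210): INFO: Attempting to reconnect to database.
ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
ossec-dbd(5204): ERROR: Database error. Unable to run query.
"""

# daemon(code): LEVEL: message -- daemon, code and level are each optional in the sample.
LINE_RE = re.compile(
    r"^\s*(?:(?P<daemon>ossec-\w+)(?:\((?P<code>\d+)\))?:\s+)?"
    r"(?:(?P<level>ERROR|WARN|INFO):\s+)?(?P<msg>.*)$"
)
UNKNOWN_COL_RE = re.compile(r"Unknown column '(?P<col>[^']+)' in '(?P<ctx>[^']+)'")

def parse(log_text):
    """Yield one dict per non-empty line with daemon, code, level, msg."""
    for line in log_text.splitlines():
        if line.strip():
            yield LINE_RE.match(line).groupdict()

def triage(log_text):
    """Summarise why events stopped reaching the database (hypothetical labels)."""
    events = list(parse(log_text))
    errors = Counter(e["daemon"] or "unknown" for e in events if e["level"] == "ERROR")
    dbd = [e for e in events if e["daemon"] == "ossec-dbd"]
    schema = [m.groupdict() for e in dbd if (m := UNKNOWN_COL_RE.search(e["msg"]))]
    connected = any(e["msg"].startswith("Connected to database") for e in dbd)
    query_failed = any(e["code"] in ("5203", "5204") for e in dbd)
    if schema and connected:
        verdict = "schema-mismatch"  # DB reachable, but a referenced column is unknown
    elif query_failed:
        verdict = "query-failure"
    else:
        verdict = "no-dbd-errors"
    return {"errors_by_daemon": dict(errors), "schema_errors": schema, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```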