OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Mon Jul 28, 2014 11:32 am
by ProcLee
I have a 3 web server setup behind a load-balancer. 2 are linux apache, whereas a 3rd that was just added is running nginx. On the nginx server, we are getting OSSEC notification emails on all our LOG_INFO through syslog. This does not occur on our other apache servers. Can someone please help debug and resolve this issue? Please let me know what details I can provide to further assist in determining the problem.
Thank you.
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Tue Jul 29, 2014 7:37 am
by mikeshinn
What version of ASL are you using?
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Tue Jul 29, 2014 12:15 pm
by ProcLee
Hi,
We are using version 4.0
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Tue Jul 29, 2014 5:00 pm
by mikeshinn
Thank you. Can you tell me the exact version (4.0.1, 4.0.5, etc.)?
Can you provide an example of the alerts you're seeing in syslog? It'll help us to understand more clearly what might be going on so we can help you debug your system. The short answer is that ASL doesn't do that, but I'm not totally clear on what you're seeing.
Also, are there any other differences between those systems?
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Wed Jul 30, 2014 2:18 pm
by ProcLee
Hi, the exact version number is actually version 4.0.4-15.el5.art: U
This is what the notification looks like. Some things have been masked with xxx. These syslogs appear the same in all other servers, but only from our nginx server are they caught by the OSSEC notifications.
Hope this helps, and let me know if I can provide any more details.
OSSEC HIDS Notification.
2014 Jul 30 10:00:16
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:15-07:00 proceng2 ool www: Jul 30 10:00:08 proceng2.intranet maxp: TP Response #xxx(200): ERROR:1406739615:Init failed: init_dms for MOTO not implemented:
--END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Jul 30 10:00:56
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:31-07:00 proceng2 ool www: Jul 30 10:00:23 proceng2.intranet maxp: TP Response #xxx(200): ID:xxx~Status:Failed~MerchantID:xxx~Terminal:xxx-xxx-xxx~ResultCode:xxx~ApprovalCode:-xxx
--END OF NOTIFICATION
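For readers trying to see why these two lines trip rule 1002: in stock OSSEC, rule 1002 ("Unknown problem somewhere in the system") matches the `$BAD_WORDS` variable from `syslog_rules.xml`, a case-insensitive list of words such as "error", "failed" and "denied". The script below is an added example and is not code from the thread, from OSSEC or from ASL. It parses the notification text quoted above into fields, runs the same word list over the "Portion of the log(s)" part, and reports which word fired. The notification text and the `maxp: TP Response` suppression pattern are constructed for this example; the `local_rules.xml` snippet in the comment is the usual OSSEC override shape and is an assumption about how one would silence this source, not something the thread confirms.

```python
import re

# OSSEC's BAD_WORDS variable (syslog_rules.xml); rule 1002 is <match>$BAD_WORDS</match>.
# OSSEC <match> is case-insensitive, which is why "ERROR:" and "Status:Failed" both hit.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused|"
    r"unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)

# Constructed sample: the two notifications quoted in the thread (masked values kept as xxx).
SAMPLE_NOTIFICATIONS = """\
OSSEC HIDS Notification.
2014 Jul 30 10:00:16
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:15-07:00 proceng2 ool www: Jul 30 10:00:08 proceng2.intranet maxp: TP Response #xxx(200): ERROR:1406739615:Init failed: init_dms for MOTO not implemented:
--END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Jul 30 10:00:56
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:31-07:00 proceng2 ool www: Jul 30 10:00:23 proceng2.intranet maxp: TP Response #xxx(200): ID:xxx~Status:Failed~MerchantID:xxx~Terminal:xxx-xxx-xxx~ResultCode:xxx~ApprovalCode:-xxx
--END OF NOTIFICATION
"""

RULE_RE = re.compile(r'Rule: (\d+) fired \(level (\d+)\) -> "(.*)"')

# Hypothetical program marker used to model a local override. The matching
# local_rules.xml entry (an assumption, not from the thread) would look like:
#   <rule id="100100" level="0">
#     <if_sid>1002</if_sid>
#     <match>maxp: TP Response</match>
#     <description>Payment gateway status lines, not a system problem.</description>
#   </rule>
SUPPRESS_RE = re.compile(r"maxp: TP Response")


def parse_notifications(text):
    """Split OSSEC e-mail notification text into one dict per notification."""
    notes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OSSEC HIDS Notification.":
            current = {"timestamp": None, "received_from": None, "rule_id": None,
                       "level": None, "description": None, "log": []}
            continue
        if current is None or not line:
            continue
        if line == "--END OF NOTIFICATION":
            notes.append(current)
            current = None
        elif line.startswith("Received From: "):
            current["received_from"] = line[len("Received From: "):]
        elif line.startswith("Rule: "):
            m = RULE_RE.match(line)
            if m:
                current["rule_id"] = m.group(1)
                current["level"] = int(m.group(2))
                current["description"] = m.group(3)
        elif line == "Portion of the log(s):":
            continue
        elif current["timestamp"] is None:
            current["timestamp"] = line
        else:
            current["log"].append(line)
    return notes


def bad_word_hits(log_line):
    """Return the BAD_WORDS tokens found in a log line, left to right."""
    return [m.group(0) for m in BAD_WORDS.finditer(log_line)]


def explain(text):
    """For each notification: which word fired rule 1002, and whether the
    modelled local override would have dropped it to level 0."""
    results = []
    for note in parse_notifications(text):
        log_text = " ".join(note["log"])
        results.append({
            "rule_id": note["rule_id"],
            "level": note["level"],
            "hits": bad_word_hits(log_text),
            "suppressed": bool(SUPPRESS_RE.search(log_text)),
        })
    return results


if __name__ == "__main__":
    for r in explain(SAMPLE_NOTIFICATIONS):
        print(r)
```

Running it shows the first line firing on "ERROR" and "failed" and the second on "Failed" alone: the alerts are the generic bad-word catch-all doing its job on an application log that happens to use those words, not an nginx-specific rule. The thing to compare between the apache hosts and the nginx host is therefore whether this `maxp` log source is written to `/var/log/messages` at all on the other two, since the rule itself is identical everywhere.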
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Posted: Wed Jul 30, 2014 4:38 pm
by scott
OK, in ASL web can you pull up those 1002(s) and hit the "Report False Negative" button for me? Thanks!