I have a 3 web server setup behind a load-balancer. 2 are Linux Apache, whereas a 3rd that was just added is running nginx. On the nginx server, we are getting OSSEC notification emails on all our LOG_INFO through syslog. This does not occur on our other Apache servers. Can someone please help debug and resolve this issue? Please let me know what details I can provide to further assist in determining the problem.
Thank you.
OSSEC Notifications catches SYSLOG::LOG_INFO
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
What version of ASL are you using?
Michael Shinn
Atomicorp - Security For Everyone
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Hi,
We are using version 4.0
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Thank you. Can you tell me the exact version (4.0.1, 4.0.5, etc.)?
Can you provide an example of the alerts you're seeing in syslog? It'll help us to understand more clearly what might be going on so we can help you debug your system. The short answer is that ASL doesn't do that, but I'm not totally clear on what you're seeing.
Also, are there any other differences between those systems?
Michael Shinn
Atomicorp - Security For Everyone
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Hi, the exact version number is actually 4.0.4-15.el5.art: U
This is how the notification looks. Some things have been masked with xxx. These syslogs appear the same on all other servers, but only from our nginx server are they caught by the OSSEC notifications.
Hope this helps, and let me know if I can provide any more details.
OSSEC HIDS Notification.
2014 Jul 30 10:00:16
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:15-07:00 proceng2 ool www: Jul 30 10:00:08 proceng2.intranet maxp: TP Response #xxx(200): ERROR:1406739615:Init failed: init_dms for MOTO not implemented:
--END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Jul 30 10:00:56
Received From: proceng2->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
2014-07-30T10:00:31-07:00 proceng2 ool www: Jul 30 10:00:23 proceng2.intranet maxp: TP Response #xxx(200): ID:xxx~Status:Failed~MerchantID:xxx~Terminal:xxx-xxx-xxx~ResultCode:xxx~ApprovalCode:-xxx
--END OF NOTIFICATION
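As an added illustration (not code from this thread, nor from ASL or OSSEC itself) of why these two lines trip rule 1002: that rule is just OSSEC's $BAD_WORDS keyword match from syslog_rules.xml, and each sample contains one of the keywords. The level-0 child rule emulated at the end is a hypothetical tuning pattern for a known-noisy application, not something the thread proposes.

```python
import re

# OSSEC's $BAD_WORDS list from syslog_rules.xml; rule 1002 (level 2,
# "Unknown problem somewhere in the system.") is simply <match>$BAD_WORDS</match>.
BAD_WORDS = [
    "core_dumped", "failure", "error", "attack", " bad ", "illegal ",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted",
]
# Assumption: OSSEC <match> is treated here as a case-insensitive substring test.
BAD_WORDS_RE = re.compile("|".join(re.escape(w) for w in BAD_WORDS), re.IGNORECASE)

# Constructed copies of the two log lines quoted in the thread above.
SAMPLE_LINES = [
    "2014-07-30T10:00:15-07:00 proceng2 ool www: Jul 30 10:00:08 proceng2.intranet maxp: "
    "TP Response #xxx(200): ERROR:1406739615:Init failed: init_dms for MOTO not implemented:",
    "2014-07-30T10:00:31-07:00 proceng2 ool www: Jul 30 10:00:23 proceng2.intranet maxp: "
    "TP Response #xxx(200): ID:xxx~Status:Failed~MerchantID:xxx~Terminal:xxx-xxx-xxx"
    "~ResultCode:xxx~ApprovalCode:-xxx",
]


def rule_1002_trigger(line):
    """Return the $BAD_WORDS token (lower-cased) that makes rule 1002 fire, or None."""
    m = BAD_WORDS_RE.search(line)
    return m.group(0).lower() if m else None


# Hypothetical local rule (not from the thread): a child of 1002 with <if_sid>1002</if_sid>,
# <match>maxp: TP Response</match> and level 0, so this application's chatter no longer alerts.
LOCAL_IGNORE_RE = re.compile(r"maxp: TP Response")


def alert_level(line):
    """Emulate evaluation: 1002 gives level 2 unless the local child rule downgrades it to 0."""
    if rule_1002_trigger(line) is None:
        return None          # rule 1002 would not fire at all
    if LOCAL_IGNORE_RE.search(line):
        return 0             # child rule wins: no email notification
    return 2


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(rule_1002_trigger(line), alert_level(line))
```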
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: OSSEC Notifications catches SYSLOG::LOG_INFO
Ok, in ASL web can you pull up those 1002(s) and hit the "Report False Negative" button for me. Thanks!