
OSSEC running Agents on servers connected but NO events are logging??

jgraysongstes

Entry Level
edited December 2012 in AlienVault USM Appliance > Sensor
During one of the last updates OSSEC stopped collecting from the servers it is installed on. I checked all agents and they have connection to server. Network is working fine. I also restarted the system and also the various agents on each server. Connection is established but it is only sending keep alive on agent side and logging NOTHING on the AlienVault side. Any ideas??? I just ran the verify-agent-config and it comes back with agent.conf not found. Checked directory and agent.conf is not there. Is that the cause? If so, is there a generic or backup version that I can put in without having to redo all the servers?


Answers

  • Hello,

    Fresh installation and I can confirm the same issue. Ran a vulnerability scan against a host with the OSSEC HIDS installed. Despite the OSSEC alarms log containing thousands of entries, there are no SIEM events. I restarted OSSEC on the server, and also restarted OSSIM, to no avail. Here are examples of logs that should have raised events (xxx's added by me):

    V - Alert - "1413541721" --> RID: "31151"; RL: "10"; RG: "web,accesslog,web_scan,recon,"; RC: "Multiple web server 400 error codes from same source ip."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(xxxx) 10.128.xxx.xxx->/var/log/httpd/access_log"; LOCATION: "(xxxxx) xxx.xxx.xxx.xxx->/var/log/httpd/access_log"; EVENT: "[INIT]xxx.xxx.xxx.xxx - - [17/Oct/2014:12:24:50 +0200] "GET /scripts/default.aspx HTTP/1.1" 404 297 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; 

    AV - Alert - "1413541721" --> RID: "31101"; RL: "5"; RG: "web,accesslog,"; RC: "Web server 400 error code."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(xxxxx) xxx.xxx.xxx.xxx ->/var/log/httpd/access_log"; LOCATION: "(dcp1jump) 10.128.32.242->/var/log/httpd/access_log"; EVENT: "[INIT]10.128.32.243 - - [17/Oct/2014:12:24:50 +0200] "GET //default.aspx HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; 

    AV - Alert - "1413541721" --> RID: "31104"; RL: "6"; RG: "web,accesslog,attack,"; RC: "Common web attack."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(xxxx) xxx.xxx.xxx->/var/log/httpd/access_log"; LOCATION: "(xxxx) xxx.xxx.xxx ->/var/log/httpd/access_log"; EVENT: "[INIT]10.128.32.243 - - [17/Oct/2014:12:24:50 +0200] "GET /ignition/page.php?page=../../../../../../../../../etc/passwd%00 HTTP/1.1" 404 294 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; 

    AV - Alert - "1413541721" --> RID: "31153"; RL: "10"; RG: "web,accesslog,attack,"; RC: "Multiple common web attacks from same souce ip."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(xxxxxx.xxx.xxx->/var/log/httpd/access_log"; LOCATION: "(xxxxx) xxx.xxx.xxx->/var/log/httpd/access_log"; EVENT: "[INIT]1xxx.xxx.xxx - - [17/Oct/2014:12:24:50 +0200] "GET /cgi-bin/page.php?page=../../../../../../../../../etc/passwd%00 HTTP/1.1" 404 293 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; 

  • Which version are you using? I'm on 4.12.1 and the events show up in my SIEM view when I used your example logs. 
  • Hello Whuang,

    Ah - the .iso was 4.12.0. Running the update to 4.12.1 resolved the issue.

    - thanks for checking
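The alert lines quoted in the first answer above follow a fixed `KEY: "value";` layout in which the EVENT field embeds the raw log line, so a small script can confirm what the OSSEC side has actually raised for a source before chasing the missing SIEM events. The parser and per-source summary below are an added example, not code from the thread or from AlienVault; the sample lines are constructed to match the quoted format, with the redacted hostnames replaced by made-up ones.

```python
import re
from collections import defaultdict

# Header: '<src> - Alert - "<epoch>" --> <fields>'; fields are KEY: "value"; and EVENT wraps the raw log in [INIT]...[END]
HEADER_RE = re.compile(r'^(?P<src>\w*) - Alert - "(?P<ts>\d+)" --> (?P<rest>.*)$')
KEY_RE = re.compile(r'(?P<key>[A-Z]+): "')

def parse_alert(line):
    """Parse one alert line into a dict of its fields, or return None if the line is not an alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": int(m.group("ts"))}
    rest, pos = m.group("rest"), 0
    while (km := KEY_RE.search(rest, pos)):
        key, start = km.group("key"), km.end()
        if key == "EVENT":
            # The raw log may contain quotes and "; " (e.g. a browser User-Agent), so stop at [END], not at the next '";'
            end = rest.find('[END]"', start)
            stop = len(rest) if end == -1 else end
            value = rest[start:stop]
            if value.startswith("[INIT]"):
                value = value[len("[INIT]"):]
            pos = stop + len('[END]"')
        else:
            end = rest.find('";', start)
            stop = len(rest) if end == -1 else end
            value, pos = rest[start:stop], stop + 2
        fields[key] = value
    return fields

def summarize(lines, escalate_level=10):
    """Group alerts by SRCIP: count, highest rule level, rule ids, and whether any alert reached escalate_level."""
    by_src = defaultdict(lambda: {"count": 0, "max_level": 0, "rules": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # keepalives and other non-alert lines are skipped
        s = by_src[alert.get("SRCIP", "unknown")]
        s["count"] += 1
        s["max_level"] = max(s["max_level"], int(alert.get("RL", "0")))
        s["rules"].add(alert.get("RID"))
    return {ip: dict(s, escalate=s["max_level"] >= escalate_level) for ip, s in by_src.items()}

# Constructed sample lines in the thread's format (redacted hosts replaced with made-up ones)
SAMPLE = [
    'AV - Alert - "1413541721" --> RID: "31101"; RL: "5"; RG: "web,accesslog,"; RC: "Web server 400 error code."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(web01) 10.128.32.242->/var/log/httpd/access_log"; LOCATION: "(web01) 10.128.32.242->/var/log/httpd/access_log"; EVENT: "[INIT]10.128.32.243 - - [17/Oct/2014:12:24:50 +0200] "GET //default.aspx HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; ',
    'AV - Alert - "1413541721" --> RID: "31151"; RL: "10"; RG: "web,accesslog,web_scan,recon,"; RC: "Multiple web server 400 error codes from same source ip."; USER: "None"; SRCIP: "10.128.32.243"; HOSTNAME: "(web01) 10.128.32.242->/var/log/httpd/access_log"; LOCATION: "(web01) 10.128.32.242->/var/log/httpd/access_log"; EVENT: "[INIT]10.128.32.243 - - [17/Oct/2014:12:24:50 +0200] "GET /scripts/default.aspx HTTP/1.1" 404 297 "-" "Mozilla/5.0 (X11; Linux; rv:17.0) Gecko/17.0 Firefox/17.0 OpenVAS/6.0.2"[END]"; ',
    'AV - Alert - "1413541730" --> RID: "5501"; RL: "3"; RG: "pam,syslog,authentication_success,"; RC: "Login session opened."; USER: "None"; SRCIP: "192.0.2.10"; HOSTNAME: "(web01) 10.128.32.242->/var/log/secure"; LOCATION: "(web01) 10.128.32.242->/var/log/secure"; EVENT: "[INIT]Oct 17 12:25:01 web01 sshd[1234]: pam_unix(sshd:session): session opened for user admin by (uid=0)[END]"; ',
]
```

Feed it the OSSEC alerts log on the appliance: if sources with `escalate` set show up here but not in the SIEM view, the gap is on the SIEM side rather than in agent collection, which is what the version update in this thread resolved.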