Re: [ossec-list] [SOLVED]: ossec-reportd: How to get full Log dump in the report


Christopher Moraes

Dec 15, 2010, 4:08:06 PM
to ossec...@googlegroups.com
Hi Dan,

I figured this out.  There seems to be a bug in the source code for ossec-reportd.  

Short explanation:  The structure r_filter is not initialized in reports.c

Detailed explanation:
In the file 'report.c' a call is made to os_ReportdStart() passing in the struct 'r_filter'.

r_filter has a 'show_alerts' flag which determines whether the log dump is generated in the report.

The r_filter structure is initialized in reports-config.c:Read_CReports().  

Read_CReports is called from ReadConfig() which is called by monitord (and a few other binaries).

It seems that r_filter is only initialized if there is a reporting configuration set in the ossec.conf file and that too only from monitord.

The reason we're seeing it work on some machines and not others is that the uninitialized variable may be equating to true in some cases.

To temporarily fix the issue, I have added the line 
          r_filter->show_alerts=1;

to report.c at line 194, that is just above the line

    /* the real stuff now */
    os_ReportdStart(&r_filter);

I've tested and this works now on my test env.

Regards,
Chris




On Wed, Dec 15, 2010 at 11:03 AM, dan (ddp) <ddp...@gmail.com> wrote:
The only debug idea I had was strace, but that's a lot of information
that I don't know how to read.

On Wed, Dec 15, 2010 at 10:57 AM, Christopher Moraes
> Hi Dan,
> I ran a few more tests, this time on 3 servers.
> I first tested by copying the same alert file to the machines.  Then I
> noticed that each alert points to the full path of the original log file.
>  Since that path was valid only on 1 machine, I then tested by generating
> the alert file on each machine and running the reportd command.
> Results -
> 1.  RHEL 5.4 running ossec 2.4.1 with user 'root' - Report contains full log
> dump
> 2.  Ubuntu 10.10 running ossec 2.5.1 with user 'root' - Report contains full
> log dump
> 3.  RHEL 5.5 running ossec 2.5.1 with user 'root' or with sudo - Report
> contains only the summary.
> The only other difference is #3 is a 'production' box.  I'm wondering if it
> could have some additional security that is preventing the log dump being
> generated.
> Is there any way to debug what reportd is doing?   I can't find a debug log
> level for reportd in internal_ossec.conf.
>
>
> On Wed, Dec 15, 2010 at 10:37 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> I'm having the opposite issue, centos 5 works fine and the ubuntu
>> system doesn't show the log dump. The log file was created on the
>> centos machine, and I transferred it to the ubuntu.
>> I'm not sure what else to do at the moment. Definitely odd.
>>
>

dan (ddp)

Dec 15, 2010, 4:40:13 PM
to ossec...@googlegroups.com, osse...@googlegroups.com
Interesting. I'll give that a shot tomorrow to see if it works for me.
*also cc'ing ossec-dev so the information makes it there as well

On Wed, Dec 15, 2010 at 4:08 PM, Christopher Moraes

dan (ddp)

Dec 16, 2010, 9:30:23 AM
to ossec...@googlegroups.com
On Wed, Dec 15, 2010 at 4:08 PM, Christopher Moraes
<cmora...@gmail.com> wrote:
> Hi Dan,

> I figured this out.  There seems to be a bug in the source code for
> ossec-reportd.
> Short explanation:  The structure r_filter is not initialized in reports.c
> Detailed explanation:
> In the file 'report.c' a call is made to os_ReportdStart() passing in the
> struct 'r_filter'.
> r_filter has a 'show_alerts' flag which determines whether the log dump is
> generated in the report.
> The r_filter structure is initialized in reports-config.c:Read_CReports().
> Read_CReports is called from ReadConfig() which is called by monitord (and a
> few other binaries).
> It seems that r_filter is only initialized if there is a reporting
> configuration set in the ossec.conf file and that too only from monitord.
> The reason we're seeing it work on some machines and not others is that the
> uninitialized variable may be equating to true in some cases.
> To temporarily fix the issue, I have added the line
>           r_filter->show_alerts=1;
> to report.c at line 194, that is just above the line
>     /* the real stuff now */
>     os_ReportdStart(&r_filter);
> I've tested and this works now on my test env.
> Regards,
> Chris
>

This wouldn't compile for me, but r_filter.show_alerts=1; did. And it
seems to have fixed the issue for me too.

Christopher Moraes

Dec 16, 2010, 10:19:07 AM
to ossec...@googlegroups.com
A small correction - 

On Wed, Dec 15, 2010 at 4:08 PM, Christopher Moraes <cmora...@gmail.com> wrote:
Hi Dan,

I figured this out.  There seems to be a bug in the source code for ossec-reportd.  

Short explanation:  The structure r_filter is not initialized in reports.c



r_filter is initialized in reports.c (lines 55-69).  However the element "show_alerts" is not initialized.

Christopher Moraes

Dec 16, 2010, 10:09:53 AM
to ossec...@googlegroups.com
Hi Dan,

Sorry, that was a typo in my mail. Yes, it is

     r_filter.show_alerts=1

I think a better place to put this line is with the other initializations up in the main method, at line 70 in report.c, just after the line

r_filter.report_name = NULL;
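To show the failure mode the thread describes (a struct member that is never assigned, so the report's content depends on whatever bytes were already in that stack slot) next to the hardened form (zero the whole object, then set every option), here is an added, self-contained C example. It is not OSSEC code: `struct report_filter`, `filter_init_partial`, `filter_init` and `render_report` are constructed stand-ins that only borrow the member names `report_name` and `show_alerts` mentioned above, and the "stale memory" is simulated deterministically with `memset` so the behaviour is reproducible rather than host-dependent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the report filter discussed in the thread.
 * Member names mimic the ones mentioned there (report_name, show_alerts);
 * this is NOT OSSEC's real struct definition. */
struct report_filter {
    const char *report_name;
    int show_alerts;      /* non-zero: include the full alert dump */
    int related_level;    /* extra option, only here to make the struct realistic */
};

/* Mirrors the defect described in the thread: members are assigned one by
 * one and one of them (show_alerts) is forgotten. Whatever bytes already sat
 * in that slot decide what the report contains. */
void filter_init_partial(struct report_filter *f)
{
    f->report_name = NULL;
    f->related_level = 0;
    /* f->show_alerts is deliberately NOT set here */
}

/* Hardened form: zero the whole object first, then set every option
 * explicitly, so no member's value depends on who allocated the object or
 * which binary created it. */
void filter_init(struct report_filter *f, int show_alerts)
{
    memset(f, 0, sizeof *f);
    f->report_name = NULL;
    f->show_alerts = show_alerts;
}

/* Stand-in for the report generator. Returns the number of sections emitted:
 * 1 = summary only, 2 = summary plus full alert dump.
 * Pass NULL as 'out' to compute the result without printing. */
int render_report(const struct report_filter *f, FILE *out)
{
    int sections = 1;
    if (out) fputs("== summary ==\n", out);
    if (f->show_alerts) {
        if (out) fputs("== full alert dump ==\n", out);
        sections = 2;
    }
    return sections;
}

/* Simulate stale stack memory deterministically: pre-fill the object with a
 * known byte pattern before the partial initialiser runs. In real code the
 * pattern is whatever the previous stack frame left behind, which is why the
 * thread saw the dump on some hosts and not on others. */
int sections_with_stale_memory(unsigned char stale_byte)
{
    struct report_filter f;
    memset(&f, stale_byte, sizeof f);   /* stand-in for leftover stack bytes */
    filter_init_partial(&f);
    return render_report(&f, NULL);
}

/* Same report, but built from a fully initialised filter. */
int sections_with_full_init(int show_alerts)
{
    struct report_filter f;
    filter_init(&f, show_alerts);
    return render_report(&f, NULL);
}

int main(void)
{
    /* r_filter in the thread is a struct, not a pointer, so the assignment is
     * r_filter.show_alerts = 1; (dot, not ->), as the follow-ups point out. */
    printf("partial init, stale 0xff bytes: %d sections\n", sections_with_stale_memory(0xff));
    printf("partial init, stale 0x00 bytes: %d sections\n", sections_with_stale_memory(0x00));
    printf("full init, show_alerts=1:       %d sections\n", sections_with_full_init(1));
    printf("full init, show_alerts=0:       %d sections\n", sections_with_full_init(0));
    return 0;
}
```

With 0xff stale bytes the forgotten member reads as -1 and the dump appears; with 0x00 it silently disappears, which is exactly the "works on some machines, not others" symptom. In a real build the read of an unset member is undefined behaviour and is not guaranteed to be reproducible this way; it is the kind of defect that `-Wall -Wextra` may flag at compile time and that Valgrind's memcheck or Clang's MemorySanitizer (`-fsanitize=memory`) report at runtime, so running reportd under one of those is a more reliable debug route than strace for this class of bug.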