The only debug idea I had was strace, but that's a lot of information
that I don't know how to read.
On Wed, Dec 15, 2010 at 10:57 AM, Christopher Moraes
<cmora...@gmail.com> wrote:
> Hi Dan,
> I ran a few more tests, this time on 3 servers.
> I first tested by copying the same alert file to the machines. Then I
> noticed that each alert points to the full path of the original log file.
> Since that path was valid only on 1 machine, I then tested by generating
> the alert file on each machine and running the reportd command.
> Results -
> 1. RHEL 5.4 running ossec 2.4.1 with user 'root' - Report contains full log
> dump
> 2. Ubuntu 10.10 running ossec 2.5.1 with user 'root' - Report contains full
> log dump
> 3. RHEL 5.5 running ossec 2.5.1 with user 'root' or with sudo - Report
> contains only the summary.
> The only other difference is #3 is a 'production' box. I'm wondering if it
> could have some additional security that is preventing the log dump being
> generated.
> Is there any way to debug what reportd is doing? I can't find a debug log
> level for reportd in internal_ossec.conf.
>
>
> On Wed, Dec 15, 2010 at 10:37 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> I'm having the opposite issue, centos 5 works fine and the ubuntu
>> system doesn't show the log dump. The log file was created on the
>> centos machine, and I transferred it to the ubuntu.
>> I'm not sure what else to do at the moment. Definitely odd.
>>
>
On Wed, Dec 15, 2010 at 4:08 PM, Christopher Moraes
This wouldn't compile for me, but r_filter.show_alerts=1; did. And it
seems to have fixed the issue for me too.
Hi Dan,
I figured this out. There seems to be a bug in the source code for ossec-reportd.Short explanation: The structure r_filter is not initialized in reports.c