UDP 514 receive queue unusually high


PECKENPAUGH, DEREK R

Dec 16, 2009, 9:50:01 AM12/16/09
to ossec...@ossec.net
We're seeing a lot of bytes NOT written to syslog. We see traffic on the firewall, but /var/log/messages is pretty quiet. A netstat shows a large amount of bytes in a receive queue for port 514:

[root@<xxxxxxxxxxxx>]# netstat -anu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 106488 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:55692 0.0.0.0:*
udp 0 0 0.0.0.0:821 0.0.0.0:*
udp 0 0 0.0.0.0:824 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::47893 :::*
udp 0 0 :::5353 :::*
udp 0 0 :123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*

Is there a way to determine why these bytes are not writing to /var/log/messages -- or to clear this queue to see if writes do begin to occur -- short of reinstalling OSSEC?

Thanks,
Doc




Jeremy Lee

Dec 16, 2009, 11:25:45 AM12/16/09
to ossec...@googlegroups.com
Run a TCPDump to see what's coming across.

Also try 'netstat -suc' if you want to see a live count of UDP data just to help with analysis.
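The two checks suggested in this thread (a non-zero Recv-Q on the 514 listener in `netstat -anu`, and the UDP counters from `netstat -su`) can be scripted so the condition is caught before /var/log/messages goes quiet. The following is an added example, not code from either poster; the `netstat -anu` sample is modelled on the listing in the first post and the two `netstat -su` snapshots are constructed values. It assumes the counter lines look like `N packet receive errors`, `N receive buffer errors` or `RcvbufErrors: N` (the spelling differs between net-tools versions), which is why the parser accepts both forms.

```python
"""Flag UDP sockets whose receive queue is backed up, and UDP error counters
that grow between two `netstat -su` snapshots.

Added example for this thread; not code from the original posters.
All inputs below are constructed samples.
"""
import re

# Constructed `netstat -anu` output, modelled on the listing in the first post.
NETSTAT_ANU = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp   106488      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:55692           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::5353                 :::*
"""

# Constructed `netstat -su` snapshots, taken a few seconds apart.
NETSTAT_SU_BEFORE = """\
Udp:
    812345 packets received
    17 packets to unknown port received.
    9023 packet receive errors
    5 packets sent
    RcvbufErrors: 9011
"""
NETSTAT_SU_AFTER = """\
Udp:
    813990 packets received
    17 packets to unknown port received.
    9677 packet receive errors
    5 packets sent
    RcvbufErrors: 9665
"""

SOCKET_RE = re.compile(r"^(udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_udp_sockets(text):
    """Return (proto, recv_q, send_q, local, foreign) for each udp/udp6 row."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, recvq, sendq, local, foreign = m.groups()
            rows.append((proto, int(recvq), int(sendq), local, foreign))
    return rows


def backlogged_sockets(text, threshold=65536):
    """Sockets whose Recv-Q (bytes the kernel has queued but no process has
    read) is at or above threshold. A listener sitting like this means the
    daemon that owns the port is not draining it; packets blocked by a
    firewall never reach the queue at all."""
    return [(local, recvq)
            for _proto, recvq, _sendq, local, _foreign in parse_udp_sockets(text)
            if recvq >= threshold]


COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\.?$")   # "9023 packet receive errors"
KV_RE = re.compile(r"^\s*(\w+):\s*(\d+)$")          # "RcvbufErrors: 9011"


def parse_udp_counters(text):
    """Map counter name -> value from the Udp: section of `netstat -su`."""
    counters = {}
    in_udp = False
    for line in text.splitlines():
        if re.match(r"^\S+:\s*$", line):       # section header such as "Udp:"
            in_udp = line.strip() == "Udp:"
            continue
        if not in_udp:
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
            continue
        m = KV_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def growing_errors(before, after):
    """Delta of the receive-error counters between two snapshots. A rising
    count while Recv-Q is pinned near its ceiling means the socket buffer is
    full and the kernel is dropping new datagrams, which is exactly when log
    lines silently stop appearing in /var/log/messages."""
    b, a = parse_udp_counters(before), parse_udp_counters(after)
    names = ("packet receive errors", "receive buffer errors", "RcvbufErrors")
    return {n: a.get(n, 0) - b.get(n, 0) for n in names if a.get(n, 0) > b.get(n, 0)}


if __name__ == "__main__":
    for local, q in backlogged_sockets(NETSTAT_ANU):
        print(f"{local}: {q} bytes unread in Recv-Q")
    for name, delta in growing_errors(NETSTAT_SU_BEFORE, NETSTAT_SU_AFTER).items():
        print(f"{name} grew by {delta}")
```

On a live box, feed `subprocess.check_output(["netstat", "-anu"])` and two `netstat -su` runs a few seconds apart into these functions instead of the constructed strings; a backed-up 514 listener plus climbing receive errors points at the syslog daemon (not the network path), so restarting it and watching whether the queue refills, as was done later in this thread, is the right next step.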

William Maddler

Dec 16, 2009, 12:28:37 PM12/16/09
to ossec...@googlegroups.com
Hello Doc,
First of all check your firewall rules and verify that a logging rule is
present.

UDP port 514 is, usually, used by syslogd. Is any other system on your
network configured to send data to this server?

Have you tried to sniff and see what's going on?

Bye,
William

PECKENPAUGH, DEREK R

Dec 16, 2009, 1:00:35 PM12/16/09
to ossec...@googlegroups.com
Yes, we've done a dump. And when we move a system from this OSSEC server to another, we get alerts written like we want. I'm trying not to reinstall OSSEC on this box, but that might be the answer. We can't figure out how to drain that queue.

Thanks,
Doc

dan (ddp)

Dec 16, 2009, 2:35:36 PM12/16/09
to ossec...@googlegroups.com
Are the two systems (ossec server that worked and the server that does
not) different? Which syslog software is running on each? Is there a
software firewall on the server that doesn't work? Have you tried
restarting the syslog daemon?

PECKENPAUGH, DEREK R

Dec 17, 2009, 2:06:24 PM12/17/09
to ossec...@googlegroups.com
Thanks for the reply. No, the systems are the same, and the syslog software is the default installed. I don't think we've got any software firewall issues, but I'll check further into that. After restarting the syslog daemon it only took seconds to ramp up the queue again, and at the moment it's 10 times what it was before.

__________________________________
Derek R. Peckenpaugh
Information Protection
636.2372


-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, December 16, 2009 1:36 PM
To: ossec...@googlegroups.com
Subject: Re: [ossec-list] UDP 514 receive queue unusually high

Jeremy Lee

Dec 17, 2009, 2:38:13 PM12/17/09
to ossec...@googlegroups.com
Make sure there are no hardware firewall restrictions either. Do you have ACLs set up? I had issues with this previously because OSSEC requires the session state. If there are any firewall rules (software OR hardware), it's probably best to allow all between the OSSEC server and agent(s), at least temporarily for testing, to see if that might be where the bottleneck is.