What is the log_format for Horde IMP log files?


Peter M. Abraham

Dec 10, 2009, 2:09:28 PM12/10/09
to ossec-list
Greetings:

What <log_format> do I use for Horde IMP log files?

Is it syslog or is there a specific one for Horde IMP?

Thank you.

Kirk Frankovich

Dec 10, 2009, 5:19:04 PM12/10/09
to ossec...@googlegroups.com
I filed a report on the uservoice site, but I wanted to post this to the
mailing list to see if anyone else has seen this or knows of this.

This morning I deployed OSSEC live for the first time. I installed the
server and connected two agents.

Once everything was up and communicating, I ran ./agent_control -r -u
001 and ./agent_control -r -u 002 from the server to kick off a scan on
my two agents (I disable scan at startup).

Within a minute or two, agent 001 was running a scan, but 002 was not.
After 30 minutes, 002 still had not kicked off a scan, so I reran the
agent_control command. The second command didn't appear to do anything
either (though I only waited a minute or two). So I ran it about five
times in a row. Finally agent 002 kicked off a scan.

This afternoon I added some additional agents and ran into the same
thing.

Can anyone help with this?



ddp...@gmail.com

Dec 10, 2009, 9:10:38 PM12/10/09
to ossec...@googlegroups.com
Anything in the logs on the server or misbehaving agents? Is active response enabled on the agents? Did agent 002 successfully connect to the server?
dan

Sent from my Nokia phone

Kirk Frankovich

Dec 11, 2009, 9:49:34 AM12/11/09
to ossec...@googlegroups.com
Dan,

No, nothing that I can see. Both logs (the agent that starts and the agent that doesn't) look normal from what I can tell. Active Response is enabled and all agents show as connected and active. If I tail the agent logs, I see what I normally would expect, I just have to reissue the agent_control command a few times.

Is there any debugging I can turn on to see what is actually happening when I issue the command?

Thank you,
Kirk

ddp...@gmail.com

Dec 12, 2009, 4:11:28 PM12/12/09
to ossec...@googlegroups.com
I think most of the ossec processes accept "-d" for debugging. I'd run both the server and agent processes in debug mode to see if the extra logs provide any more information.

Daniel Cid

Dec 16, 2009, 2:14:46 PM12/16/09
to ossec...@googlegroups.com
Hi Peter,

Just use "syslog". In fact, for most applications that log one event per line, "syslog" is fine to use (and iis, squid, apache and a few other log_formats are just a link to syslog).

You only need a different format when the logs can be combined in more than one line per event (like Snort-full, mysql and postgresql).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
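As an added illustration of the advice above (not from the original thread or the OSSEC project), here are two <localfile> entries for ossec.conf: the Horde IMP log collected with the generic one-event-per-line "syslog" format, next to a MySQL log that needs its own multi-line-aware format. The file paths are assumptions; use whatever paths your Horde and MySQL installations actually write to.

```xml
<ossec_config>
  <!-- Horde IMP writes one event per line, so the generic syslog
       reader is enough; the path is an assumed example location -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/horde/horde.log</location>
  </localfile>

  <!-- MySQL can spread a single event over several lines, which is
       why it gets a dedicated log_format instead of syslog;
       the path is again an assumed example location -->
  <localfile>
    <log_format>mysql_log</log_format>
    <location>/var/log/mysql/mysql.log</location>
  </localfile>
</ossec_config>
```

After editing ossec.conf, restart the agent (or manager, if the file is local to it) so ossec-logcollector picks up the new entries; a wrong path shows up as a "File not available" style message in ossec.log rather than silently dropping events.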

Daniel Cid

Dec 16, 2009, 2:02:29 PM12/16/09
to ossec...@googlegroups.com
Hi Kirk,

It can be two things: Packet loss or the scan was already running on
that agent when you issued the command.
How busy are these servers? Can you try running tcpdump (on both the
manager and agent) while you run it? Just to check if the agent is
receiving the message...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
