cdb logtest and analysisd not returning the same data. about ossec-hids HOT 4 CLOSED

ok I have used ossec-vagrant to repo reproduce your set and here is what i get in my alerts:

** Alert 1395434447.14224: mail  - local,syslog,
2014 Mar 21 20:40:47 precise32->/var/log/auth.log
Rule: 100126 (level 10) -> 'Unexpected user logged into a Secure machine'
Src IP: 10.0.2.2
User: vagrant
Mar 21 20:40:46 precise32 sshd[8698]: Accepted publickey for vagrant from 10.0.2.2 port 55963 ssh2

Now I made a mistake the first time in testing and just want to make sure you have restarted the ossec master ? This would explain why log test is working and the server is not. I have read the code paths and they are the same for both programs.

from ossec-hids.

Sorry just finished redoing this test and still get the expect test working. You made sure to restart which i missed on my first read.

Given this I would like to see a more complete view of the setup. I know you might not want to post this on the interview so you can send it directly if you would like http://github.com/jrossi has how to email me.

Could you send the following:

1. Full contacts of master servers /var/ossec/etc/* /var/ossec/rules/* /var/ossec/lists/
2. Full contacts of A agents servers /var/ossec/etc/*
3. Anything else you think I could use
4. OS Name and versions

from ossec-hids.

Closing this as I could not reproduce. See my questions above if you are still having this problem. Thank you

from ossec-hids.

Hi had the same problem yesterday. I also wanted to use a hostname match.
After debugging a little bit, I figured out, that in src/analysisd/analysisd.c the hostname (the cdb key)
lf->hostname had different values in logtest and analysisd.
So in logtest it was "myhost"
but in analysisd it was "(myhost.mydomain) myip->/var/log/auth.log"

Sebastian

from ossec-hids.