
Thread: Zimbra 6.0.2 with OSSEC

  1. #1
    Centro is offline Senior Member
    Join Date
    May 2009
    Location
    Schrobenhausen - Germany
    Posts
    54
    Rep Power
    6

    Zimbra 6.0.2 with OSSEC

    Hi,

    I was just upgrading my Zimbra 5.0.18 to the new version 6.0.2.
    I run OSSEC on my server to watch my logs and IDS.

    I got many messages from my OSSEC with the following text. I don't know what this log means, OSSEC just says "too long". Does anybody know something about it?
    All of Zimbra runs well, so I can't see any problem!

    Code:
    OSSEC HIDS Notification.
    2009 Nov 22 10:05:02
    
    Received From: xchange->/var/log/messages
    Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
    Portion of the log(s):
    
    Nov 22 10:05:01 xchange zimbramon[9386]: 9386:info: :::1D9485B6-D746-11DE-8015-622D2623AED0:::, Com_purge_before_date, Com_rename_table, Com_repair, Com_replace, Com_replace_select, Com_reset, Com_restore_table, Com_revoke, Com_revoke_all, Com_rollback, Com_savepoint, Com_select, Com_set_option, Com_show_binlog_events, Com_show_binlogs, Com_show_charsets, Com_show_collations, Com_show_column_types, Com_show_create_db, Com_show_create_table, Com_show_databases, Com_show_errors, Com_show_fields, Com_show_grants, Com_show_innodb_status, Com_show_keys, Com_show_logs, Com_show_master_status, Com_show_ndb_status, Com_show_new_master, Com_show_open_tables, Com_show_privileges, Com_show_processlist, Com_show_slave_hosts, Com_show_slave_status, Com_show_status, Com_show_storage_engines, Com_show_tables, Com_show_triggers, Com_show_variables, Com_show_warnings, Com_slave_start, Com_slave_sto:::1D949CAE-D746-11DE-8015-622D2623AED0:::
    Greetz Centro

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,566
    Rep Power
    57


    Have a look in the OSSEC configuration files, I guess it's complaining about the length of the line in the log file.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Centro is offline Senior Member

    Yes, sure, but what would this message say?

    In the old version only the status of the services was written, but this message will help nobody!

  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by Centro View Post
    Yes, sure, but what would this message say?
    Yes, but can't you change the config in OSSEC to accept longer log file lines and the type of message it displays?

    Quote Originally Posted by Centro View Post
    In the old version only the status of the services was written, but this message will help nobody!
    This would be better asked on the OSSEC mailing list, it's not a Zimbra problem.
    Regards


    Bill



  5. #5
    Centro is offline Senior Member

    Quote Originally Posted by phoenix View Post
    This would be better asked on the OSSEC mailing list, it's not a Zimbra problem.
    I don't think so. It's a message that is produced by the Zimbra server. OSSEC just generates the email message with the output of Zimbra's log.

    The old zimbra log was like
    Code:
    zmmail status ok 
    zmspam status ok
    .. and so on
    The new one is like the above message! - THIS was my question.

    Is it an error or is it similar to the old message?

    Thx for your replies

    Greetz Centro

  6. #6
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Have you checked the OSSEC rule to see why it is triggering?

  7. #7
    Centro is offline Senior Member

    I checked OSSEC, but I can't find anything to fix this. I choose to disable the message to move it to a lower level.

    The message is in a new logfile from systat in V6.
    The log is zimbra-stats.log

    Thx for your replies. I think it's no error message.

    Greetz Centro

  8. #8
    ArcaneMagus is offline Moderator
    Join Date
    Feb 2007
    Location
    Portland, OR
    Posts
    1,147
    Rep Power
    10

    Default

    Quote Originally Posted by Centro View Post
    I don't think so. It's a message that is produced by the Zimbra server. OSSEC just generates the email message with the output of Zimbra's log.
    The system's syslog implementation can handle the messages of that size (in fact most implementations can handle much larger messages), and Zimbra can handle the message (since it wrote it). In fact Zimbra splits the lines that would go over the limit for older syslog implementations into multiple lines.

    So... the only part of your setup that is having problems is OSSEC, so how exactly is it Zimbra's problem that OSSEC can't handle log lines properly?

    Quote Originally Posted by Centro View Post
    The new one is like the above message! - THIS was my question.

    Is it an error or is it similar to the old message?
    The line that triggered this rule is part of the new statistics backend in 6.0.x, it is a perfectly normal line to be written to that log in 6.0.x.

  9. #9
    uxbod is offline Moderator

    Re-opened this as I believe those messages should not be written to /var/log/messages and should go to /var/log/zimbra.log. Are they being generated from SQLite? For the time being I have suppressed them from OSSEC but would like to understand what they are.

  10. #10
    ArcaneMagus is offline Moderator

    The fact that the messages were going to /var/log/messages was a bug that was supposedly fixed in 6.0.5: Bug 43541 - rsyslog: exclude local1 and local0 from logging to /var/log/messages.
    The messages like the one in the OP are actually only supposed to be showing in /var/log/zimbra-stats.log and are all of the statistics about cpu, disk, vm usage and the like.

    The size of the messages is perfectly valid, the fact that OSSEC can't handle the messages, or thinks they are too large is a bug in OSSEC.
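
The tuning that Centro and uxbod describe (lowering or suppressing the alert for these lines) can be scoped to Zimbra's statistics lines only, so that any other oversized syslog message still fires rule 1003 at level 13. The rule below is an added example, not taken from the thread: the rule ID 100100 is an arbitrary local ID, the file path is the default install location, and it assumes OSSEC pre-decodes `zimbramon` as the program name from the syslog header shown in the alert.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (default install path assumed). -->
<group name="local,syslog,">
  <!-- Child of rule 1003 ("Non standard syslog message (size too large).").
       It is evaluated only after 1003 has matched, and it overrides the
       alert only for lines whose program name is zimbramon (assumption:
       the syslog header is pre-decoded as in the alert quoted above). -->
  <rule id="100100" level="0">
    <if_sid>1003</if_sid>
    <program_name>^zimbramon</program_name>
    <description>Oversized Zimbra statistics line (zimbramon), ignored.</description>
  </rule>
</group>
```

Level 0 drops the event entirely; a low non-zero level below the configured e-mail alert threshold keeps it in the alert log without sending mail. Restart OSSEC after editing the rules so the change is loaded.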
