11-22-2009, 02:27 AM
Zimbra 6.0.2 with OSSEC
Hi,
I was just upgrading my Zimbra 5.0.18 to the new version 6.0.2.
I run OSSEC on my server to watch my logs and IDS.
I got many messages from my OSSEC with the following text. I don't know what this log means, OSSEC just says "too long". Does anybody know something about it?
All of Zimbra runs well, so I can't see any problem!
Code:
OSSEC HIDS Notification.
2009 Nov 22 10:05:02
Received From: xchange->/var/log/messages
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):
Nov 22 10:05:01 xchange zimbramon[9386]: 9386:info: :::1D9485B6-D746-11DE-8015-622D2623AED0:::, Com_purge_before_date, Com_rename_table, Com_repair, Com_replace, Com_replace_select, Com_reset, Com_restore_table, Com_revoke, Com_revoke_all, Com_rollback, Com_savepoint, Com_select, Com_set_option, Com_show_binlog_events, Com_show_binlogs, Com_show_charsets, Com_show_collations, Com_show_column_types, Com_show_create_db, Com_show_create_table, Com_show_databases, Com_show_errors, Com_show_fields, Com_show_grants, Com_show_innodb_status, Com_show_keys, Com_show_logs, Com_show_master_status, Com_show_ndb_status, Com_show_new_master, Com_show_open_tables, Com_show_privileges, Com_show_processlist, Com_show_slave_hosts, Com_show_slave_status, Com_show_status, Com_show_storage_engines, Com_show_tables, Com_show_triggers, Com_show_variables, Com_show_warnings, Com_slave_start, Com_slave_sto:::1D949CAE-D746-11DE-8015-622D2623AED0:::
Greetz Centro
11-22-2009, 02:39 AM
Zimbra Consultant & Moderator
Have a look in the OSSEC configuration files, I guess it's complaining about the length of the line in the log file.
__________________
Regards
Bill
11-22-2009, 02:45 AM
Yes, sure, but what would this message say?
In the old version there was only the status of the services written, but this message will help nobody!
11-22-2009, 02:49 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by Centro
Yes, sure, but what would this message say?

Yes, but can't you change the config in OSSEC to accept longer log file lines and the type of message it displays?

Quote:
Originally Posted by Centro
In the old version there was only the status of the services written, but this message will help nobody!

This would be better asked on the OSSEC mailing list, it's not a Zimbra problem.
__________________
Regards
Bill
11-22-2009, 04:34 AM
Quote:
Originally Posted by phoenix
This would be better asked on the OSSEC mailing list, it's not a Zimbra problem.

I don't think so. It's a message that is produced by the Zimbra server. OSSEC is just there to generate the email message with the output of Zimbra's log.
The old Zimbra log was like
Code:
zmmail status ok
zmspam status ok
.. and so on

The new one is like the above message! - THIS was my question.
Is it an error or is it similar to the old message?
Thx for your replies
Greetz Centro
11-23-2009, 01:56 AM
Have you checked the OSSEC rule to see why it is triggering?
__________________
11-23-2009, 02:08 AM
I checked OSSEC, but I can't find anything to fix this. I choose to disable the message to move it to a lower level.
The message is in a new logfile from systat in V6.
The log is zimbra-stats.log
Thx for your replies. I think it's no error message.
Greetz Centro
11-24-2009, 04:19 PM
Quote:
Originally Posted by Centro
I don't think so. It's a message that is produced by the Zimbra server. OSSEC is just there to generate the email message with the output of Zimbra's log.

The system's syslog implementation can handle messages of that size (in fact most implementations can handle much larger messages), and Zimbra can handle the message (since it wrote it). In fact Zimbra splits the lines that would go over the limit for older syslog implementations into multiple lines.
So... the only part of your setup that is having problems is OSSEC, so how exactly is it Zimbra's problem that OSSEC can't handle log lines properly?

Quote:
Originally Posted by Centro
The new one is like the above message! - THIS was my question.
Is it an error or is it similar to the old message?

The line that triggered this rule is part of the new statistics backend in 6.0.x, it is a perfectly normal line to be written to that log in 6.0.x.
02-11-2010, 11:11 AM
Re-opened this as I believe those messages should not be written to /var/log/messages and should go to /var/log/zimbra.log. Are they being generated from SQLite? For the time being I have suppressed them from OSSEC but would like to understand what they are.
__________________
02-11-2010, 11:43 AM
The fact that the messages were going to /var/log/messages was a bug that was supposedly fixed in 6.0.5: Bug 43541 - rsyslog: exclude local1 and local0 from logging to /var/log/messages.
The messages like the one in the OP are actually only supposed to be showing in /var/log/zimbra-stats.log and are all of the statistics about cpu, disk, vm usage and the like.
The size of the messages is perfectly valid, the fact that OSSEC can't handle the messages, or thinks they are too large is a bug in OSSEC.
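
The suppression mentioned in this thread can be scoped to the Zimbra statistics lines alone, so that rule 1003 keeps alerting at level 13 for every other source. The rule below is an added example, not part of the original thread and not taken from the OSSEC or Zimbra projects; the rule id 100100 and the group name are arbitrary choices, and it assumes OSSEC pre-decodes the program name of these lines as zimbramon, as it appears in the alert in the first post.

```xml
<!-- Added example for OSSEC's local_rules.xml.
     Rule id 100100 is an arbitrary id from the local (100000+) range. -->
<group name="local,syslog,">

  <!-- Parent rule 1003 fires on any oversized syslog line.
       This child is only evaluated after 1003 has matched, and only
       applies when the line was written by the zimbramon statistics
       logger. Oversized lines from any other program are untouched. -->
  <rule id="100100" level="0">
    <if_sid>1003</if_sid>
    <program_name>^zimbramon</program_name>
    <description>Zimbra 6.0.x statistics line from zimbramon, ignored.</description>
  </rule>

  <!-- level="0" drops the event without an alert. To keep a record,
       use a non-zero level below the configured e-mail alert level. -->

</group>
```

Feeding the line from the first post to ossec-logtest shows which rule matches before OSSEC is restarted.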