From OSSEC Wiki
How to debug ossec
Only read this section if you have already tried to troubleshoot ossec but didn't have luck solving your problem.
Most users will never need to enable debugging, since it can significantly hurt performance.
You can also enable debugging mode on ossec to extract more data about what is going on. To do so, you will need to modify the file /var/ossec/etc/internal_options.conf (or C:\Program Files\ossec-agent\internal_options.conf on Windows) and change the debug level from the default "0" to "1" or "2".
For example, if you wish to debug your Windows agent, just change the option windows.debug from 0 to 2. Below is the list of all the debug options:
# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging
# Windows debug (used by the windows agent)
windows.debug=0
# Syscheck (local, server and unix agent)
syscheck.debug=0
# Remoted (server debug)
remoted.debug=0
# Analysisd (server or local)
analysisd.debug=0
# Log collector (server, local or unix agent)
logcollector.debug=0
# Unix agentd
agent.debug=0
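Added example, not from the OSSEC wiki: a small POSIX shell helper that changes one of the debug options above in a copy of internal_options.conf, rejects anything other than levels 0 to 2 or option names not in the list, keeps a backup, and lists which options are still enabled so debugging can be turned off again afterwards. The .bak suffix and the constructed demo file are assumptions; point it at the real file and restart ossec for the change to take effect.

```shell
#!/bin/sh
# Debug options OSSEC reads from internal_options.conf (the list on this page).
OSSEC_DEBUG_OPTIONS="windows.debug syscheck.debug remoted.debug analysisd.debug logcollector.debug agent.debug"

# Escape the dots in an option name so it can be used in a sed pattern.
_esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the current level of one option: get_ossec_debug FILE syscheck.debug
get_ossec_debug() {
    sed -n "s/^$(_esc "$2")=\([0-2]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Set one option to 0, 1 or 2 after backing the file up to FILE.bak.
# Unknown options or levels are rejected and nothing is written.
set_ossec_debug() {
    file="$1"; opt="$2"; level="$3"
    case " $OSSEC_DEBUG_OPTIONS " in
        *" $opt "*) ;;
        *) echo "unknown debug option: $opt" >&2; return 1 ;;
    esac
    case "$level" in
        0|1|2) ;;
        *) echo "debug level must be 0, 1 or 2, got '$level'" >&2; return 1 ;;
    esac
    grep -q "^$(_esc "$opt")=" "$file" || { echo "$opt missing from $file" >&2; return 1; }
    cp "$file" "$file.bak"
    sed "s/^$(_esc "$opt")=.*/${opt}=${level}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# List every option still above 0: use it to confirm debugging is switched off
# again afterwards, since leaving it on costs performance.
list_enabled_debug() {
    grep -E '^[a-z]+\.debug=[12][[:space:]]*$' "$1" || true
}

# Demo on a constructed copy of the option block, so no real install is touched.
demo=$(mktemp)
printf '%s\n' '# Debug options.' windows.debug=0 syscheck.debug=0 remoted.debug=0 \
    analysisd.debug=0 logcollector.debug=0 agent.debug=0 > "$demo"
set_ossec_debug "$demo" windows.debug 2
list_enabled_debug "$demo"    # prints: windows.debug=2
rm -f "$demo" "$demo.bak"
```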
Getting more log data
If you are up to editing the source and recompiling, you can use the verbose() function to add entries to the log. This has been helpful on at least one occasion in pinpointing where a problem was occurring. Something along these lines should work (at least in 1.3):
verbose("MyName: inside the_file.c the_function() %s ..", the_string);
- If you tag all your extra log entries with something (MyName in this example), they stand out better.
- If you need to get information from several source files, including the file name (the_file.c in this example) is helpful.
- You will almost surely want information from more than one function; including the name (the_function() in this example) will show which function sent the log.
- Finally, you can include a variable string with the printf format specifier %s in the log entry; the_string is the name of the string variable to send to the log.
After adding some calls to verbose(), recompile and replace the stock binary with your edited one. Restart ossec and tail the log.