I am trying to analyze MySQL error logs that are generated on my OSSEC agent and raise alerts using OSSEC server.
here is the code block added to /var/ossec/etc/ossec.conf on the agent side to read the error logs of MySQL from the agent:
<localfile>
<log_format>mysql_log</log_format>
<location>/var/log/mysql/error.log</location>
</localfile>
After doing so I have restarted the agent and server but unable test any error logs that are getting generated on the agent side like:
2020-09-15T04:09:24.164859Z 12 [Note] Access denied for user 'root'#'localhost' (using password: YES)
As per doc https://ossec-docs.readthedocs.io/en/latest/docs/programs/ossec-logtest.html under Caveats we need to add MySQL log: to the log generated for the ossec-logtest.
This will be added automatically when we send these logs to the OSSEC server for analysis from the agent.
ossec-logtest result for MySQL error log
ossec-logtest is working fine after adding MySQL log: to the beginning but they are not working in the realtime.
Can anyone please help me through this problem.
The fact that ossec-logtest trigger an alert means that mysql decoder and rules are working fine
Check on Agent
MySql is running. systemctl status mysqld.service
MySql configuration (loglevel and output file) allow to log that kind of event . See here
If the value is greater than 1, aborted connections are written to the
error log, and access-denied errors for new connection attempts are
written.
MySql is effectively logging 'Access denied': grep "Access denied" /var/log/mysql/error.log
Ossec and their processes is running ok: /var/ossec/bin/ossec-control status
Check on Manager
log_alert_level field in /var/ossec/etc/ossec.conf is lower o equal than 9 (loglevel showed in your ossec-logtest)
Related
I am having an issue adding an instance to my ReplicationSet with MySQL 8.0.28 and MySQL Shell
rs.addInstance('a.b.c.d:3306')
the response I get is
Adding instance to the replicaset...
* Performing validation checks
This instance reports its own address as a.b.c.d:3306
a.b.c.d:3306: Instance configuration is suitable.
* Checking async replication topology...
* Checking transaction state of the instance...
WARNING: A GTID set check of the MySQL instance at 'a.b.c.d:3306' determined that it contains transactions that do not originate from the replicaset, which must be discarded before it can join the replicaset.
a.b.c.d:3306 has the following errant GTIDs that do not exist in the replicaset:
2b575744-e07d-11ec-ada9-00ff6b3adad4:1-67
WARNING: Discarding these extra GTID events can either be done manually or by completely overwriting the state of a.b.c.d:3306 with a physical snapshot from an existing replicaset member. To use this method by default, set the 'recoveryMethod' option to 'clone'.
Having extra GTID events is not expected, and it is recommended to investigate this further and ensure that the data can be removed prior to choosing the clone recovery method.
Please select a recovery method [C]lone/[A]bort (default Abort): C
* Updating topology
Waiting for clone process of the new member to complete. Press ^C to abort the operation.
* Waiting for clone to finish...
NOTE: a.b.c.d:3306 is being cloned from x.y.z.x:3306
ERROR: The clone process has failed: Clone Donor Error: 1184 : Aborted connection 554 to db: 'unconnected' user: 'mysql_innodb_rs_10' host: 'xxx' (init_connect command failed). (3862)
ERROR: Error adding instance to replicaset: Clone Donor Error: 1184 : Aborted connection 554 to db: 'unconnected' user: 'mysql_innodb_rs_10' host: xxx' (init_connect command failed).
Reverting topology changes...
Changes successfully reverted.
ERROR: a.b.c.d:3306 could not be added to the replicaset
ReplicaSet.addInstance: Clone Donor Error: 1184 : Aborted connection 554 to db: 'unconnected' user: 'mysql_innodb_rs_10' host: 'xxx' (init_connect command failed). (RuntimeError)
I can't find any information on how to proceed with this, any help would be appreciated?
Assuming that your user has all of the required permissions, then the first thing to check based on (init_connect command failed) in your description would be the init_connect variable on both master and slave:
SHOW GLOBAL VARIABLES LIKE 'init_connect';
It should be the same on both servers.
(The 'unconnected' in your subject will simply be referring to the db - which is not an issue).
Mysql 8.0.28 Replication slave was created multiple times. He started giving the following error. Even though I made stop slave and start slave, the same error continues. how to make slave stand up?
Coordinator stopped because there were error(s) in the worker(s). The most recent failure being: Worker 1 failed executing transaction 'ANONYMOUS' at master log , end_log_pos 345612577. See error log and/or performance_schema.replication_applier_status_by_worker table for more details about this failure or others, if any.
Likely caused by importing data, then starting replication leading to inconsistent states. Can also be permission issues or whatnot.
To see what was attempted you should do something like this:
mysqlbinlog --read-from-remote-server -h <masterip> -u replicateuser <binfile> --verbose --base64-output=DECODE-ROWS -p|grep -A10 -B10 345612577
This will give you information on the query that caused the issue.
Up until today MYSQL was working OK for months with 2 MAMP Drupal localhost builds.
But now MYSQL no longer loads.
When opening MAMP the Apache Server starts,
whereas the MYSQL Server does not start.
This means the "Open WebStart page" option is greyed over and the Drupal path that would normally load the site just displays an error.
Using Terminal, if I run:
which mysql
the response is:
/Applications/MAMP/Library/bin/mysql
But if I try to login into MYSQL via Terminal:
mysql -u (myuser) -p
I am prompted for the password, but after entering correct password I receive:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket
'/Applications/MAMP/tmp/mysql/mysql.sock' (2)
I checked that path, and there is no mysql.sock file there. In that directory there is just one file titled .dummy that has no content in it.
Some forums relating to the same error suggest I check and stop any other running MYSQL instances, but I don't appear to have any.
For example I ran:
ps -ef | grep mysql
And I just receive this:
501 11212 10699 0 12:31pm ttys000 0:00.00 grep mysql
I don't entirely understand that response, but it looks like there is nothing running that I can 'kill'.
Also, if I try things like:
sudo service mysql start
I am prompted for my Mac user password, which I enter, but I am then given the error:
sudo: service: command not found
Any help here would be greatly appreciated.
EDIT: I ran:
mysqld
And received a lot of information! Too long to paste here,
but some things I noticed were:
2019-02-14T03:01:33.211495Z 0 [Note] --secure-file-priv is set to NULL.
Operations related to importing and exporting data are disabled
I don't know how to address the above, but it sounds like it's not helping the situation?
Further on from there, the first 'warning' from the list was:
[ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
I followed that advice and ran:
mysql_upgrade
and received this error:
mysql_upgrade: Got error: 2002: Can't connect to local MySQL server through socket '/Applications/MAMP/tmp/mysql/mysql.sock' (2) while connecting to the MySQL server
Upgrade process encountered error and will not continue.
Any ideas as to how to fix that?
Some other errors I noticed are:
[ERROR] Fatal error: Can't open and lock privilege tables: Table 'mysql.user' doesn't exist
[ERROR] Fatal error: Failed to initialize ACL/grant/time zones structures or failed to remove temporary table files.
[ERROR] Aborting
followed by a lot of lines of "shutting down plugin...(various)..." that ended in:
mysqld: Shutdown complete
Again, I am completely lost here?
After hours of trying out suggestions from various forum threads, such as:
Creating my.cnf files; or
Adjusting the MAMP php.ini file with extra code, or
Reinstalling MAMP again,or
Dumping the "ib_logfile.." files from the MAMP/db/mysql57 directory,
The only thing that finally resolved this for me was:
I suddenly remembered I copied all my working files to a backup.
so I checked the backup directories for MAMP/db/mysql57 and noticed there was a lot of content in there that for some reason was now missing from my live version,
so I deleted everything in the current MAMP/db/mysql57 directory and pasted all the backup items in.
Suddenly MAMP's MYSQL server lights up, the Startup page auto loads into my browser and I can run drush commands in my CLI and load the Drupal CMS again.
Happy Days!
I have MySQL Community Server version 5.7.17 running on Centos 6, everything comes with clean install, Centos 6 installed with "minimal" options, MySQL installed by official yum repo.
When I start MySQL server, the log "/var/log/mysqld.log" showing:
[Note] Access denied for user 'UNKNOWN_MYSQL_USER'#'localhost' (using password: NO)
It appears at the last line of the log, I tried to:
mysql> select * from mysql.user;
I can only see "root" and "mysql.sys" which comes by default, may I know what is the user 'UNKNOWN_MYSQL_USER'#'localhost'? is that something new in the version 5.7.17?
Thanks.
Nothing to worry about :)
You are receiving this message because someone/something tried to access MySQL server, but connection failed. You can reproduce this behaviour by attempting to connect to MySQL with wrong user and/or password and watch the error log file.
In your case, looks like it's the /etc/init.d/mysqld itself trying to test if MySQL server is up and running.
TIMEOUT="$STARTTIMEOUT"
while [ $TIMEOUT -gt 0 ]; do
RESPONSE=`/usr/bin/mysqladmin --socket="$socketfile" --user=UNKNOWN_MYSQL_USER ping 2>&1`
By default, in MySQL 5.7 the error log verbosity is set to 3 (errors, warnings and notes), this is why you're seeing this message in the error log file.
mysql> show variables like 'log_error_verbosity';
+---------------------+-------+
| Variable_name | Value |
+---------------------+-------+
| log_error_verbosity | 3 |
+---------------------+-------+
I think it's just Mysql script to make sure your Mysql server db secure or not. If your log doesn't show this line, it mean they can access to db with 'UNKNOWN_MYSQL_USER'#'localhost' without password.
Hi I'm unable to start my mysql and subversion using root as user.When im trying to start it by ./ctlscript.sh start mysql it is showing that mysql could not be started.The same is happening in the case of subversion also.In logs its showing that
error: Can't connect to local MySQL server through socket '/data/redmine/mysql/tmp/mysql.sock' (2) (Mysql2::Error)
error: [ pid=6349 thr=139977144923904 file=ext/common/agents/HelperAgent/RequestHandler.h:1731 time=2014-09-29 12:54:58.7821 ]: [Client 23] Cannot checkout session. An error occured while starting up the preloader.
Can any one help?
Please check whether your root user has the permission to start the mysql and other services.
If not please give the permissions using CHMOD