I have issues with OSSEC and I am receiving a massive number of emails saying that it can't start the service.
I have tried:
yum update
aum -uf
asl -s -f
Command executed: /sbin/service ossec-hids restart Exit value: 1 Signal number: 0 Dumped core?: 0
Shutting down ossec-hids: [ OK ] Starting ossec-hids: [FAILED]
=====================
In /var/ossec/logs/ossec.log I get messages every few seconds saying:
2013/11/22 14:06:09 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:07:19 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:08:31 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:09:42 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:10:53 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
What should I do?
PS: I have a Production server and a Test server and they BOTH have the same issue. It seems like an update caused this.
Thank you
Makis
ossec-dbd
Atomicorp Staff - Site Admin
Re: ossec-dbd
Sure, check to see if you have that rule defined in /etc/asl/rules, and if you do, remove it and update your security policy with: asl -s -f
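The log line "Signature ID '390702' not found. Invalid 'if_sid'" means some rule chains off rule id 390702 via <if_sid> (or <if_matched_sid>), but no loaded rule file defines that id any more, so the rule set fails to load and the service cannot start. The reply says where to look; the script below finds the offending rule for you. It is an added example for this thread, not Atomicorp's or OSSEC's own tooling: it assumes the rule directories /var/ossec/rules (OSSEC's standard location) and /etc/asl/rules (the directory the reply names), both overridable on the command line, and the two rule files it builds are constructed to reproduce the symptom.

```python
"""Scan OSSEC/ASL rule files for <if_sid> / <if_matched_sid> references to
rule ids that no loaded rule file defines.

Added example for the forum thread, not Atomicorp's or OSSEC's own tooling.
The directories in DEFAULT_RULE_DIRS are assumed defaults.
"""
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_RULE_DIRS = ("/var/ossec/rules", "/etc/asl/rules")  # assumed defaults
REF_TAGS = ("if_sid", "if_matched_sid")  # both must name an existing rule id


def parse_rule_file(path):
    """Return (defined_ids, refs) for one rule file.

    defined_ids: set of rule ids declared by <rule id="...">.
    refs: list of (referencing_rule_id, referenced_id) pairs.
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    # OSSEC rule files are XML fragments with several top-level <group>
    # elements, so drop any XML declaration and wrap them in a synthetic root.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    defined, refs = set(), []
    for rule in root.iter("rule"):
        rid = (rule.get("id") or "").strip()
        if not rid:
            continue
        defined.add(rid)
        for tag in REF_TAGS:
            for el in rule.findall(tag):
                # <if_sid> may list several ids separated by commas/whitespace.
                for ref in re.split(r"[,\s]+", (el.text or "").strip()):
                    if ref:
                        refs.append((rid, ref))
    return defined, refs


def find_dangling_if_sid(rule_dirs):
    """Map each referenced-but-undefined rule id to [(file, referencing id), ...].

    Ids are collected across all directories first, because a rule in
    /etc/asl/rules may legitimately reference one shipped in /var/ossec/rules.
    """
    defined, refs = set(), []
    for d in rule_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(d, name)
            file_ids, file_refs = parse_rule_file(path)
            defined |= file_ids
            refs.extend((path, src, ref) for src, ref in file_refs)
    dangling = {}
    for path, src, ref in refs:
        if ref not in defined:
            dangling.setdefault(ref, []).append((path, src))
    return dangling


def build_sample_rules():
    """Write two constructed rule files into a temp dir and return its path.

    The sample reproduces the thread's symptom: a local rule chains off
    390702, but only 390700 and 390701 are defined anywhere.
    """
    d = tempfile.mkdtemp(prefix="ossec-rules-")
    with open(os.path.join(d, "10-asl-web.xml"), "w", encoding="utf-8") as fh:
        fh.write(
            '<group name="asl,web">\n'
            '  <rule id="390700" level="3">\n'
            '    <decoded_as>asl-waf</decoded_as>\n'
            '    <description>Constructed WAF base rule</description>\n'
            '  </rule>\n'
            '  <rule id="390701" level="8">\n'
            '    <if_sid>390700</if_sid>\n'
            '    <description>Constructed WAF child rule</description>\n'
            '  </rule>\n'
            '</group>\n'
        )
    with open(os.path.join(d, "99-local.xml"), "w", encoding="utf-8") as fh:
        fh.write(
            '<!-- constructed local override -->\n'
            '<group name="local">\n'
            '  <rule id="100010" level="10">\n'
            '    <if_sid>390700, 390702</if_sid>\n'
            '    <description>Chains off a rule id that no longer exists</description>\n'
            '  </rule>\n'
            '</group>\n'
        )
    return d


if __name__ == "__main__":
    dirs = sys.argv[1:] or list(DEFAULT_RULE_DIRS)
    for ref, users in sorted(find_dangling_if_sid(dirs).items()):
        for path, src in users:
            print(f"{path}: rule {src} references undefined rule id {ref}")
```

Run it on the server with no arguments to scan the assumed default directories, or pass the directories explicitly. Each line it prints names the file and the rule id that chains off a missing id; for the thread's case that is the rule to delete from /etc/asl/rules before re-running asl -s -f as the reply says. Ids are resolved across all directories together, so a local rule that chains off a rule shipped by ASL is not reported as dangling.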