Ossec won't restart after update

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec won't restart after update

Post by mikeshinn:

Just make sure yum's cache is clear, and force an upgrade. So far the cases I've looked at have been driven by yum thinking it had upgraded everything:

yum clean all

aum -uf

asl -s -f

If you're still having an issue, that may be because of a local change to the rules that was made (for example, a rule was locally configured to not shun), in which case please let us know what the output of this is and open a case:

grep -i error /var/ossec/logs/ossec.log

skiper43
New Forum User
Posts: 4
Joined: Fri Mar 26, 2010 1:25 pm

Re: Ossec won't restart after update

Post by skiper43:

I just ran these commands, and it's fixed in my case. I had run them last night except for the yum clean all, with no luck, so I believe it was that yum command that made the difference.

Thanks Mike!

chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Re: Ossec won't restart after update

Post by chrismcb:

Strange!

I ran these commands earlier too - but it's now working for me on all machines.

Thanks

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec won't restart after update

Post by mikeshinn:

yum can be grumpy sometimes. I've had to CLI delete the entire cache sometimes to get it to "see" an update.

darrenram
New Forum User
Posts: 2
Joined: Mon Jan 20, 2014 10:49 am
Location: UK

Re: Ossec won't restart after update

Post by darrenram:

Was there any update to fixing this specific error?

ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
rules_list: Category '1' not found. Invalid 'category'.
ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
rules_list: Category '1' not found. Invalid 'category'.

I've tried the suggestions within this topic and other posts and the problem still exists, with ossec-hids unable to start.

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec won't restart after update

Post by mikeshinn:

That means your system is out of date; please post the output of these commands:

aum -uf

asl -s -f

service ossec-hids restart

yum check-update

darrenram
New Forum User
Posts: 2
Joined: Mon Jan 20, 2014 10:49 am
Location: UK

Re: Ossec won't restart after update

Post by darrenram:

Thanks. I did try various updates earlier today without success; however, I've tried again this evening and can replicate the fix and the break sporadically.

When it breaks, if aum -uf is run then this occurs; however, if I keep running it then from time to time it will run without error:

Updating OSSEC to 201401201215: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*asl*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/rules/*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*template': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/ar/*': No such file or directory

It's also worth noting that sometimes other updates give similar errors, i.e.

Updating CLAMAV to 201401201419: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/clamav/*': No such file or directory

If it runs in full then all is fine:

# aum -uf
Checking for updates..
Upgrading ASL Components
Updating ASL Core: successful [OK]
Updating APPINV to 201308071122: updated [OK]
Updating CLAMAV to 201401201419: updated [OK]
Updating GEOMAP to 201401201204: updated [OK]
Updating MODSEC to 201401201359: updated [OK]
Updating Anti-Spam Protection: updated [OK]
Updating Attack Protection: updated [OK]
Updating Dataloss Protection: updated [OK]
Updating Malware Protection: updated [OK]
Updating Rootkit Protection: updated [OK]
Updating Shell Protection: updated [OK]
Updating OSSEC to 201401201215: updated [OK]
Updating Self Healing modules: updated [OK]
Updating Brute Force Protection: updated [OK]
Updating Rootkit Protection: updated [OK]

Also, these are the current versions:

# rpm -qa | egrep "ossec-hids|^asl"
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-3.2.15-33.el6.art.x86_64
asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-waf-module-3.2.15-33.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-web-3.2.15-33.el6.art.x86_64

mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec won't restart after update

Post by mikeshinn:

Wow, something's really, really wrong with your system. Entire directories are missing. My advice would be to reinstall ASL.

https://www.atomicorp.com/wiki/index.ph ... stallation

kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

Re: Ossec won't restart after update

Post by kram:

Hello All,

Just updated ASL and ossec-hids fails to start

/var/ossec/logs/ossec.log

2014/02/20 12:33:52 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '40111'.
2014/02/20 12:33:52 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.

rpm -qa | egrep "ossec-hids|^asl"

asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
asl-waf-module-3.2.18-37.el6.art.x86_64
asl-web-3.2.18-37.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-3.2.18-37.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64

asl -s -f

Reloading ossec-hids:                                      [FAILED]

Any suggestions would be great.
Mark Brindley
2Large Networks - Web solutions that work

kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

Re: Ossec won't restart after update

Post by kram:

Quick update.

Re-installed ASL

Problem persisted

Edited /var/ossec/rules/exclusion_rules.xml


<group name="local,syslog,modsecurity,">
  <rule id="999999" level="0">
    <match>NULL  NULL  NULL  NULL</match>
    <description>List of rules to be ignored.</description>
  </rule>
</group>

<group name="modsecurity,">

        <rule id="71001" level="10">
                <if_sid>60118, 60121</if_sid>
                <match>id "300032"</match>
                <description>Custom event for rule id 300032</description>
                <options>no_email_alert</options>
                <options>no_log</options>
        </rule>

        <rule id="71002" level="10">
                <if_sid>60118, 60121</if_sid>
                <match>id "300068"</match>
                <description>Custom event for rule id 300068</description>
                <options>no_email_alert</options>
                <options>no_log</options>
        </rule>

</group>

/etc/init.d/ossec-hids restart
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
Mark Brindley
2Large Networks - Web solutions that work
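A pre-restart check for the two failure modes in this thread, added here as a worked example; it is not Atomicorp's, OSSEC's or any poster's code. lint_rules() flags a rule that sets frequency= with no if_matched_* child, which is what ossec-analysisd rejects with "Missing if_matched on rule '40111'"; triage_log() maps the error lines quoted above to the remedy the thread arrived at (clear the yum cache and force the update, or repair the local rule). The sample rules and log lines are constructed for the demo: the first group is the exclusion_rules.xml posted above, and the broken rule 40111 in it is hypothetical. The duplicate-id and missing-level checks are assumed extras, not something the thread reports.

```python
"""Pre-restart sanity check for an OSSEC/ASL rule tree (added example).

Two checks from this thread:
  * lint_rules() finds rules that set frequency= with no if_matched_* child,
    the condition behind "Missing if_matched on rule '40111'" in ossec.log.
  * triage_log() maps the error lines posted in the thread to the remedy the
    thread arrived at, so the output can go straight into a support case.
Sample rules and log lines below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Any one of these children satisfies analysisd's requirement for a frequency rule.
IF_MATCHED_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def lint_rules(xml_text):
    """Return [(rule_id, problem), ...] for the body of one rules file.

    OSSEC rule files are XML fragments (several top-level <group> elements and
    no single root), so the text is wrapped before parsing. The duplicate-id
    and missing-level checks are assumed extras, not taken from the thread.
    """
    problems = []
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if rid in seen:
            problems.append((rid, "duplicate rule id"))
        seen.add(rid)
        if rule.get("level") is None:
            problems.append((rid, "missing level attribute"))
        has_if_matched = any(rule.find(tag) is not None for tag in IF_MATCHED_TAGS)
        if rule.get("frequency") is not None and not has_if_matched:
            problems.append((rid, "frequency set but no if_matched_* condition"))
    return problems


# (regex over an ossec.log line, advice template; {0} is the captured value)
LOG_SIGNATURES = (
    (re.compile(r"Missing if_matched on rule '(\d+)'"),
     "rule {0} sets frequency without an if_matched_* condition; fix it in the local rules file"),
    (re.compile(r"Category '([^']*)' not found"),
     "rule set and ossec-hids package are out of step; clear the yum cache and force the update "
     "(yum clean all; aum -uf; asl -s -f)"),
    (re.compile(r"Error loading the rules: '([^']+)'"),
     "rules file {0} failed to load; lint it and read the log line just before this one"),
)


def triage_log(log_lines):
    """Return [(line_number, captured_value, advice), ...] for known errors.

    Lines matching no signature are skipped (the same filtering as the
    'grep -i error' step above, but with the thread's diagnosis attached).
    """
    findings = []
    for number, line in enumerate(log_lines, start=1):
        for pattern, advice in LOG_SIGNATURES:
            match = pattern.search(line)
            if match:
                findings.append((number, match.group(1), advice.format(match.group(1))))
                break
    return findings


# Constructed sample: the first group of the exclusion_rules.xml posted above,
# plus one hypothetical rule that reproduces the error from the log.
SAMPLE_RULES = """
<group name="local,syslog,modsecurity,">
  <rule id="999999" level="0">
    <match>NULL  NULL  NULL  NULL</match>
    <description>List of rules to be ignored.</description>
  </rule>
  <rule id="40111" level="10" frequency="5" timeframe="120">
    <match>Failed password</match>
    <description>Hypothetical broken rule: frequency without if_matched</description>
  </rule>
</group>
"""

# Constructed sample log: the error lines quoted in this thread plus one
# harmless INFO line, in the order a failed start would write them.
SAMPLE_LOG = [
    "2014/02/20 12:33:52 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '40111'.",
    "2014/02/20 12:33:52 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.",
    "ossec-testrule: INFO: Reading decoder file etc/decoder.xml.",
    "rules_list: Category '1' not found. Invalid 'category'.",
]

if __name__ == "__main__":
    for rid, problem in lint_rules(SAMPLE_RULES):
        print(f"rule {rid}: {problem}")
    for number, _, advice in triage_log(SAMPLE_LOG):
        print(f"ossec.log line {number}: {advice}")
```

Run it against the real files by reading /var/ossec/rules/exclusion_rules.xml into lint_rules() and /var/ossec/logs/ossec.log into triage_log() before issuing the service restart; a clean lint plus an empty triage list is the point at which restarting is worth trying again.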