Ossec wont restart after update
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Ossec wont restart after update
Just make sure yum's cache is clear, and force an upgrade. So far the cases I've looked at have been driven by yum thinking it had upgraded everything:
yum clean all
aum -uf
asl -s -f
If you're still having an issue, that may be because of a local change to the rules that was made (for example, a rule was locally configured to not shun), in which case please let us know what the output of this is and open a case:
grep -i error /var/ossec/logs/ossec.log
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec wont restart after update
I just ran these commands, and it's fixed in my case. I had run them last night except for the yum clean all, with no luck, so I believe it was that yum command that made the difference.
Thanks Mike!
Re: Ossec wont restart after update
Strange!
I ran these commands earlier too - but it's now working for me on all machines.
Thanks
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Ossec wont restart after update
yum can be grumpy sometimes. I've had to CLI delete the entire cache sometimes to get it to "see" an update.
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec wont restart after update
Was there any update on fixing this specific error?
ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
rules_list: Category '1' not found. Invalid 'category'.
I've tried the suggestions within this topic and other posts and the problem still exists, with ossec-hids unable to start.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Ossec wont restart after update
That means your system is out of date, please post the output of these commands:
aum -uf
asl -s -f
service ossec-hids restart
yum check-update
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec wont restart after update
Thanks. I did try various updates earlier today without success; however, I've tried again this evening and can replicate the fix and the breakage sporadically.
When it breaks, if aum -uf is run then this occurs; however, if I keep running it, from time to time it will run without error:
Updating OSSEC to 201401201215: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*asl*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/rules/*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*template': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/ar/*': No such file or directory
It's also worth noting that sometimes other updates give similar errors, e.g.
Updating CLAMAV to 201401201419: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/clamav/*': No such file or directory
If it runs in full then all is fine:
#aum -uf
Checking for updates..
Upgrading ASL Components
Updating ASL Core: successful [OK]
Updating APPINV to 201308071122: updated [OK]
Updating CLAMAV to 201401201419: updated [OK]
Updating GEOMAP to 201401201204: updated [OK]
Updating MODSEC to 201401201359: updated [OK]
Updating Anti-Spam Protection: updated [OK]
Updating Attack Protection: updated [OK]
Updating Dataloss Protection: updated [OK]
Updating Malware Protection: updated [OK]
Updating Rootkit Protection: updated [OK]
Updating Shell Protection: updated [OK]
Updating OSSEC to 201401201215: updated [OK]
Updating Self Healing modules: updated [OK]
Updating Brute Force Protection: updated [OK]
Updating Rootkit Protection: updated [OK]
Also, these are the current versions:
# rpm -qa | egrep "ossec-hids|^asl"
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-3.2.15-33.el6.art.x86_64
asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-waf-module-3.2.15-33.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-web-3.2.15-33.el6.art.x86_64
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Ossec wont restart after update
Wow, something's really, really wrong with your system. Entire directories are missing. My advice would be to reinstall ASL.
https://www.atomicorp.com/wiki/index.ph ... stallation
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec wont restart after update
Hello All,
Just updated ASL and ossec-hids fails to start.
/var/ossec/logs/ossec.log
2014/02/20 12:33:52 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '40111'.
2014/02/20 12:33:52 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.
rpm -qa | egrep "ossec-hids|^asl"
asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
asl-waf-module-3.2.18-37.el6.art.x86_64
asl-web-3.2.18-37.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-3.2.18-37.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64
asl -s -f
Reloading ossec-hids: [FAILED]
Any suggestion will be great.
Mark Brindley
2Large Networks - Web solutions that work
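The two loader messages quoted in this thread ("Invalid use of frequency/context options. Missing if_matched on rule '40111'" and the rules_list lookup failures) are both conditions a rules file can be checked for before ossec-hids is restarted. The script below is an added example, not Atomicorp's or OSSEC's own tooling: it parses an OSSEC rules fragment, flags rules that set frequency or a same_* context option without any if_matched_* element, and flags if_sid references to rule ids not defined in the files it was given. The rules text is constructed for the example (rule 40111 is deliberately written the broken way, 40112 is the corrected form); the list of context elements reflects the OSSEC rule syntax as I read it and is an assumption.

```python
import xml.etree.ElementTree as ET

# Elements that anchor a correlation (frequency/context) rule to earlier events.
IF_MATCHED_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")
# Context options that, like the frequency attribute, need an if_matched_* anchor
# (assumed list, taken from the OSSEC rule syntax).
CONTEXT_TAGS = ("same_source_ip", "same_source_port", "same_dst_port",
                "same_location", "same_user", "same_id")

# Constructed sample rules file; 40111 reproduces the thread's error, 40112 is the fix.
SAMPLE_RULES = """
<group name="local,syslog,modsecurity,">
  <rule id="999999" level="0">
    <match>NULL NULL NULL NULL</match>
    <description>List of rules to be ignored.</description>
  </rule>
</group>
<group name="modsecurity,">
  <rule id="40110" level="5">
    <match>id "300032"</match>
    <description>Base event used by the correlation rules below.</description>
  </rule>
  <rule id="40111" level="10" frequency="8" timeframe="120">
    <same_source_ip />
    <description>Broken: frequency set, no if_matched_* element</description>
  </rule>
  <rule id="40112" level="10" frequency="8" timeframe="120">
    <if_matched_sid>40110</if_matched_sid>
    <same_source_ip />
    <description>Corrected form of rule 40111</description>
  </rule>
  <rule id="40113" level="10">
    <if_sid>40110, 60118</if_sid>
    <match>id "300068"</match>
    <description>References 60118, which lives in another rules file</description>
  </rule>
</group>
"""


def parse_rules_fragment(text):
    """OSSEC rule files hold several top-level <group> elements with no single
    root, so ElementTree rejects them as-is; wrap them in a synthetic root."""
    return ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")


def rules_missing_if_matched(rules_text):
    """Return ids of rules that use frequency or a same_* context option without
    any if_matched_* element, the condition behind the analysisd error above."""
    bad = []
    for rule in parse_rules_fragment(rules_text).iter("rule"):
        uses_frequency = int(rule.get("frequency", "0")) > 0
        uses_context = any(rule.find(tag) is not None for tag in CONTEXT_TAGS)
        anchored = any(rule.find(tag) is not None for tag in IF_MATCHED_TAGS)
        if (uses_frequency or uses_context) and not anchored:
            bad.append(rule.get("id"))
    return bad


def unresolved_if_sid(rules_texts):
    """Return (rule id, referenced sid) pairs whose if_sid names a rule id not
    defined in any of the given texts. Only ids in the texts passed in are
    known, so pass the whole rules directory to avoid false positives."""
    roots = [parse_rules_fragment(t) for t in rules_texts]
    known = {r.get("id") for root in roots for r in root.iter("rule")}
    missing = []
    for root in roots:
        for rule in root.iter("rule"):
            for ref in rule.findall("if_sid"):
                for sid in (s.strip() for s in (ref.text or "").split(",")):
                    if sid and sid not in known:
                        missing.append((rule.get("id"), sid))
    return missing


if __name__ == "__main__":
    for rid in rules_missing_if_matched(SAMPLE_RULES):
        print("rule %s: frequency/context options without if_matched" % rid)
    for rid, sid in unresolved_if_sid([SAMPLE_RULES]):
        print("rule %s: if_sid %s not defined in the scanned files" % (rid, sid))
```

Running it on real files means reading /var/ossec/rules/*.xml and passing all of them to unresolved_if_sid at once, since cross-file if_sid references (such as the 60118/60121 ModSecurity rules referenced from exclusion_rules.xml) are normal. It complements rather than replaces /var/ossec/bin/ossec-logtest, which loads the full rule set exactly as ossec-analysisd would and prints the same errors as ossec.log.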
Re: Ossec wont restart after update
Quick update.
Re-installed ASL
Problem persisted
Edited /var/ossec/rules/exclusion_rules.xml
<group name="local,syslog,modsecurity,">
  <rule id="999999" level="0">
    <match>NULL NULL NULL NULL</match>
    <description>List of rules to be ignored.</description>
  </rule>
</group>
<group name="modsecurity,">
  <rule id="71001" level="10">
    <if_sid>60118, 60121</if_sid>
    <match>id "300032"</match>
    <description>Custom event for rule id 300032</description>
    <options>no_email_alert</options>
    <options>no_log</options>
  </rule>
  <rule id="71002" level="10">
    <if_sid>60118, 60121</if_sid>
    <match>id "300068"</match>
    <description>Custom event for rule id 300068</description>
    <options>no_email_alert</options>
    <options>no_log</options>
  </rule>
</group>
/etc/init.d/ossec-hids restart
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
Mark Brindley
2Large Networks - Web solutions that work