Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Wed Oct 16, 2013 3:45 am
by biggles
I just updated to ossec-hids-2.7-32.el6.art.x86_64 and then ossec refused to start. No errors in the log file, just these lines being repeated with each restart:

Code:

tail -n 7  /var/ossec/logs/ossec.log
2013/10/16 09:27:31 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/10/16 09:27:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/10/16 09:27:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/10/16 09:27:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/10/16 09:27:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/10/16 09:27:31 ossec-testrule: INFO: Started (pid: 16383).

I have now downgraded to ossec-hids-2.7-24.el6.art.x86_64 and everything is back to normal.

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Wed Oct 16, 2013 9:34 am
by scott
You'll need to use ASL 4.0 from the -testing channel in order to be able to use ossec-2.7-32.

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Wed Oct 16, 2013 9:50 am
by biggles
Ok, thanks. Maybe ossec-hids 2.7 only should be published in testing channel as well?

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Wed Oct 16, 2013 1:40 pm
by prupert
biggles wrote: Ok, thanks. Maybe ossec-hids 2.7 only should be published in testing channel as well?
The stable channel offers 2.7-24, which works fine with ASL 3.

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Thu Oct 17, 2013 3:13 am
by biggles
Strange. I have not enabled the testing channel and still got the update.

edit: checked again. Now it has been removed. I guess someone read my post...

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Thu Oct 17, 2013 4:34 pm
by mikeshinn
It wasn't in the stable channel; is it possible you saw it in another channel?

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Fri Oct 18, 2013 2:26 pm
by biggles
No chance Lance ;-)

I was in the stable channel. I installed it and then it broke. I downgraded and everything worked. Then I ran yum update again and the upgrade was offered again. The day after, the upgrade was gone. True story...

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Fri Oct 18, 2013 6:08 pm
by mikeshinn
I'm positive it wasn't in the atomic stable channel; is it possible you got it from the nucleus channel? It is published there.

Re: Updated to ossec-hids-2.7-32 broke ossec-hids

Posted: Sun Oct 20, 2013 9:05 am
by biggles
Nope, got it from the tortix channel.