# grep 'Jan 06' /var/log/yum.log
Jan 06 09:31:14 Updated: asl-php-common-5.4.23-21.el5.art.x86_64
Jan 06 09:31:37 Updated: nss-3.15.3-4.el5_10.x86_64
Jan 06 09:31:39 Updated: asl-php-pdo-5.4.23-21.el5.art.x86_64
Jan 06 09:31:39 Updated: asl-php-mysqlnd-5.4.23-21.el5.art.x86_64
Jan 06 09:31:40 Updated: nss-tools-3.15.3-4.el5_10.x86_64
Jan 06 09:31:40 Updated: asl-php-process-5.4.23-21.el5.art.x86_64
Jan 06 09:31:41 Updated: asl-php-gd-5.4.23-21.el5.art.x86_64
Jan 06 09:31:42 Updated: mod_security-2.7.7-17.el5.art.x86_64
Jan 06 09:31:42 Updated: asl-php-cli-5.4.23-21.el5.art.x86_64
Jan 06 09:31:44 Updated: asl-php-5.4.23-21.el5.art.x86_64
Jan 06 09:31:46 Updated: nss-devel-3.15.3-4.el5_10.x86_64
Jan 06 09:31:51 Updated: tzdata-java-2013i-1.el5.x86_64
Jan 06 09:32:02 Updated: tzdata-2013i-1.el5.x86_64
Jan 06 09:32:03 Updated: lynis-1.3.8-7.el5.art.noarch
Jan 06 09:32:05 Updated: nss-3.15.3-4.el5_10.i386
Jan 06 15:07:34 Updated: ossec-hids-2.7.1-36.el5.art.x86_64
Jan 06 15:07:51 Updated: ossec-hids-server-2.7.1-36.el5.art.x86_64
Jan 06 15:07:51 Installed: ossec-hids-mysql-2.7.1-36.el5.art.x86_64
Jan 06 15:07:55 Updated: 1:asl-3.2.15-32.el5.art.x86_64
Jan 06 15:07:56 Updated: 1:asl-waf-module-3.2.15-32.el5.art.x86_64
Jan 06 15:08:00 Updated: 1:asl-web-3.2.15-32.el5.art.x86_64
Jan 06 15:29:45 Updated: ossec-hids-2.7.1-37.el5.art.x86_64
Jan 06 15:29:57 Updated: ossec-hids-server-2.7.1-37.el5.art.x86_64
Jan 06 15:29:57 Updated: ossec-hids-mysql-2.7.1-37.el5.art.x86_64
Ossec is just trying to constantly restart itself and fails.
# service ossec-hids status
ossec-monitord not running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...
ossec-dbd not running...
Downgrading doesn't resolve the issue either.
# tail -n20 /var/ossec/logs/ossec.log
2014/01/06 15:55:55 ossec-analysisd: Duplicate rule ID:20101
2014/01/06 15:55:55 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2014/01/06 15:57:05 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-exim-decoder.xml.
2014/01/06 15:57:06 ossec-analysisd: Duplicate rule ID:20101
2014/01/06 15:57:06 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2014/01/06 15:58:16 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-exim-decoder.xml.
2014/01/06 15:58:17 ossec-analysisd: Duplicate rule ID:20101
2014/01/06 15:58:17 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.
Running aum -uf doesn't help, nor does asl -f -s
================================================================================
Package              Arch      Version             Repository    Size
================================================================================
Downgrading:
ossec-hids           x86_64    2.7.1-36.el5.art    asl-3.0       37 k
ossec-hids-mysql     x86_64    2.7.1-36.el5.art    asl-3.0       78 k
ossec-hids-server    x86_64    2.7.1-36.el5.art    asl-3.0       1.8 M
If I remove or empty the file exclusion_rules.xml it fails to start due to a file format error. Once I do asl -f -s it reconstructs the original file and gets the same original error.
Any suggestions on how to fix?
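
Added example, not part of the original post and not ASL or OSSEC project code: a shell function that lists every rule ID defined in more than one place, to show which files collide on an ID such as the 20101 reported in the log above. It assumes the rule files are `*.xml` in a single directory (on a default OSSEC install that is /var/ossec/rules) with each `<rule ...>` opening tag on one line; the sample files other than the name exclusion_rules.xml are constructed.

```shell
#!/bin/sh
# Added diagnostic example: report OSSEC rule IDs defined more than once.
# Assumption: rule files are *.xml in one directory, one <rule ...> tag per line.

find_duplicate_rule_ids() {
    rules_dir=$1
    for f in "$rules_dir"/*.xml; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Pull out each <rule ...> opening tag. Tags carrying overwrite="yes"
        # redefine an existing ID on purpose, so they are not counted.
        grep -oE '<rule[[:space:]][^>]*>' "$f" \
            | grep -v 'overwrite="yes"' \
            | sed -nE 's/.*[[:space:]]id="([0-9]+)".*/\1/p' \
            | while read -r id; do printf '%s\t%s\n' "$id" "$name"; done
    done | LC_ALL=C sort -n | awk -F'\t' '
        { count[$1]++
          files[$1] = files[$1] (files[$1] == "" ? "" : ",") $2 }
        END { for (id in count) if (count[id] > 1) print id ": " files[id] }
    ' | LC_ALL=C sort -n
}

# Constructed sample data: three minimal rule files in a temporary directory.
demo_constructed_rules() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<group name="sample">' \
        '<rule id="20101" level="6">' '</rule>' \
        '<rule id="20102" level="8">' '</rule>' \
        '</group>' > "$d/other_rules.xml"
    printf '%s\n' '<group name="exclusions">' \
        '<rule id="20101" level="0">' '</rule>' \
        '<rule id="100001" level="0">' '</rule>' \
        '</group>' > "$d/exclusion_rules.xml"
    printf '%s\n' '<group name="local">' \
        '<rule id="20102" level="0" overwrite="yes">' '</rule>' \
        '</group>' > "$d/local_rules.xml"
    find_duplicate_rule_ids "$d"
    rm -rf "$d"
}

# Real use (path is an assumption): find_duplicate_rule_ids /var/ossec/rules
```

Each output line has the form `ID: file1,file2`; a file name that appears twice on one line means the ID is defined twice inside that same file.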