Hi -
Every time we update ASL settings and save the configuration from the UI on port 30000, the ossec-hids service starts throwing errors in its log file.
2015/05/17 05:38:24 ossec-config(1235): ERROR: Invalid value for element 'log_alert_level': @@LOG_ALERT_LEVEL@@.
2015/05/17 05:39:34 ossec-config(1235): ERROR: Invalid value for element 'log_alert_level': @@LOG_ALERT_LEVEL@@.
Seems like the <log_alert_level> parameter is not getting substituted properly, and when I change it to "1" manually and restart the service, everything is fine.
Any ideas on why this variable is not getting substituted? Also noticed that this variable is not among the ones that can be configured in the ASL web UI (but HIDS_EMAIL_ALERT_LEVEL is present there).
Thanks!
LOG_ALERT_LEVEL issue in ossec-server.conf
Re: LOG_ALERT_LEVEL issue in ossec-server.conf
I see both HIDS_LOG_ALERT_LEVEL and HIDS_EMAIL_ALERT_LEVEL defined similarly.
[root@hosting1 ~]# find /var/asl -exec grep -H _ALERT_LEVEL {} \;
Binary file /var/asl/bin/asl matches
Binary file /var/asl/bin/aum matches
/var/asl/rules/ossec/templates/config.template:HIDS_EMAIL_ALERT_LEVEL="@@7@@"
/var/asl/rules/ossec/templates/config.template:HIDS_LOG_ALERT_LEVEL="@@1@@"
/var/asl/rules/ossec/templates/template-ossec-server.conf: <log_alert_level>@@LOG_ALERT_LEVEL@@</log_alert_level>
/var/asl/rules/ossec/templates/template-ossec-server.conf: <email_alert_level>@@EMAIL_ALERT_LEVEL@@</email_alert_level>
Binary file /var/asl/lib/modules/hids_check matches
/var/asl/data/templates/config.template:HIDS_EMAIL_ALERT_LEVEL="@@7@@"
/var/asl/data/templates/config.template:HIDS_LOG_ALERT_LEVEL="@@1@@"
/var/asl/data/templates/template-ossec-server.conf: <log_alert_level>@@LOG_ALERT_LEVEL@@</log_alert_level>
/var/asl/data/templates/template-ossec-server.conf: <email_alert_level>@@EMAIL_ALERT_LEVEL@@</email_alert_level>
The only difference so far is that I can see only the EMAIL one in the ASL Web UI. Would that be what is causing this problem?
Re: LOG_ALERT_LEVEL issue in ossec-server.conf
Noticed that we were on ASL3x, and an upgrade to ASL4x fixed everything.
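An added example, not part of the thread and not ASL's own code: a pre-restart check that scans a rendered OSSEC config for `@@NAME@@` tokens the template step left behind, so a broken file is caught before the HIDS service is restarted on it. The function names and the sample file are constructed for illustration; pass the path of the rendered config on your system.

```shell
#!/bin/sh
# Added example: detect template placeholders left in a rendered config.

# unsubstituted_tokens FILE
# Prints "LINE ELEMENT TOKEN" for every @@NAME@@ token still present in FILE.
# Returns 1 if any token was found, 0 if the file is fully rendered.
unsubstituted_tokens() {
    awk '
    {
        rest = $0
        while (match(rest, /@@[A-Za-z0-9_]+@@/)) {
            start = RSTART; len = RLENGTH
            token = substr(rest, start, len)
            # XML element that opens just before the token, "-" if none on this line.
            elem = substr(rest, 1, start - 1)
            if (!(sub(/.*</, "", elem) && sub(/>.*/, "", elem))) elem = "-"
            print NR, elem, token
            rest = substr(rest, start + len)
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# check_rendered_config FILE
# Gate for a restart script: succeeds only when FILE has no leftover tokens.
check_rendered_config() {
    if hits=$(unsubstituted_tokens "$1"); then
        echo "OK: $1 is fully rendered"
    else
        echo "Unsubstituted tokens in $1 (line element token):" >&2
        echo "$hits" >&2
        return 1
    fi
}

# Constructed sample of a rendered config fragment (not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<ossec_config>
  <alerts>
    <log_alert_level>@@LOG_ALERT_LEVEL@@</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
EOF
check_rendered_config "$sample" || echo "demo: restart skipped, previous config kept"
rm -f "$sample"
```

Run as a gate in whatever script applies the configuration, the check keeps the last working config in place when substitution fails.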