Event 1002 - dominate event
Newbie here... Trying to understand the various events in the event log and notice that the dominating event is 1002. Did a report and have found the following types of causes:
WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
...etc...
AND..
ERROR: Invalid integrity message in the database.
There are 326 pages of these for a single day...
There is a folder at /etc/asl/whitelist that contains my whitelist settings but there are no other files or folders as indicated in the error message. As far as the integrity message.. the dominating event in the log is "550 : Integrity checksum changed" which may or may not be related. Almost all of those that I examined related to changing of various ASL property file settings. For example "Integrity checksum changed for: `/etc/asl/system.properties`" is one of the most common.
Any pointers on how to clean these up?? Seems I can't see the forest for the trees and am concerned that I'll be missing more important issues with respect to being attacked.
Thanks.. John..
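To see past the noise in a log like the one described in this post, here is an added Python example (not ASL's or OSSEC's own tooling) that groups alert lines by event id and normalised message, collapsing the random `whitelist.NNNNNNNNN` suffix so the transient-directory warnings count as a single cause, and then separates that known-benign pattern from everything else. The sample lines are constructed to mirror the messages quoted above.

```python
import re
from collections import Counter

# Constructed sample alert lines modelled on the messages quoted in the post
# (event id, then message); not taken from any real server.
SAMPLE_LOG = """\
1002 WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
1002 WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
1002 WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
1002 ERROR: Invalid integrity message in the database.
550 Integrity checksum changed for: `/etc/asl/system.properties`
550 Integrity checksum changed for: `/etc/asl/system.properties`
550 Integrity checksum changed for: `/etc/asl/modsecurity.properties`
5402 Successful sudo to ROOT executed.
"""

# Pattern the vendor confirms later in the thread is benign: short-lived whitelist temp dirs.
KNOWN_NOISE = [re.compile(r"Error opening directory: `/etc/asl/whitelist\.<N>`")]

def normalise(msg):
    """Collapse the per-event random suffix so one cause groups into one row."""
    return re.sub(r"whitelist\.\d+", "whitelist.<N>", msg).strip()

def summarise(log_text):
    """Return [(event_id, normalised_message, count)] sorted by count, descending."""
    counts = Counter()
    for line in log_text.splitlines():
        m = re.match(r"(\d+)\s+(.*)", line)
        if not m:                      # skip blank or malformed lines
            continue
        counts[(m.group(1), normalise(m.group(2)))] += 1
    rows = [(eid, msg, n) for (eid, msg), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def triage(log_text):
    """Split the summary into known noise and rows that still deserve a look."""
    noise, review = [], []
    for row in summarise(log_text):
        target = noise if any(p.search(row[1]) for p in KNOWN_NOISE) else review
        target.append(row)
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    for eid, msg, n in review:
        print("%5d  %s  %s" % (n, eid, msg))
    print("suppressed %d known-noise rows" % len(noise))
```

Feeding a day's export through `triage` turns the 326 pages into a handful of rows, with the whitelist warnings counted once and the lower-volume events (sudo, checksum changes on specific files) left visible for review.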
- scott
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: Event 1002 - dominate event
Are you in a position to try our testing builds?
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Re: Event 1002 - dominate event
scott wrote: Are you in a position to try our testing builds?
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Well, this is a production server, so I'm assuming that would not be advisable.
Any other suggestions??
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
This build will go into stable next week.
We have determined though that isn't a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.
Michael Shinn
Atomicorp - Security For Everyone
Re: Event 1002 - dominate event
mikeshinn wrote: This build will go into stable next week.
We have determined though that isn't a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.
Is there an update process that I can review...? Thanks!!
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
Yes, that build is the testing channel, you can install it with this command:
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
It's a minor change, so should be fine to use on a production system. It will be moved to the stable channel next Monday.
Michael Shinn
Atomicorp - Security For Everyone
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
You can install the update now with this command:
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Michael Shinn
Atomicorp - Security For Everyone
Re: Event 1002 - dominate event
mikeshinn wrote: You can install the update now with this command:
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Has this location changed since you posted it... I'm getting an..
https://<mike removed your username and password>@www6.atomicorp.com/channels/asl-4.0/centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
...error (there were many repeats of this as it appeared to try different mirrors..). I cut and pasted the command so I know there was no typo at my end...
Thanks..
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:
https://wiki.atomicorp.com/wiki/index.p ... n_Required
Michael Shinn
Atomicorp - Security For Everyone
Re: Event 1002 - dominate event
mikeshinn wrote: A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:
https://wiki.atomicorp.com/wiki/index.p ... n_Required
I checked and my license is current and my password/username is correct while logging into ASL..
Still getting that same error..
I'm guessing that I need to somehow add my username and password to the yum request..??? How else would it know who I am???
Sorry...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.
https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME
https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD
Michael Shinn
Atomicorp - Security For Everyone
Re: Event 1002 - dominate event
mikeshinn wrote: You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.
https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME
https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD
Checked that and it seems to be set correctly.. So.. I changed the password in the license manager and then updated that in the Authentication Information page..
Also I notice that this part of the error "creatarich:<mike redacted your password>" did not change after I reset the password.. In fact the <mike redacted your password> does not match the original password (close but not quite) ???
Still getting that error.. Sorry for my thick-headedness.. I'm obviously missing something, obvious...
Re: Event 1002 - dominate event
Good afternoon,
Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:
aum -u
yum upgrade
yum --enablerepo=asl-4.0-testing upgrade ossec-hids
All commands ran successfully, however we did select "N" (for no) when prompted/asked if we wanted to apply the updates.
Very best,
-Ben
all work fine, so whatever issue he was having, guessing it was a transient/resolved on its own
Re: Event 1002 - dominate event
BSimmons wrote: Good afternoon,
Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:
Ben,
Just tested it and it updated just fine.. Don't know what changed.. but here is my guess. The old password had an & (ampersand) in it and that is a no-no in a query string, so that may have caused the password to not match.. I had changed the password earlier but the old password kept showing up, so my guess from that is something was not updating very quickly from the GUI to the command line (caching..??)
Anyway.. working now..
Thanks so much for the fantastic support..
John..
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Event 1002 - dominate event
Yeah, the password is used in the yum configuration, and it doesn't handle metacharacters very well, even when encoded. It's a limitation of the software management system in Linux unfortunately.
Michael Shinn
Atomicorp - Security For Everyone
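As an added illustration of the metacharacter problem John and Mike describe above (example code, not Atomicorp's), this Python helper flags characters in a license password that are not URL-unreserved and shows what percent-encoding them in a credentialed baseurl looks like. Since yum is reported above to mishandle such characters even when encoded, the practical use is the check that says to rotate the password before it ever reaches the repo configuration. The host and path are the ones quoted in the 401 error; the username and passwords are constructed.

```python
from urllib.parse import quote, unquote, urlsplit

# RFC 3986 "unreserved" characters: they survive a URL (and a yum baseurl) untouched.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def unsafe_chars(secret):
    """Characters in a credential that are URL/query metacharacters ('&', '=', '@', ...)."""
    return sorted({c for c in secret if c not in UNRESERVED})

def build_baseurl(user, password, host, path):
    """Embed credentials in a baseurl with every metacharacter percent-encoded."""
    return "https://%s:%s@%s%s" % (quote(user, safe=""), quote(password, safe=""), host, path)

def credentials_round_trip(user, password, host, path):
    """True if a standards-conforming URL parser recovers the original credentials."""
    parts = urlsplit(build_baseurl(user, password, host, path))
    return (unquote(parts.username), unquote(parts.password)) == (user, password)

def check_license_password(password):
    """Return (ok, reason); ok is False when the password would need encoding at all."""
    bad = unsafe_chars(password)
    if bad:
        return False, "rotate: contains %s" % ", ".join(repr(c) for c in bad)
    return True, "URL-safe"

if __name__ == "__main__":
    HOST = "www6.atomicorp.com"                  # host quoted in the 401 error above
    PATH = "/channels/asl-4.0/centos/7/x86_64/"  # path quoted in the 401 error above
    for pw in ("p&ss=w0rd", "N0tSoPlain-Pass"):   # constructed sample passwords
        print(pw, check_license_password(pw))
        print("  ", build_baseurl("example-user", pw, HOST, PATH))
```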