ASL Web Errors

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:
(502) ASLW::_test_ossec - An OSSEC component is not running:....
what errors do you see in

/var/ossec/logs/ossec.log

Entire log filled with..

2018/06/21 22:43:09 ossec-analysisd: ERROR: Invalid integrity message in the database. (37,536 lines)
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL Web Errors

Unread post by scott »

Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

scott wrote:Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart
Got it... Thanks... I'll monitor it and see if that fixes the problem..
spaceout
Forum Regular
Forum Regular
Posts: 112
Joined: Wed Mar 19, 2008 10:22 pm

Re: ASL Web Errors

Unread post by spaceout »

I'm experiencing a similar problem with ossec-analysisd, but I have a different error showing in the OSSEC log:

2018/06/30 12:51:48 ossec-analysisd: ERROR: (1226): Error reading XML file '/etc/decoder.xml': XMLERR: File '/etc/decoder.xml' not found. (line 317).
2018/06/30 12:51:48 ossec-analysisd: CRITICAL: (1202): Configuration error at '/etc/decoder.xml'. Exiting.

Is this a file I need to install somehow?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL Web Errors

Unread post by scott »

No, we havent used that file in more than 5 years. What version of ossec are you running?
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

scott wrote:Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart

Still getting these errors.. as of today..

(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-analysisd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-execd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL Web Errors

Unread post by scott »

See if its running with:

ps ax |grep ossec
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

scott wrote:See if its running with:

ps ax |grep ossec
here is the output..

4630 ? Ssl 0:00 /var/ossec/bin/ossec-modulesd -f
4633 ? Ss 0:01 /var/ossec/bin/ossec-maild -f
4640 ? Ssl 0:29 /var/ossec/bin/ossec-db -f
4643 ? Ssl 0:03 /var/ossec/bin/ossec-execd -f
4710 ? Ss 18:14 /var/ossec/bin/ossec-analysisd -f
4714 ? Ss 0:05 /var/ossec/bin/ossec-logcollector -f
4732 ? Ss 2:12 /var/ossec/bin/ossec-syscheckd -f
4736 ? Ss 0:04 /var/ossec/bin/ossec-monitord -f
4744 ? Ss 0:02 /var/ossec/bin/ossec-dbd -f
13341 ? S 0:00 sh -c rpm -qa | grep ossec-hids
13343 ? S 0:00 grep ossec-hids
13345 pts/0 S+ 0:00 grep --color=auto ossec
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL Web Errors

Unread post by scott »

Interface just hasnt updated yet, give it a bit and that will go away.
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

scott wrote:Interface just hasnt updated yet, give it a bit and that will go away.
Actually that does not make complete sense, unless it is restarting automatically??

I restarted ossec manually several weeks ago when I I first posted this issue. I then refreshed the interface. Messages gone. Now it is showing up again immediately after refreshing the interface (P.S. I do Php and Java web interfaces professionally so I do understand the refresh issues fairly well)

So.. the only explanations I can come up with is that somehow ossec crashes, the interface picks that up and then ossec restarts itself but the server side code is not seeing/checking that right away so that if I do a refresh of the interface I don't see it for a "while". The problem IMO is that how do I know if there is a problem if I can NOT trust the latest refresh of the interface..??? Though I leave the interface open all the time, I do a refresh immediately before reviewing the server status to insure that I'm seeing the actual status "right now".

Sorry to be a pain on this.. I installed ASL so that I can spend less time monitoring the server.. not more. I'm sure you can understand my frustrations here.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL Web Errors

Unread post by mikeshinn »

Lets see if OSSEC is restarting for expected reasons (rule updates), or if its having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:Lets see if OSSEC is restarting for expected reasons (rule updates), or if its having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"
The only error showing up is relating to mail. I checked the settings and I don't see a way to set any email server configurations so..is there a way around this error..??

output:

2018/07/06 10:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 10:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 11:01:10 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 11:01:10 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 12:01:19 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 12:01:19 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 13:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 13:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 14:01:16 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 14:01:16 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL Web Errors

Unread post by mikeshinn »

OK, so that would mean OSSEC isnt failing and restarting. But just in case the log file was rotated and it did fail for some reason, lets expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEc is telling you your email server wont accept email to that address. Youll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:OK, so that would mean OSSEC isnt failing and restarting. But just in case the log file was rotated and it did fail for some reason, lets expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEc is telling you your email server wont accept email to that address. Youll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER
Same output...

As far as the mail server, the mail servers I use require authentication (who doesn't ??) and I don't see that setting.
Post Reply