ASL Web Errors

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
jbmoore
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

ASL Web Errors

Unread post by jbmoore »

I'm suddenly seeing the following errors at the bottom of the ASL Web interface..

(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-analysisd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-execd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(9999) ASLValidate::validate_asl - Bad/incomplete data from request

Is this just "informative" or should I be doing something to address this..??? I read somewhere in the docs that ASL monitors and restarts services when there is a problem. ??

Thanks..
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL Web Errors

Unread post by mikeshinn »

That means all of OSSEC is shut down. Generally, this can happen if ASL has been configured to disable OSSEC or if something has removed or replaced OSSEC. To address this, follow this process:

https://wiki.atomicorp.com/wiki/index.p ... ds_restart

Or contact support AT atomicorp DOT com and we can assist you.

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:
> That means all of OSSEC is shut down. Generally, this can happen if ASL has been configured to disable OSSEC or if something has removed or replaced OSSEC. To address this, follow this process:
>
> https://wiki.atomicorp.com/wiki/index.p ... ds_restart
>
> Or contact support AT atomicorp DOT com and we can assist you.

Great..thanks..That did it!!

I did do a wiki search for that under "ossec restart" and did not come up with that link..

So.. since I did not disable it, and did not remove or replace it... What happened???

Re: ASL Web Errors

Unread post by mikeshinn »

Which of those troubleshooting steps addressed this for you?

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:
> Which of those troubleshooting steps addressed this for you?

Just the restart..

Which made me ask as to why that was required (why it died/shutdown).. since I did not disable it, and did not remove or replace it..

Thanks..

Re: ASL Web Errors

Unread post by mikeshinn »

Two things could cause those processes to stop:

1) system ran out of drive space

2) another error caused a shutdown

In the case of 2 (an error caused a shutdown), that would be logged in /var/ossec/logs/ossec.log. If the system didn't run out of drive space or inodes, what errors do you see in /var/ossec/logs/ossec.log?
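The two checks listed in the post above (drive space or inodes, then errors in /var/ossec/logs/ossec.log), written out as an added shell example; it is not part of the original thread or of Atomicorp's tooling. The function names, the 90% threshold and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the two causes named above.
# The 90% default threshold and all sample data below are constructed.

# Read `df -P` or `df -Pi` output on stdin; print mounts at/above the limit.
full_mounts() {
    awk -v limit="${1:-90}" 'NR > 1 {
        pct = $5; sub(/%$/, "", pct)
        if (pct ~ /^[0-9]+$/ && pct + 0 >= limit) print $6 " " pct "%"
    }'
}

# Read ossec.log lines ("date time daemon: LEVEL: text") on stdin and print
# count, last-seen time, daemon and message for each distinct error.
# Matching CRITICAL as well as ERROR is an assumption; the thread shows ERROR.
summarize_ossec_errors() {
    awk '$4 == "ERROR:" || $4 == "CRITICAL:" {
        daemon = $3; sub(/(\([0-9]+\))?:$/, "", daemon)   # drop "(id):" suffix
        msg = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", msg)     # keep "LEVEL: text"
        key = daemon "\t" msg
        count[key]++; last[key] = $1 " " $2
    }
    END { for (k in count) printf "%d\t%s\t%s\n", count[k], last[k], k }' |
        sort -t "$(printf '\t')" -k1,1nr -k3
}

sample_df() {   # constructed `df -P` output with /var nearly full
    cat <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md1 4194304 1153434 3040870 28% /
/dev/mapper/vg00-var 211812352 209694228 2118124 99% /var
tmpfs 8284160 0 8284160 - /run/x
EOF
}

sample_log() {  # constructed; the analysisd message is the one quoted in the thread
    cat <<'EOF'
2018/06/01 14:47:40 ossec-syscheckd: INFO: constructed informational line
2018/06/01 14:47:41 ossec-analysisd: ERROR: Invalid integrity message in the database.
2018/06/01 14:47:42 ossec-analysisd: ERROR: Invalid integrity message in the database.
2018/06/01 14:47:43 ossec-analysisd: ERROR: Invalid integrity message in the database.
2018/06/01 14:48:02 ossec-dbd(0000): ERROR: constructed example message
EOF
}

# On a live system: df -P | full_mounts; df -Pi | full_mounts;
#                   summarize_ossec_errors < /var/ossec/logs/ossec.log
sample_df | full_mounts 90
sample_log | summarize_ossec_errors
```

Collapsing repeated lines into one row per daemon and message keeps a flood of one error from hiding a different error that only appears once, such as the one logged when a daemon exits.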

Re: ASL Web Errors

Unread post by jbmoore »

mikeshinn wrote:
> Two things could cause those processes to stop:
>
> 1) system ran out of drive space
>
> 2) another error caused a shutdown
>
> In the case of 2 (an error caused a shutdown), that would be logged in /var/ossec/logs/ossec.log. If the system didn't run out of drive space or inodes, what errors do you see in /var/ossec/logs/ossec.log?

Drive space...

Filesystem             Size  Used Avail Use% Mounted on
/dev/md1               4.0G  1.1G  2.9G  28% /
devtmpfs               7.8G     0  7.8G   0% /dev
tmpfs                  7.9G   84K  7.9G   1% /dev/shm
tmpfs                  7.9G  755M  7.1G  10% /run
tmpfs                  7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/mapper/vg00-usr  1013G   65G  908G   7% /usr
none                   7.9G  6.7M  7.9G   1% /tmp
/dev/mapper/vg00-home  4.8G   37M  4.5G   1% /home
/dev/mapper/vg00-var   202G   22G  173G  11% /var
tmpfs                  1.6G   48K  1.6G   1% /run/user/0

Inodes

Filesystem              Inodes  IUsed    IFree IUse% Mounted on
/dev/md1                262144  18432   243712    8% /
devtmpfs               2037335    432  2036903    1% /dev
tmpfs                  2051911      6  2051905    1% /dev/shm
tmpfs                  2051911    912  2050999    1% /run
tmpfs                  2051911     16  2051895    1% /sys/fs/cgroup
/dev/mapper/vg00-usr  67436544 325904 67110640    1% /usr
none                   2051911     26  2051885    1% /tmp
/dev/mapper/vg00-home   327680    352   327328    1% /home
/dev/mapper/vg00-var  13434880 228289 13206591    2% /var
tmpfs                  2051911     12  2051899    1% /run/user/0

ossec.log..

Pages and pages of these..

2018/06/01 14:47:41 ossec-analysisd: ERROR: Invalid integrity message in the database.

(did not find this message in the wiki nor knowledgebase..??)

I guess this would be a starting point... How to fix??

Re: ASL Web Errors

Unread post by jbmoore »

Just being a squeaky wheel here... the ossec.log is still largely full of the "Invalid integrity..." message..

Ideas..??

Re: ASL Web Errors

Unread post by jbmoore »

Hi, Well it appears that ossec has shut down again.. same messages when I opened up ASL web interface today..

Oh and I did a restart of ossec and then refreshed the interface.. Messages were at first gone, but a few minutes later they appeared again.

Any ideas on how to fix this ???

Thanks..

Re: ASL Web Errors

Unread post by jbmoore »

Some additional notes as I followed the docs on this...

https://wiki.atomicorp.com/wiki/index.p ... ds_restart

1) ASL not up to date... UPDATE_TYPE = "all"
2) MySQL problems.. I did a table analysis, which returned that all tables are "OK". Since all the tables in tortix are InnoDB tables, most of the instructions in the docs do not apply, or so is my understanding. There is the problem with the message in the ossec log "ossec-analysisd: ERROR: Invalid integrity message in the database." which I still don't understand.
3) OSSEC_ENABLED = "yes"
4) Since restarting ossec does not return any errors... I don't think this applies..??
5,6,7,8,9) The MySQL database seems to be working fine for all other applications.. so I don't know if any of these might be relevant..??

Any other ideas or am I misunderstanding something critical??

Re: ASL Web Errors

Unread post by jbmoore »

Just noticed some new error messages...

(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request

Re: ASL Web Errors

Unread post by jbmoore »

Hm... I'm thinking that these "bad request" errors are coming from my trying to delete the whitelist entries.. I notice that they don't always disappear from the interface right away so I might be sending delete requests that have already been deleted..??? Make sense?

Re: ASL Web Errors

Unread post by mikeshinn »

That just means the system was temporarily unable to connect to the update servers. You can ignore it.

Re: ASL Web Errors

Unread post by jbmoore »

Thanks, makes sense...

But...

Why am I continually getting the:

(502) ASLW::_test_ossec - An OSSEC component is not running:....
and..
2018/06/01 14:47:41 ossec-analysisd: ERROR: Invalid integrity message in the database.

errors...???

Re: ASL Web Errors

Unread post by mikeshinn »

(502) ASLW::_test_ossec - An OSSEC component is not running:....
What errors do you see in /var/ossec/logs/ossec.log?