Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
 Post subject: Re: ASL Web Errors
Posted: Thu Jun 21, 2018 11:28 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
Quote:
(502) ASLW::_test_ossec - An OSSEC component is not running:....


what errors do you see in

/var/ossec/logs/ossec.log



Entire log filled with..

2018/06/21 22:43:09 ossec-analysisd: ERROR: Invalid integrity message in the database. (37,536 lines)


 Post subject: Re: ASL Web Errors
Posted: Mon Jun 25, 2018 1:37 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart


 Post subject: Re: ASL Web Errors
Posted: Mon Jun 25, 2018 3:17 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
scott wrote:
Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart


Got it... Thanks... I'll monitor it and see if that fixes the problem..


 Post subject: Re: ASL Web Errors
Posted: Sat Jun 30, 2018 3:53 pm
Forum Regular

Joined: Wed Mar 19, 2008 10:22 pm
Posts: 112
I'm experiencing a similar problem with ossec-analysisd, but I have a different error showing in the OSSEC log:

2018/06/30 12:51:48 ossec-analysisd: ERROR: (1226): Error reading XML file '/etc/decoder.xml': XMLERR: File '/etc/decoder.xml' not found. (line 317).
2018/06/30 12:51:48 ossec-analysisd: CRITICAL: (1202): Configuration error at '/etc/decoder.xml'. Exiting.

Is this a file I need to install somehow?


 Post subject: Re: ASL Web Errors
Posted: Mon Jul 02, 2018 7:27 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
No, we haven't used that file in more than 5 years. What version of ossec are you running?


 Post subject: Re: ASL Web Errors
Posted: Tue Jul 03, 2018 6:22 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
scott wrote:
Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart



Still getting these errors.. as of today..

(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-analysisd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-execd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd


 Post subject: Re: ASL Web Errors
Posted: Thu Jul 05, 2018 12:12 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
See if it's running with:

ps ax |grep ossec


 Post subject: Re: ASL Web Errors
Posted: Thu Jul 05, 2018 12:33 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
scott wrote:
See if it's running with:

ps ax |grep ossec


Here is the output..

4630 ? Ssl 0:00 /var/ossec/bin/ossec-modulesd -f
4633 ? Ss 0:01 /var/ossec/bin/ossec-maild -f
4640 ? Ssl 0:29 /var/ossec/bin/ossec-db -f
4643 ? Ssl 0:03 /var/ossec/bin/ossec-execd -f
4710 ? Ss 18:14 /var/ossec/bin/ossec-analysisd -f
4714 ? Ss 0:05 /var/ossec/bin/ossec-logcollector -f
4732 ? Ss 2:12 /var/ossec/bin/ossec-syscheckd -f
4736 ? Ss 0:04 /var/ossec/bin/ossec-monitord -f
4744 ? Ss 0:02 /var/ossec/bin/ossec-dbd -f
13341 ? S 0:00 sh -c rpm -qa | grep ossec-hids
13343 ? S 0:00 grep ossec-hids
13345 pts/0 S+ 0:00 grep --color=auto ossec


 Post subject: Re: ASL Web Errors
Posted: Thu Jul 05, 2018 12:37 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Interface just hasn't updated yet, give it a bit and that will go away.


 Post subject: Re: ASL Web Errors
Posted: Thu Jul 05, 2018 3:45 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
scott wrote:
Interface just hasn't updated yet, give it a bit and that will go away.


Actually that does not make complete sense, unless it is restarting automatically??

I restarted ossec manually several weeks ago when I first posted this issue. I then refreshed the interface. Messages gone. Now it is showing up again immediately after refreshing the interface (P.S. I do PHP and Java web interfaces professionally, so I do understand the refresh issues fairly well).

So.. the only explanation I can come up with is that somehow ossec crashes, the interface picks that up and then ossec restarts itself, but the server side code is not seeing/checking that right away, so that if I do a refresh of the interface I don't see it for a "while". The problem IMO is: how do I know if there is a problem if I can NOT trust the latest refresh of the interface..??? Though I leave the interface open all the time, I do a refresh immediately before reviewing the server status to ensure that I'm seeing the actual status "right now".

Sorry to be a pain on this.. I installed ASL so that I can spend less time monitoring the server.. not more. I'm sure you can understand my frustrations here.


 Post subject: Re: ASL Web Errors
Posted: Fri Jul 06, 2018 1:52 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Let's see if OSSEC is restarting for expected reasons (rule updates), or if it's having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: ASL Web Errors
Posted: Fri Jul 06, 2018 2:12 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
Let's see if OSSEC is restarting for expected reasons (rule updates), or if it's having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"


The only error showing up is relating to mail. I checked the settings and I don't see a way to set any email server configurations, so.. is there a way around this error..??

output:

2018/07/06 10:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 10:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 11:01:10 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 11:01:10 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 12:01:19 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 12:01:19 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 13:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 13:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 14:01:16 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 14:01:16 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)


 Post subject: Re: ASL Web Errors
Posted: Fri Jul 06, 2018 3:06 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
OK, so that would mean OSSEC isn't failing and restarting. But just in case the log file was rotated and it did fail for some reason, let's expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEC is telling you your email server won't accept email to that address. You'll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER

_________________
Michael Shinn
Atomicorp - Security For Everyone


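As an added example (not from the thread and not Atomicorp's code), here is a small POSIX shell check that answers the earlier question of how to confirm OSSEC status without trusting the interface refresh: it compares a `ps ax` listing against the daemon names shown in this thread and filters `ossec.log` for ERROR lines the same way the grep above does. The daemon list, the sample process listing and the sample log lines are constructed from output quoted in the thread; the live invocations mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example: cross-check OSSEC health independently of the ASL web
# interface. Reports expected daemons absent from a process listing and
# prints ERROR lines from ossec.log minus the diff/queue noise.

# Expected daemon names, assumed from the ps output posted in the thread.
OSSEC_DAEMONS="ossec-analysisd ossec-logcollector ossec-syscheckd ossec-monitord ossec-maild ossec-execd ossec-dbd"

# missing_daemons LISTING: prints each expected daemon that has no
# "/var/ossec/bin/<name> -f" process line. Anchoring on the binary path
# keeps the grep process itself from counting as a match.
missing_daemons() {
    for d in $OSSEC_DAEMONS; do
        printf '%s\n' "$1" | grep -q "/var/ossec/bin/$d -f" || printf '%s\n' "$d"
    done
}

# log_errors LOGTEXT: ERROR lines, excluding diff/queue messages exactly
# as the thread's `egrep -iv "diff|queue"` does.
log_errors() {
    printf '%s\n' "$1" | grep ERROR | grep -Eiv 'diff|queue'
}

# Constructed sample listing: ossec-dbd is deliberately left out.
SAMPLE_PS='4710 ? Ss 18:14 /var/ossec/bin/ossec-analysisd -f
4714 ? Ss 0:05 /var/ossec/bin/ossec-logcollector -f
4732 ? Ss 2:12 /var/ossec/bin/ossec-syscheckd -f
4736 ? Ss 0:04 /var/ossec/bin/ossec-monitord -f
4633 ? Ss 0:01 /var/ossec/bin/ossec-maild -f
4643 ? Ssl 0:03 /var/ossec/bin/ossec-execd -f
13345 pts/0 S+ 0:00 grep --color=auto ossec'

# Constructed sample log: the maild and integrity errors are kept, the
# queue error is filtered out.
SAMPLE_LOG='2018/07/06 10:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/06/21 22:43:09 ossec-analysisd: ERROR: Invalid integrity message in the database.
2018/07/06 10:00:18 ossec-remoted: ERROR: Queue not accessible'

# Live use (assumed invocation): missing_daemons "$(ps ax)" and
# log_errors "$(cat /var/ossec/logs/ossec.log)". The samples are used here.
missing_daemons "$SAMPLE_PS"   # prints: ossec-dbd
log_errors "$SAMPLE_LOG"       # prints the maild and integrity lines only
```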
 Post subject: Re: ASL Web Errors
Posted: Fri Jul 06, 2018 6:46 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
OK, so that would mean OSSEC isn't failing and restarting. But just in case the log file was rotated and it did fail for some reason, let's expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEC is telling you your email server won't accept email to that address. You'll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER


Same output...

As far as the mail server, the mail servers I use require authentication (who doesn't ??) and I don't see that setting.

