Atomicorp

mikeshinn wrote:

(502) ASLW::_test_ossec - An OSSEC component is not running:....

what errors do you see in

/var/ossec/logs/ossec.log

Entire log filled with..

2018/06/21 22:43:09 ossec-analysisd: ERROR: Invalid integrity message in the database. (37,536 lines)

Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart

scott wrote:Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart

Got it... Thanks... I'll monitor it and see if that fixes the problem..

I'm experiencing a similar problem with ossec-analysisd, but I have a different error showing in the OSSEC log:

2018/06/30 12:51:48 ossec-analysisd: ERROR: (1226): Error reading XML file '/etc/decoder.xml': XMLERR: File '/etc/decoder.xml' not found. (line 317).
2018/06/30 12:51:48 ossec-analysisd: CRITICAL: (1202): Configuration error at '/etc/decoder.xml'. Exiting.

Is this a file I need to install somehow?

No, we havent used that file in more than 5 years. What version of ossec are you running?

scott wrote:Reset the FIM db with:

1)
rm -f /var/ossec/queue/syscheck/*

2)
service ossec-hids restart

Still getting these errors.. as of today..

(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-analysisd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-execd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-maild
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd

See if its running with:

ps ax |grep ossec

scott wrote:See if its running with:

ps ax |grep ossec

here is the output..

4630 ? Ssl 0:00 /var/ossec/bin/ossec-modulesd -f
4633 ? Ss 0:01 /var/ossec/bin/ossec-maild -f
4640 ? Ssl 0:29 /var/ossec/bin/ossec-db -f
4643 ? Ssl 0:03 /var/ossec/bin/ossec-execd -f
4710 ? Ss 18:14 /var/ossec/bin/ossec-analysisd -f
4714 ? Ss 0:05 /var/ossec/bin/ossec-logcollector -f
4732 ? Ss 2:12 /var/ossec/bin/ossec-syscheckd -f
4736 ? Ss 0:04 /var/ossec/bin/ossec-monitord -f
4744 ? Ss 0:02 /var/ossec/bin/ossec-dbd -f
13341 ? S 0:00 sh -c rpm -qa | grep ossec-hids
13343 ? S 0:00 grep ossec-hids
13345 pts/0 S+ 0:00 grep --color=auto ossec

Interface just hasnt updated yet, give it a bit and that will go away.

scott wrote:Interface just hasnt updated yet, give it a bit and that will go away.

Actually that does not make complete sense, unless it is restarting automatically??

I restarted ossec manually several weeks ago when I I first posted this issue. I then refreshed the interface. Messages gone. Now it is showing up again immediately after refreshing the interface (P.S. I do Php and Java web interfaces professionally so I do understand the refresh issues fairly well)

So.. the only explanations I can come up with is that somehow ossec crashes, the interface picks that up and then ossec restarts itself but the server side code is not seeing/checking that right away so that if I do a refresh of the interface I don't see it for a "while". The problem IMO is that how do I know if there is a problem if I can NOT trust the latest refresh of the interface..??? Though I leave the interface open all the time, I do a refresh immediately before reviewing the server status to insure that I'm seeing the actual status "right now".

Sorry to be a pain on this.. I installed ASL so that I can spend less time monitoring the server.. not more. I'm sure you can understand my frustrations here.

Lets see if OSSEC is restarting for expected reasons (rule updates), or if its having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"

mikeshinn wrote:Lets see if OSSEC is restarting for expected reasons (rule updates), or if its having some problem that caused it to stop running. Do you see any errors in this log file:

grep ERROR /var/ossec/logs/ossec.log | egrep -iv "diff|queue"

The only error showing up is relating to mail. I checked the settings and I don't see a way to set any email server configurations so..is there a way around this error..??

output:

2018/07/06 10:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 10:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 11:01:10 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 11:01:10 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 12:01:19 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 12:01:19 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 13:00:17 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 13:00:17 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)
2018/07/06 14:01:16 ossec-maild: ERROR: (1765): RCPT TO not accepted by server - 'jbm@esonicspider.com'.
2018/07/06 14:01:16 ossec-maild: ERROR: (1223): Error Sending email to 207.137.0.3 (smtp server)

OK, so that would mean OSSEC isnt failing and restarting. But just in case the log file was rotated and it did fail for some reason, lets expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEc is telling you your email server wont accept email to that address. Youll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER

mikeshinn wrote:OK, so that would mean OSSEC isnt failing and restarting. But just in case the log file was rotated and it did fail for some reason, lets expand that grep to include all your log files:

zgrep ERROR /var/ossec/logs/ossec.log* | egrep -iv "diff|queue"

As for the email error, that means your email server rejected email to that address, and OSSEc is telling you your email server wont accept email to that address. Youll need to reconfigure your email server to allow you to send email to that address.

Alternatively, you can configure OSSEC to use a different email server and/or send alerts to a different email address. Those OSSEC settings are:

https://wiki.atomicorp.com/wiki/index.p ... SSEC_EMAIL

https://wiki.atomicorp.com/wiki/index.p ... MTP_SERVER

Same output...

As far as the mail server, the mail servers I use require authentication (who doesn't ??) and I don't see that setting.