ASL Web Errors

[jbmoore]

I'm suddenly seeing the following errors at the bottom of the ASL Web interface..

(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-analysisd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-execd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-dbd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-logcollec
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-syscheckd
(502) ASLW::_test_ossec - An OSSEC component is not running: ossec-monitord
(9999) ASLValidate::validate_asl - Bad/incomplete data from request

Is this just "informative" or should I be doing something to address this..??? I read somewhere in the docs that ASL monitors and restarts services when there is a problem. ??

Thanks..

[mikeshinn]

That means all of OSSEC is shut down, generally this can happen if ASL has been configured to disable OSSEC or if something has removed or replaced OSSEC. To address this follow this process:

https://wiki.atomicorp.com/wiki/index.p ... ds_restart

Or contact support AT atomicorp DOT com and we can assist you.

[jbmoore]

That means all of OSSEC is shut down, generally this can happen if ASL has been configured to disable OSSEC or if something has removed or replaced OSSEC. To address this follow this process:

https://wiki.atomicorp.com/wiki/index.p ... ds_restart

Or contact support AT atomicorp DOT com and we can assist you.

Great..thanks..That did it!!

I did do a wiki search for that under "ossec restart" and did not come up with that link..

So.. since I did not disable it, and did not remove or replace it... What happen???

[mikeshinn]

Which of those troubleshooting steps addressed this for you?

[jbmoore]

Which of those troubleshooting steps addressed this for you?

Just the restart..

Which made me ask as to why that was required (why it died/shutdown).. since I did not disable it, and did not remove or replace it..

Thanks..

[mikeshinn]

Two things could cause those processes to stop:

1) system ran out of drive space

2) another error caused a shutdown

In the case of 2 (an error caused a shut down), that would be logged in /var/ossec/logs/ossec.log. If the system didnt run out of drive space or inodes, what errors do you see in /var/ossec/logs/ossec.log?

[jbmoore]

Two things could cause those processes to stop:

1) system ran out of drive space

2) another error caused a shutdown

In the case of 2 (an error caused a shut down), that would be logged in /var/ossec/logs/ossec.log. If the system didnt run out of drive space or inodes, what errors do you see in /var/ossec/logs/ossec.log?

Drive space...

Filesystem Size Used Avail Use% Mounted on
/dev/md1 4.0G 1.1G 2.9G 28% /
devtmpfs 7.8G 0 7.8G 0% /dev
tmpfs 7.9G 84K 7.9G 1% /dev/shm
tmpfs 7.9G 755M 7.1G 10% /run
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/mapper/vg00-usr 1013G 65G 908G 7% /usr
none 7.9G 6.7M 7.9G 1% /tmp
/dev/mapper/vg00-home 4.8G 37M 4.5G 1% /home
/dev/mapper/vg00-var 202G 22G 173G 11% /var
tmpfs 1.6G 48K 1.6G 1% /run/user/0

Inodes

Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/md1 262144 18432 243712 8% /
devtmpfs 2037335 432 2036903 1% /dev
tmpfs 2051911 6 2051905 1% /dev/shm
tmpfs 2051911 912 2050999 1% /run
tmpfs 2051911 16 2051895 1% /sys/fs/cgroup
/dev/mapper/vg00-usr 67436544 325904 67110640 1% /usr
none 2051911 26 2051885 1% /tmp
/dev/mapper/vg00-home 327680 352 327328 1% /home
/dev/mapper/vg00-var 13434880 228289 13206591 2% /var
tmpfs 2051911 12 2051899 1% /run/user/0

ossec.log..

Pages and pages of these..

2018/06/01 14:47:41 ossec-analysisd: ERROR: Invalid integrity message in the database.

(did not find this message in the wiki nor knowledgebase..??)

I guess this would be a starting point... How to fix??

[jbmoore]

Just being a squeaky wheel here... the ossec.log is still largely full of the "Invalid integrity..." message..

Ideas..??

[jbmoore]

Hi, Well it appears that ossec has shut down again.. same messages when I opened up ASL web interface today..

Oh and I did a restart of ossec and then refreshed the interface.. Messages were at first gone, but a few minutes later they appeared again.

Any ideas on how to fix this ???

Thanks..

[jbmoore]

Some additional notes as I followed the docs on this...

https://wiki.atomicorp.com/wiki/index.p ... ds_restart

1) ASL not up to date... UPDATE_TYPE = "all"
2) MySql problems.. I did a table analysis and returned that all tables are "OK" Since all the tables in tortix are InnoDB tables most of the instructions in the docs do not apply or so my understanding. There is the problem with the message in the ossec log "ossec-analysisd: ERROR: Invalid integrity message in the database." which I still don't understand.
3) OSSEC_ENABLED = "yes"
4) Since restarting ossec does not return any errors... I don't think this applies..??
5,6,7,8,9) The Mysql database seems to be working fine for all other applications.. so I don't know if any of these might be relevant..??

Any other ideas or am I misunderstanding something critical??

[jbmoore]

Just noticed some new error messages...

(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request
(9999) ASLValidate::validate_asl - Bad/incomplete data from request

[jbmoore]

Hm... I'm thinking that these "bad request" errors are coming from my trying to delete the whitelist entries.. I notice that they don't always disappear from the interface right away so I might be sending delete requests that have already been deleted..??? Make sense?

[mikeshinn]

That just means the system was temporarily unable to connect to the update servers. You can ignore it.

[jbmoore]

Thanks, make sense...

But...

Why am I continually getting the:

(502) ASLW::_test_ossec - An OSSEC component is not running:....
and..
2018/06/01 14:47:41 ossec-analysisd: ERROR: Invalid integrity message in the database.

errors...???

[mikeshinn]

(502) ASLW::_test_ossec - An OSSEC component is not running:....

what errors do you see in

/var/ossec/logs/ossec.log