Re: Ossec wont restart after update
Posted: Tue Jan 07, 2014 3:10 pm
by mikeshinn
Just make sure yum's cache is clear, and force an upgrade. So far the cases I've looked at have been driven by yum thinking it had upgraded everything:
yum clean all
aum -uf
asl -s -f
If you're still having an issue, that may be because of a local change to the rules that was made (for example, a rule was locally configured to not shun), in which case please let us know what the output of this is and open a case:
grep -i error /var/ossec/logs/ossec.log
Re: Ossec wont restart after update
Posted: Tue Jan 07, 2014 3:15 pm
by skiper43
I just ran these commands, and it's fixed in my case. I had run them last night except for the yum clean all, with no luck, so I believe it was that yum command that made the difference.
Thanks Mike!
Re: Ossec wont restart after update
Posted: Tue Jan 07, 2014 4:53 pm
by chrismcb
Strange!
I ran these commands earlier too - but it's now working for me on all machines.
Thanks
Re: Ossec wont restart after update
Posted: Tue Jan 07, 2014 6:18 pm
by mikeshinn
yum can be grumpy sometimes. I've had to CLI delete the entire cache sometimes to get it to "see" an update.
Re: Ossec wont restart after update
Posted: Mon Jan 20, 2014 11:00 am
by darrenram
Was there any update to fixing this specific error?
ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
rules_list: Category '1' not found. Invalid 'category'.
ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
rules_list: Category '1' not found. Invalid 'category'.
I've tried suggestions within this topic and other posts and the problem still exists, with ossec-hids unable to start.
Re: Ossec wont restart after update
Posted: Mon Jan 20, 2014 3:06 pm
by mikeshinn
That means your system is out of date, please post the output of these commands:
aum -uf
asl -s -f
service ossec-hids restart
yum check-update
Re: Ossec wont restart after update
Posted: Mon Jan 20, 2014 4:48 pm
by darrenram
Thanks. I did try various updates earlier today without success; however, I've tried again this evening and can replicate the fix and break sporadically.
When it breaks, if aum -uf is run then this occurs; however, if I keep running it then from time to time it will run without error:
Updating OSSEC to 201401201215: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*asl*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/rules/*': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/etc/*template': No such file or directory
/bin/cp: cannot stat `/var/asl/rules/ossec/ar/*': No such file or directory
It's also worth noting that sometimes other updates give similar errors, i.e.
Updating CLAMAV to 201401201419: updated [OK]
/bin/cp: cannot stat `/var/asl/rules/clamav/*': No such file or directory
If it runs in full then all is fine
#aum -uf
Checking for updates..
Upgrading ASL Components
Updating ASL Core: successful [OK]
Updating APPINV to 201308071122: updated [OK]
Updating CLAMAV to 201401201419: updated [OK]
Updating GEOMAP to 201401201204: updated [OK]
Updating MODSEC to 201401201359: updated [OK]
Updating Anti-Spam Protection: updated [OK]
Updating Attack Protection: updated [OK]
Updating Dataloss Protection: updated [OK]
Updating Malware Protection: updated [OK]
Updating Rootkit Protection: updated [OK]
Updating Shell Protection: updated [OK]
Updating OSSEC to 201401201215: updated [OK]
Updating Self Healing modules: updated [OK]
Updating Brute Force Protection: updated [OK]
Updating Rootkit Protection: updated [OK]
Also, these are the current versions:
# rpm -qa | egrep "ossec-hids|^asl"
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-3.2.15-33.el6.art.x86_64
asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-waf-module-3.2.15-33.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-web-3.2.15-33.el6.art.x86_64
Re: Ossec wont restart after update
Posted: Mon Jan 20, 2014 7:00 pm
by mikeshinn
Wow, something's really, really wrong with your system. Entire directories are missing. My advice would be to reinstall ASL.
https://www.atomicorp.com/wiki/index.ph ... stallation
Re: Ossec wont restart after update
Posted: Thu Feb 20, 2014 6:38 am
by kram
Hello All,
Just updated ASL and ossec-hids fails to start
/var/ossec/logs/ossec.log
2014/02/20 12:33:52 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '40111'.
2014/02/20 12:33:52 ossec-testrule(1220): ERROR: Error loading the rules: 'exclusion_rules.xml'.
rpm -qa | egrep "ossec-hids|^asl"
asl-php-cli-5.4.24-22.el6.art.x86_64
asl-stream-client-1.0-4.el6.art.x86_64
ossec-hids-mysql-2.7.1-37.el6.art.x86_64
asl-php-process-5.4.24-22.el6.art.x86_64
asl-waf-module-3.2.18-37.el6.art.x86_64
asl-web-3.2.18-37.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-common-5.4.24-22.el6.art.x86_64
asl-php-5.4.24-22.el6.art.x86_64
ossec-hids-server-2.7.1-37.el6.art.x86_64
asl-php-gd-5.4.24-22.el6.art.x86_64
asl-3.2.18-37.el6.art.x86_64
ossec-hids-2.7.1-37.el6.art.x86_64
asl-php-pdo-5.4.24-22.el6.art.x86_64
asl-php-mysqlnd-5.4.24-22.el6.art.x86_64
asl -s -f
Any suggestion will be great.
Re: Ossec wont restart after update
Posted: Thu Feb 20, 2014 2:07 pm
by kram
Quick update.
Re-installed ASL
Problem persisted
Edited /var/ossec/rules/exclusion_rules.xml
<group name="local,syslog,modsecurity,">
<rule id="999999" level="0">
<match>NULL NULL NULL NULL</match>
<description>List of rules to be ignored.</description>
</rule>
</group>
<group name="modsecurity,">
<rule id="71001" level="10">
<if_sid>60118, 60121</if_sid>
<match>id "300032"</match>
<description>Custom event for rule id 300032</description>
<options>no_email_alert</options>
<options>no_log</options>
</rule>
<rule id="71002" level="10">
<if_sid>60118, 60121</if_sid>
<match>id "300068"</match>
<description>Custom event for rule id 300068</description>
<options>no_email_alert</options>
<options>no_log</options>
</rule>
</group>
/etc/init.d/ossec-hids restart
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
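The analysisd error kram hit ("Invalid use of frequency/context options. Missing if_matched on rule '40111'") is what OSSEC reports when a rule carries frequency/timeframe attributes but no if_matched_sid, if_matched_group or if_matched_regex child. The following checker is an added example, not part of the thread or of ASL/OSSEC; it flags such rules in a rules file before the daemon is restarted, and the sample rules file embedded in it is constructed for the example (rule ids and content are illustrative). OSSEC rule files have several top-level <group> elements and no single root, so the parser wraps the text in a synthetic root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: several top-level <group>s (as in real OSSEC rule files).
# Rule 40111 sets frequency/timeframe with no if_matched_* child and should be flagged;
# rule 71001 is a correct correlation rule and should pass.
SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="999999" level="0">
    <match>NULL NULL NULL NULL</match>
    <description>List of rules to be ignored.</description>
  </rule>
</group>
<group name="modsecurity,">
  <rule id="40111" level="10" frequency="5" timeframe="120">
    <match>id "300032"</match>
    <description>Broken: frequency without if_matched_*</description>
  </rule>
  <rule id="71001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>60118</if_matched_sid>
    <match>id "300068"</match>
    <description>Correct correlation rule</description>
  </rule>
</group>
"""

# Elements that give a frequency/timeframe rule its "context" (what it counts against).
CONTEXT_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def parse_rules(text):
    """Wrap the fragment in a synthetic root so ElementTree accepts multiple <group>s."""
    return ET.fromstring("<rules>" + text + "</rules>")


def find_missing_if_matched(text):
    """Return the ids of rules using frequency/timeframe without any if_matched_* child."""
    bad = []
    for rule in parse_rules(text).iter("rule"):
        uses_context = "frequency" in rule.attrib or "timeframe" in rule.attrib
        has_if_matched = any(rule.find(tag) is not None for tag in CONTEXT_TAGS)
        if uses_context and not has_if_matched:
            bad.append(rule.get("id"))
    return bad


def check_file(path):
    """Check one rules file on disk, e.g. /var/ossec/rules/exclusion_rules.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_missing_if_matched(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        for rid in check_file(p):
            print(f"{p}: rule {rid} sets frequency/timeframe without if_matched_*")
```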