ASL 2.02 ossec-hids completely broken :( [[SOLVED]]
Posted: Wed Jul 02, 2008 8:25 pm
by aus-city
ASL 2.02 ossec-hids is way broken. It's not compiled for mysql, meaning ossec-hids now refuses to run. Rolled back to ASL 2, but this did nothing; there is obviously some change 2.02 did to try to use mysql with ossec.
Can an updated ossec-hids, compiled for mysql support, be released urgently? Both my servers are now running without ossec-hids.
Posted: Wed Jul 02, 2008 9:17 pm
by warrenc
I was kind of in the same boat. My suggestion, although maybe not the best, is to update again, run asl -c to configure the mysql support with the new configuration options, then asl -s -f -t.
Hopefully this will help you out, but check for credential issues in /var/ossec/logs/ossec.log every couple of seconds. It seems there are two separate logins being stored somewhere for this database, maybe one that a typical asl -c doesn't update....
Let me know how it goes for you as I fought with it for a while myself.
Posted: Wed Jul 02, 2008 10:24 pm
by aus-city
Thanks! One question: one server is running Fedora 9 and does not have mysql installed, so can I set SQL to off?
The other server is Fedora 8 with Plesk, so it naturally has mysql installed.
Thanks!
Posted: Wed Jul 02, 2008 10:25 pm
by warrenc
I'm no ASL guru, but there is an option on whether to enable MySQL support or not, and I'm willing to bet if you say no, it'll listen. =P
Posted: Wed Jul 02, 2008 11:28 pm
by aus-city
No, it still whines that ossec is not compiled with mysql support. I am screwed until the packages are fixed.
Perhaps when such new features are introduced they should either be in bleeding or have the new features off by default.
In the meantime, 2 emails per minute from the servers.
Posted: Thu Jul 03, 2008 12:06 am
by warrenc
I'm not quite sure I understand, but what's the trouble in installing mysql-server for ossec if indeed it's really a requirement? Atomic/CentOS channels have it for a quick yum install?
Posted: Thu Jul 03, 2008 1:48 am
by aus-city
Right now I am just working on the F8 Plesk server, and it's that ossec is not compiled for mysql, so Scott needs to make Fedora ossec compiled with mysql.
Setting it on or off, it still fails to start because it's not compiled for mysql.
Are you using fedora or another OS?
Posted: Thu Jul 03, 2008 4:16 am
by aus-city
I even deleted the /etc/asl/config file and redid the server; it's still broken.
If there is no fix tomorrow I may start trying old packages again, hoping to resurrect ossec from the dead.
Fingers crossed..
Cheers
Posted: Thu Jul 03, 2008 7:12 am
by warrenc
Oh, gotcha, sorta. Yea, I'm having problems with CentOS 5 with the MySQL integration as well. But, from looking at the archives, it appears our versions were published at right about the same time, although I'm on CentOS 5 and you're on FC8...
It appears to me that MySQL is very much compiled into OSSEC, but I suppose I could be wrong. What makes me think this is all of the errors in ossec.log complaining of being unable to connect to the DB, along with this ossec-dbd daemon.
After struggling with ASL/MySQL for a while and disabling it in the ASL config, I'm back to text logs and such for the time being. I resolved one issue with borked-up credentials, but I believe it's configured in more than one place.
Posted: Thu Jul 03, 2008 9:10 am
by aus-city
I ended up:
yum remove ossec*
This gets rid of all the stuff.
Cleaned out /var/asl and /var/ossec
Reinstalled, but testing is off.
It's running again.
But I need some files; nothing I do creates them, and it whines that they don't exist:
/var/asl/rules/appinv/headers
/var/asl/rules/modsec/domain-blacklist.txt
In fact, /var/asl/rules is as far as anything existed; I had to create the subdirs.
For now I created blank 0-byte files, and that shuts it up!
Seems the package that is evil is the actual asl 2.02 in testing.
Posted: Thu Jul 03, 2008 9:55 am
by Kalimari
Your current woes may have been caused by removing the OSSEC 'part' of ASL... Have you run asl -u? That should pick up domain-blacklist.txt and any other configuration files...
Posted: Thu Jul 03, 2008 11:14 am
by scott
If you're going to play with the -testing channel packages, what you want to do is:
yum --enablerepo=asl-2.0-testing update
asl -c
(follow dialog)
This part will create the DB; if you're using asl 2.0.2 you *HAVE* to do this. No exceptions. You can opt out of it at this point by saying "no" to mysql support. Either way you have to do it.
asl -s -f
This is what will change the settings in OSSEC and the web interface. Running this before you run asl -c will cause problems.
Last but not least, Fedora 8 and 9 aren't supported.
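Scott's sequence above leaves it to asl -c to either write or remove the MySQL settings in OSSEC's own config, and the thread's symptom is an ossec-hids build without MySQL support refusing to start once those settings are present. The following is an added example, not code from the thread, from ASL or from OSSEC: it reads an ossec.conf and reports whether a <database_output> block is present and which <type> it names, so you can confirm what asl -c and asl -s -f actually produced before restarting OSSEC. The <database_output> and <type> elements and the mysql/postgresql values are standard OSSEC configuration; the sample config contents (host, user, password) are constructed for the example, and the default path /var/ossec/etc/ossec.conf is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, ASL or OSSEC): inspect an ossec.conf and
# report whether <database_output> is enabled and which database <type> it
# names. ossec-dbd built without that database's client library will not start
# with such a block in place, which is the failure discussed in the thread.
#
# Usage: ossec_db_output_type /var/ossec/etc/ossec.conf
# Prints "mysql", "postgresql", "unknown" (block present, <type> missing)
# or "none" (no block). ossec_needs_dbd exits 0 when a DB output is enabled.
#
# Caveat: this is sed-based, so a block commented out across several lines
# with <!-- ... --> is still reported as present; check such a file by eye.

ossec_db_output_type() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Keep only the lines between <database_output> and </database_output>.
    block=$(sed -n '/<database_output>/,/<\/database_output>/p' "$conf")
    if [ -z "$block" ]; then
        echo none
        return 0
    fi
    # Pull the first <type>...</type> value inside that block; OSSEC accepts
    # "mysql" or "postgresql" here. Surrounding whitespace is trimmed.
    dbtype=$(printf '%s\n' "$block" \
        | sed -n 's/.*<type>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/type>.*/\1/p' \
        | head -n 1)
    echo "${dbtype:-unknown}"
}

# Exit status 0 if ossec-dbd (and the matching DB client library) is required.
ossec_needs_dbd() {
    case "$(ossec_db_output_type "$1")" in
        mysql|postgresql) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (assumed values, not from any real host) so the
# functions can be exercised without touching /var/ossec.
SAMPLE_CONF=$(mktemp)
SAMPLE_CONF_NODB=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF_NODB"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>ossecpass</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
EOF

cat > "$SAMPLE_CONF_NODB" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
</ossec_config>
EOF

# Stand-alone run: report on a real file if one is given, then on both samples.
for f in "${1:-}" "$SAMPLE_CONF" "$SAMPLE_CONF_NODB"; do
    [ -n "$f" ] || continue
    printf '%s: database_output=%s' "$f" "$(ossec_db_output_type "$f")"
    if ossec_needs_dbd "$f"; then
        printf ' (ossec-dbd must be built with support for this database)\n'
    else
        printf ' (ossec-dbd not needed)\n'
    fi
done
```

Run it as `sh check-ossec-db.sh /var/ossec/etc/ossec.conf` after `asl -c` and `asl -s -f`. If you answered "no" to MySQL support and the script still reports `mysql`, the settings were not removed and the non-MySQL ossec-hids build will keep failing at start; if it reports `mysql` and you intend to use the database, the installed ossec-hids-server packages have to be the ones built with MySQL support.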
Posted: Thu Jul 03, 2008 10:06 pm
by aus-city
Thanks Scott, the updated ossec-hids and ossec-hids-server for both Fedora 8 and 9 fixed my two servers.
Happily running testing ASL again.