ossec-hids restart
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
ossec-hids restart
Any ideas why this would happen every minute or so:
Command executed: /sbin/service ossec-hids restart
Exit value: 0
Signal number: 0
Dumped core?: 0
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: 2011/01/10 13:15:12 ossec-testrule: INFO: Reading local decoder file.
2011/01/10 13:15:13 ossec-rootcheck: Rootcheck disabled. Exiting.
2011/01/10 13:15:13 ossec-syscheckd: WARN: Rootcheck module disabled.
[ OK ]
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ossec-hids restart
What do you see in ossec.log?
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: ossec-hids restart
2011/01/10 13:47:53 ossec-dbd(5204): ERROR: Database error. Unable to run query.
2011/01/10 13:47:58 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('626431', '2', '(none)', 'Jan 10 13:47:48 cloud1 pop3d: Connection, ip=[216.14.233.107]') '. Error: 'Table './tortix/data' is marked as crashed and should be repaired'.
2011/01/10 13:47:58 ossec-dbd(5209): INFO: Closing connection to database.
2011/01/10 13:47:58 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2011/01/10 13:47:58 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
2011/01/10 13:47:58 ossec-dbd(5204): ERROR: Database error. Unable to run query.
2011/01/10 13:47:58 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('626431', '2', '(none)', 'Jan 10 13:47:48 cloud1 pop3d: Connection, ip=[216.14.233.107]') '. Error: 'Table './tortix/data' is marked as crashed and should be repaired'.
2011/01/10 13:47:58 ossec-dbd(5209): INFO: Closing connection to database.
2011/01/10 13:47:58 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2011/01/10 13:47:58 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
2011/01/10 13:47:58 ossec-dbd(5204): ERROR: Database error. Unable to run query.
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: ossec-hids restart
Repaired. Should fix it 

-
- New Forum User
- Posts: 2
- Joined: Fri Sep 02, 2011 4:58 pm
- Location: United Kingdom
Re: ossec-hids restart
Hi guys,
I am getting the same email error but my log files look different, can anyone help? I have a limited knowledge as well which does not help.
Thanks for any info or advice you can provide.
Jamie
2011/09/02 20:45:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/09/02 21:45:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/09/02 21:45:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/09/02 20:45:27 ossec-analysisd(1235): ERROR: Invalid value for element 'options': no_ar.
2011/09/02 20:45:27 ossec-analysisd: Invalid option 'options' for rule '3302'.
2011/09/02 20:45:27 ossec-analysisd(1220): ERROR: Error loading the rules: 'postfix_rules.xml'.
2011/09/02 21:45:27 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
2011/09/02 20:45:27 ossec-maild: INFO: Started (pid: 13816).
2011/09/02 21:45:27 ossec-execd: INFO: Started (pid: 13821).
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading local decoder file.
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2011/09/02 20:45:28 ossec-remoted: INFO: Started (pid: 13836).
2011/09/02 20:45:28 ossec-analysisd(1235): ERROR: Invalid value for element 'options': no_ar.
2011/09/02 20:45:28 ossec-analysisd: Invalid option 'options' for rule '3302'.
2011/09/02 20:45:28 ossec-analysisd(1220): ERROR: Error loading the rules: 'postfix_rules.xml'.
2011/09/02 20:45:28 ossec-remoted: INFO: Started (pid: 13837).
2011/09/02 21:45:28 ossec-rootcheck: Rootcheck disabled. Exiting.
2011/09/02 21:45:28 ossec-syscheckd: WARN: Rootcheck module disabled.
2011/09/02 20:45:28 ossec-monitord: INFO: Started (pid: 13851).
2011/09/02 21:45:29 ossec-dbd(1235): ERROR: Invalid value for element 'options': no_ar.
2011/09/02 21:45:29 ossec-dbd(1238): ERROR: Invalid value for element 'options': no_ar
2011/09/02 21:45:29 ossec-dbd(1220): ERROR: Error loading the rules: 'postfix_rules.xml'.
2011/09/02 21:45:29 ossec-dbd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2011/09/02 20:45:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 20:45:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2011/09/02 21:45:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:37 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:37 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2011/09/02 20:45:41 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 20:45:41 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2011/09/02 21:45:43 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:43 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:56 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:56 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ossec-hids restart
You're either not using our OSSEC, or you are way out of date. That's a function we added into OSSEC, so make sure you have the latest ossec from us.
2011/09/02 20:45:28 ossec-analysisd(1235): ERROR: Invalid value for element 'options': no_ar.
Michael Shinn
Atomicorp - Security For Everyone
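For ossec.log excerpts like the two posted above, an added example (not part of the original posts and not Atomicorp or OSSEC code) that collapses repeated errors into distinct entries so the first failure stands out from the follow-on noise. The function name and hint strings are this example's own; the sample lines are excerpted from the thread with the SQL text abridged.

```python
import re
from collections import OrderedDict

# Lines excerpted from the two logs posted in this thread (SQL text abridged).
SAMPLE_LOG = """\
2011/01/10 13:47:58 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(...)'. Error: 'Table './tortix/data' is marked as crashed and should be repaired'.
2011/09/02 20:45:28 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2011/09/02 20:45:28 ossec-analysisd(1235): ERROR: Invalid value for element 'options': no_ar.
2011/09/02 20:45:28 ossec-analysisd(1220): ERROR: Error loading the rules: 'postfix_rules.xml'.
2011/09/02 20:45:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/09/02 21:45:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR): )?(?P<msg>.*)$"
)

# Triage hints are this example's own wording, keyed on messages seen in the thread.
HINTS = [
    ("marked as crashed", "database table needs repair"),
    ("Error loading the rules", "rules file rejected; check installed ossec-hids version"),
    ("Invalid value for element", "rules file rejected; check installed ossec-hids version"),
    ("not accessible", "queue unavailable; look for an analysisd error earlier in the log"),
]

def summarize_errors(log_text):
    """Return distinct ERROR entries in file order, each with a repeat count and hint."""
    # File order is kept: daemons in the posted log stamp the same moment an hour apart.
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("level") != "ERROR":
            continue
        key = (m.group("daemon"), m.group("code"), m.group("msg"))
        if key not in seen:
            hint = next((h for needle, h in HINTS if needle in key[2]), "unclassified")
            seen[key] = {"daemon": key[0], "code": key[1], "first_seen": m.group("ts"),
                         "count": 0, "hint": hint, "message": key[2]}
        seen[key]["count"] += 1
    return list(seen.values())

if __name__ == "__main__":
    for e in summarize_errors(SAMPLE_LOG):
        print(f"{e['count']:>3}x {e['daemon']}({e['code']}) {e['hint']}: {e['message']}")
```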
-
- New Forum User
- Posts: 2
- Joined: Fri Sep 02, 2011 4:58 pm
- Location: United Kingdom
Re: ossec-hids restart
Hi,
My OSSEC is stating that it is up to date in the ASL manager "OSSEC rules are current: 201108261410". I have only installed ASL, no other packages. Could you let me know how to check and/or update if needed?
Thank you
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: ossec-hids restart
rpm -q ossec-hids would tell you
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ossec-hids restart
Then you need to run:
yum upgrade asl asl-web ossec-hids
asl -s -f
asl -u
Michael Shinn
Atomicorp - Security For Everyone