Re: [ossec-list] OSSEC-WUI Available Agents
I did check logs and there were only “waiting for the server” messages. I tried all of the suggestions I found on the Internet; nothing worked. BUT, I did fix it another way: I DELETED the agent, created another agent, and then got a DUPLICATE error message. I followed the instructions for getting rid of duplicates and that worked. The agent now comes up OK and the server sees it. I don’t know why this happened only on the Mac and not on the Windows agents.

Regards,
Rodolfo

> On Nov 2, 2018, at 04:55, dan (ddp) wrote:
>
> On Thu, Nov 1, 2018 at 9:09 AM Rodolfo Peña wrote:
>>
>> Hi, Frank
>>
>> Although my log files say that the agent (a Mac running OSSEC on a virtual box as an agent) connects to a server (OSSEC running as server on a virtual box on another Mac), when I list the agents via agent_control -l, the agent shows as "Never connected."
>>
>> Agents running on Windows XP and Windows 7 as virtual machines connect fine and show up as Active or Disconnected, according to whether the respective machine is running or not.
>>
>> It is only OSSEC running as an agent that I cannot get to show up in the list of Active agents.
>>
>> Any thoughts? Suggestions?
>>
>
> Check the ossec.log on the agent and the server.
[ossec-list] ossec wui interface problem
When you add an agent, OSSEC WUI goes blank on the main and search tabs. I have already changed to web interface 0.3, assuming that the problem was the 0.8 interface, and it remains the same.
Re: [ossec-list] OSSEC WUI can't read alerts.log
On Sun, Aug 9, 2015 at 12:29 PM, theresa mic-snare rockprinz...@gmail.com wrote:
> Such a shame that WUI is no longer supported/developed. I understand that they would rather focus on improving OSSEC than work on a web tool that displays the alerts. I understand that ELK (especially Logstash and Kibana) do the job nicely... but WUI was the perfect pick for my thesis project (test environment), as I'm running the OSSEC appliance on a 2 GB VM and I don't have the possibility to add more RAM. Alas, Elasticsearch and Logstash are memory-eating slugs, therefore I'm unable to run ELK on my test server... also it would be a bit overkill just for one OSSEC master and one agent.

There is a GitHub repository for the WUI at https://github.com/ossec/ossec-wui
Contributions would definitely be welcome!
Re: [ossec-list] OSSEC WUI can't read alerts.log
Hello, Daniel!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open source project based on the ELK stack. It allows searching alerts and logs and creating visualizations based on the received alerts. If you are familiar with the ELK stack, it will be very easy for you to adjust LightSIEM to your requirements. Also feel free to make any pull requests or open issues.

On Sun, 9 Aug 2015 at 19:29, theresa mic-snare rockprinz...@gmail.com wrote:
> Such a shame that WUI is no longer supported/developed. I understand that they would rather focus on improving OSSEC than work on a web tool that displays the alerts. I understand that ELK (especially Logstash and Kibana) do the job nicely... but WUI was the perfect pick for my thesis project (test environment), as I'm running the OSSEC appliance on a 2 GB VM and I don't have the possibility to add more RAM. Alas, Elasticsearch and Logstash are memory-eating slugs, therefore I'm unable to run ELK on my test server... also it would be a bit overkill just for one OSSEC master and one agent.

--
Regards,
Daniil Svetlov.
Re: [ossec-list] OSSEC WUI can't read alerts.log
Such a shame that WUI is no longer supported/developed. I understand that they would rather focus on improving OSSEC than work on a web tool that displays the alerts. I understand that ELK (especially Logstash and Kibana) do the job nicely... but WUI was the perfect pick for my thesis project (test environment), as I'm running the OSSEC appliance on a 2 GB VM and I don't have the possibility to add more RAM. Alas, Elasticsearch and Logstash are memory-eating slugs, therefore I'm unable to run ELK on my test server... also it would be a bit overkill just for one OSSEC master and one agent.

On Saturday, 8 August 2015 22:49:16 UTC+2, Daniel wrote:
> Interesting that ossec-wui isn't supported. I downloaded the appliance right from ossec.net and was following the instructions. Went through my running processes and checked out their configs... sure enough, Kibana is also included. Opened up a browser to localhost:5601 and Kibana is still running like a champ. Not even going to try to fix the WUI since I'm more familiar with ELK. Thanks for the help, Eero.
[ossec-list] OSSEC WUI can't read alerts.log
I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured a few domain controllers to send it their logs. When I came in today, the WUI is displaying an error of:

Warning: fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Value too large for defined data type in /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839

My alerts.log file is 3.5G. If I delete it and restart the ossec services, the file is recreated at 3.5G. Is this an issue with file size? If so, can I up the log rotation to more than just once a day? And how would I flush whatever buffer keeps recreating the 3.5G alerts.log file so I can get back to reviewing logs?

Similar, but unanswered message from 2013: https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ

Thanks.
Dan
Re: [ossec-list] OSSEC WUI can't read alerts.log
Well, you need to give correct permissions to apache, as the WUI is running under the apache uid.

Eero

On 8.8.2015 8.27 pm, Daniel Twardowski noghrisli...@gmail.com wrote:
> I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured a few domain controllers to send it their logs. When I came in today, the WUI is displaying an error of:
>
> Warning: fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Value too large for defined data type in /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839
>
> My alerts.log file is 3.5G. If I delete it and restart the ossec services, the file is recreated at 3.5G. Is this an issue with file size? If so, can I up the log rotation to more than just once a day? And how would I flush whatever buffer keeps recreating the 3.5G alerts.log file so I can get back to reviewing logs?
>
> Similar, but unanswered message from 2013: https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ
>
> Thanks.
> Dan
Re: [ossec-list] OSSEC WUI can't read alerts.log
Thanks for the quick response. I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the error. I then chmod'ed alerts.log from 640 to 666 and still got the error. alerts.log is still growing, though. Up to 4.2G.

On Saturday, August 8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:
> Well, you need to give correct permissions to apache, as the WUI is running under the apache uid.
>
> Eero
Re: [ossec-list] OSSEC WUI can't read alerts.log
Well, check memory_limit on PHP also. OSSEC WUI is no longer supported. You should use Kibana + Elasticsearch instead of it.

Eero

> Thanks for the quick response. I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the error. I then chmod'ed alerts.log from 640 to 666 and still got the error. alerts.log is still growing, though. Up to 4.2G.
Re: [ossec-list] OSSEC WUI can't read alerts.log
Interesting that ossec-wui isn't supported. I downloaded the appliance right from ossec.net and was following the instructions. Went through my running processes and checked out their configs... sure enough, Kibana is also included. Opened up a browser to localhost:5601 and Kibana is still running like a champ. Not even going to try to fix the WUI since I'm more familiar with ELK. Thanks for the help, Eero.

On Saturday, August 8, 2015 at 4:31:42 PM UTC-4, Eero Volotinen wrote:
> Well, check memory_limit on PHP also. OSSEC WUI is no longer supported. You should use Kibana + Elasticsearch instead of it.
>
> Eero
Re: [ossec-list] ossec-wui search broken?
On Jul 17, 2015 7:08 AM, theresa mic-snare rockprinz...@gmail.com wrote:
> I've opened an issue on GitHub... I don't know what else to do now to fix this problem :(

I think that's the best option. I haven't had a chance to test this (and I can't reasonably duplicate your setup).

> On Wednesday, 15 July 2015 21:11:03 UTC+2, theresa mic-snare wrote:
> First of all, let me thank you for the time and effort you've put into troubleshooting for me so far; it's very much appreciated. Also, I'm documenting it all as I'm writing my thesis on OSSEC :)
> Oh yeah, sorry, forgot to mention:
> OS: CentOS 6.6
> Apache: 2.2
> latest version of WUI (cloned it straight off GitHub)
>
> On Wednesday, 15 July 2015 21:01:46 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 2:55 PM, theresa mic-snare rockpr...@gmail.com wrote:
> Nope, SELinux is disabled (set to permissive). I am running this on a small VM (with not many resources); that's why I hesitate to get the ELK stack going. I think it'd be a bit of an overkill for my test environment.
>
> I can't do any testing right now, but I can try later (time and memory permitting). Other than that, I don't have any other ideas at the moment.
> Which distro are you using? I'm assuming Apache. Which version of the WUI? The latest code in the repo or 0.8?
>
> Would you mind editing your previous post? I forgot to remove my website URL in my previous post.
>
> On Wednesday, 15 July 2015 20:36:28 UTC+2, theresa mic-snare wrote:
> Hmm, the partition is mounted rw (no other options); it's a single logical volume.
> Nope, just dozens of this:
> PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
> That's the thing: the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist. The whole ossec-wui directory (and its subdirectories) belongs to root:root instead of apache:apache. Maybe this is the problem? I cloned it off of GitHub and followed the instructions. Hmm.
>
> On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 1:57 PM, theresa mic-snare rockpr...@gmail.com wrote:
> On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 1:44 PM, theresa mic-snare rockpr...@gmail.com wrote:
> Oh yeah, there are tons of messages like this in the Apache error log:
> PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>
> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?
>
> Hmm, there's no tmp dir in /var/www/html/ossec-wui. The owner/group and perms of the /var/ossec/tmp dir, however, are root:apache and 770.
>
> What are the mount options for the partition /var/ossec is on? Are there any log messages prior to the one you posted about not being able to create the temp file? Does the temp file exist? If so, what are the perms?
>
> @dan: what do you use instead? Logstash and Kibana?
>
> I don't use anything currently, but the ELK stack has worked fine for me in the past. Graylog2 was also decent. Splunk was OK except for the 500mb/day limit on the free version.
>
> On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
> On Jul 9, 2015 5:36 PM, theresa mic-snare rockpr...@gmail.com wrote:
> Hi all, yes, it's me again ;)
> I've cloned the ossec-wui from github.com and wanted to search my alerts. In the time frame I put from yesterday (e.g. 2017-07-08) till now; Minimum Level: all; SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log). Other than that everything is default.
> At the bottom of the page it says "Total alerts found: 3339 Output divided in 4 pages." and "Page 1 (338 alerts) Nothing returned (or search expired)." Which is crazy, because there was only 1 alert from this specific IP. Also no alert is actually showing up, unlike in the alerts.log or in the email notification. What am I doing wrong here? I could also attach a screenshot if need be.
>
> Are there any related log messages in the webserver's log files? I don't use the WUI (it's currently a dead project), but I kinda remember it logging when things went wrong.
>
> thanks
> theresa
Re: [ossec-list] ossec-wui search broken?
I've opened an issue on GitHub... I don't know what else to do now to fix this problem :(

On Wednesday, 15 July 2015 21:11:03 UTC+2, theresa mic-snare wrote:
> First of all, let me thank you for the time and effort you've put into troubleshooting for me so far; it's very much appreciated. Also, I'm documenting it all as I'm writing my thesis on OSSEC :)
> Oh yeah, sorry, forgot to mention:
> OS: CentOS 6.6
> Apache: 2.2
> latest version of WUI (cloned it straight off GitHub)
>
> Would you mind editing your previous post? I forgot to remove my website URL in my previous post.
Re: [ossec-list] ossec-wui search broken?
hmm the partition it is on is mounted rw (no other options)

nope, just the
PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39, referer: http://lab.aremai.net/ossec-wui/index.php?f=s

the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
the whole ossec-wui directory (and its subdirectories) belong to root:root instead of apache:apache
maybe this is the problem? i cloned it off of github and followed the instruction.
hmm

On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 1:57 PM, theresa mic-snare rockpr...@gmail.com wrote:
>> hmm there's no tmp dir in /var/www/html/ossec-wui
>> the owner/group and perms of the /var/ossec/tmp dir however are: root:apache and 770
>
> What are the mount options for the partition /var/ossec is on?
> Are there any log messages prior to the one you posted about not being able to create the temp file?
> Does the temp file exist? If so, what are the perms?
Re: [ossec-list] ossec-wui search broken?
On Jul 15, 2015 1:57 PM, theresa mic-snare rockprinz...@gmail.com wrote:
> On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
>> On Jul 15, 2015 1:44 PM, theresa mic-snare rockpr...@gmail.com wrote:
>>> oh yeah, there are tons of messages like this in the apache error log
>>> PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>>
>> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?
>
> hmm there's no tmp dir in /var/www/html/ossec-wui
> the owner/group and perms of the /var/ossec/tmp dir however are: root:apache and 770

What are the mount options for the partition /var/ossec is on?
Are there any log messages prior to the one you posted about not being able to create the temp file?
Does the temp file exist? If so, what are the perms?

>>> @dan: what do you use instead? logstash and kibana?
>>
>> I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
Re: [ossec-list] ossec-wui search broken?
hmm the partition is mounted rw (no other options). it's a single logical volume.

nope, just dozens of this
PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39

that's the thing: the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
the whole ossec-wui directory (and its subdirectories) belong to root:root instead of apache:apache
maybe this is the problem? i cloned it off of github and followed the instruction.
hmm

On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 1:57 PM, theresa mic-snare rockpr...@gmail.com wrote:
>> hmm there's no tmp dir in /var/www/html/ossec-wui
>> the owner/group and perms of the /var/ossec/tmp dir however are: root:apache and 770
>
> What are the mount options for the partition /var/ossec is on?
> Are there any log messages prior to the one you posted about not being able to create the temp file?
> Does the temp file exist? If so, what are the perms?
Re: [ossec-list] ossec-wui search broken?
On Jul 15, 2015 1:44 PM, theresa mic-snare rockprinz...@gmail.com wrote:
> oh yeah, there are tons of messages like this in the apache error log
> PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39

So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?

> @dan: what do you use instead? logstash and kibana?

I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
Re: [ossec-list] ossec-wui search broken?
On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 1:44 PM, theresa mic-snare rockpr...@gmail.com wrote:
>> oh yeah, there are tons of messages like this in the apache error log
>> PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>
> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?

hmm there's no tmp dir in /var/www/html/ossec-wui
the owner/group and perms of the /var/ossec/tmp dir however are: root:apache and 770

>> @dan: what do you use instead? logstash and kibana?
>
> I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
Re: [ossec-list] ossec-wui search broken?
On Jul 15, 2015 2:27 PM, theresa mic-snare rockprinz...@gmail.com wrote:
> hmm the partition it is on is mounted rw (no other options)
>
> nope, just the
> PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39, referer: http://lab.aremai.net/ossec-wui/index.php?f=s
>
> the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
> the whole ossec-wui directory (and its subdirectories) belong to root:root instead of apache:apache
> maybe this is the problem? i cloned it off of github and followed the instruction.
> hmm

Based on the readme, I have to assume the tmp dir in question is /var/ossec/tmp.

Is selinux enabled? Could this be blocking the write?
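The checks dan asks for across his replies above (whether the tmp directory exists at all, its owner, group and mode, the mount options of the filesystem it sits on, the SELinux mode, and whether the web server account can actually create a file there) collected into one diagnostic function. This is an added example, not code from the thread or from the ossec-wui project; the directory /var/ossec/tmp and the account apache are assumptions taken from the thread, and the function name wui_tmp_check is made up here.

```sh
#!/bin/sh
# Added diagnostic for the write failure discussed in this thread. Not part of
# ossec-wui; the directory and account defaults are assumptions from the thread.
#
# wui_tmp_check DIR [WEBUSER]
#   DIR      directory ossec-wui writes its output-tmp.* files into (assumed /var/ossec/tmp)
#   WEBUSER  account the web server runs as (assumed "apache", the CentOS httpd default)
# Prints the facts asked about in the thread and returns 0 only when a probe
# file can be created and removed in DIR as WEBUSER.
wui_tmp_check() {
    dir=$1
    webuser=${2:-apache}

    # A missing directory is what PHP reports as "No such file or directory";
    # no permission check is meaningful until it exists.
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 2
    fi

    # Owner, group and mode (e.g. "drwxrwx--- 2 root apache ... /var/ossec/tmp").
    ls -ld "$dir"

    # Mount options of the filesystem holding DIR; a read-only mount fails
    # writes even when owner and mode look right.
    if command -v findmnt >/dev/null 2>&1; then
        findmnt -n -o TARGET,OPTIONS --target "$dir" || true
    fi

    # SELinux mode, when the tools are installed (Enforcing can deny the write
    # even with mode 770 and the right group).
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce 2>/dev/null || echo unknown)"
    fi

    # The real test: create and remove a probe file as the web server account.
    # Only switch user when running as root and the account exists; otherwise
    # probe as the current user and report that user instead.
    probe="$dir/.wui-tmp-check.$$"
    if [ "$(id -u)" -eq 0 ] && [ "$webuser" != "$(id -un)" ] && id "$webuser" >/dev/null 2>&1; then
        su -s /bin/sh "$webuser" -c "touch '$probe' && rm -f '$probe'"
        rc=$?
    else
        webuser=$(id -un)
        touch "$probe" 2>/dev/null
        rc=$?
        rm -f "$probe"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $webuser can create files in $dir"
    else
        echo "DENIED: $webuser cannot create files in $dir (check owner/group/mode, mount options, SELinux)"
    fi
    return "$rc"
}

# Example invocation on the host from the thread:
#   wui_tmp_check /var/ossec/tmp apache
```

Run it as root on the WUI host; with root:apache and 770 the probe succeeds only if httpd really runs as apache, and a directory that does not exist is reported before any permission check, which is the case the thread's "No such file or directory" warning points to rather than a plain permission denial.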
Re: [ossec-list] ossec-wui search broken?
oh yeah, there are tons of messages like this in the apache error log
PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39

@dan: what do you use instead? logstash and kibana?

On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
> On Jul 9, 2015 5:36 PM, theresa mic-snare rockpr...@gmail.com wrote:
>> hi all,
>> yes, it's me again ;)
>> i've cloned the ossec-wui from github.com and wanted to search my alerts.
>> in the time frame i put from yesterday (e.g. 2017-07-08) and till now
>> Minimum Level: all
>> SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log)
>> other than that everything is default.
>> at the bottom of the page it says:
>> Total alerts found: 3339
>> Output divided in 4 pages.
>> and
>> Page 1 (338 alerts)
>> Nothing returned (or search expired).
>> which is crazy, because there was only 1 alert from this specific IP.
>> also no alert is actually showing up, unlike in the alerts.log or in the email notification.
>> what am i doing wrong here?
>> I could also attach a screenshot if need be
>
> Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.
>
>> thanks
>> theresa
Re: [ossec-list] ossec-wui search broken?
nope, selinux is disabled (set to permissive)

i am running this on a small VM (with not many resources), that's why I hesitate to get the ELK stack going. i think it'd be a bit of an overkill for my test environment.

would you mind editing your previous post? I forgot to remove my website url in my previous post.

On Wednesday, 15 July 2015 20:36:28 UTC+2, theresa mic-snare wrote:
> hmm the partition is mounted rw (no other options). it's a single logical volume.
>
> nope, just dozens of this
> PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>
> that's the thing: the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
> the whole ossec-wui directory (and its subdirectories) belong to root:root instead of apache:apache
> maybe this is the problem? i cloned it off of github and followed the instruction.
> hmm
Re: [ossec-list] ossec-wui search broken?
On Jul 15, 2015 2:55 PM, theresa mic-snare rockprinz...@gmail.com wrote:
> nope, selinux is disabled (set to permissive)
>
> i am running this on a small VM (with not many resources), that's why I hesitate to get the ELK stack going. i think it'd be a bit of an overkill for my test environment.

I can't do any testing right now, but I can try later (time and memory permitting). Other than that, I don't have any other ideas at the moment.

Which distro are you using? I'm assuming apache. Which version of the wui? The latest code in the repo or 0.8?

> would you mind editing your previous post? I forgot to remove my website url in my previous post.
Re: [ossec-list] ossec-wui search broken?
first of all, let me thank you for the time and effort you've put into troubleshooting for me so far, it's very appreciated. also i'm documenting it all as i'm writing my thesis on ossec :)

oh yeah, sorry forgot to mention:
OS: centos 6.6
apache: 2.2
latest version of WUI (cloned it straight off github)

On Wednesday, 15 July 2015 21:01:46 UTC+2, dan (ddpbsd) wrote:

On Jul 15, 2015 2:55 PM, theresa mic-snare rockpr...@gmail.com wrote:

nope, selinux is disabled (set to permissive). i am running this on a small VM (with not many resources), that's why I hesitate to get the ELK stack going. i think it'd be a bit of an overkill for my test environment.

I can't do any testing right now, but I can try later (time and memory permitting). Other than that, I don't have any other ideas at the moment. Which distro are you using? I'm assuming apache. Which version of the wui? The latest code in the repo or 0.8?

would you mind editing your previous post? I forgot to remove my website url in my previous post.

On Wednesday, 15 July 2015 20:36:28 UTC+2, theresa mic-snare wrote:

hmm the partition is mounted rw (no other options), it's a single logical volume. nope, just dozens of this:

PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39

that's the thing: the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist. the whole ossec-wui directory (and its subdirectories) belongs to root:root instead of apache:apache. maybe this is the problem? i cloned it off of github and followed the instructions. hmm

On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:

On Jul 15, 2015 1:57 PM, theresa mic-snare rockpr...@gmail.com wrote:

On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:

On Jul 15, 2015 1:44 PM, theresa mic-snare rockpr...@gmail.com wrote:

oh yeah, there are tons of messages like this in the apache error log:

PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39

So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?

hmm there's no tmp dir in /var/www/html/ossec-wui. the owner/group and perms of the /var/ossec/tmp dir however are: root:apache and 770

What are the mount options for the partition /var/ossec is on? Are there any log messages prior to the one you posted about not being able to create the temp file? Does the temp file exist? If so, what are the perms?

@dan: what do you use instead? logstash and kibana?

I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.

On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:

On Jul 9, 2015 5:36 PM, theresa mic-snare rockpr...@gmail.com wrote:

hi all, yes, it's me again ;)

i've cloned the ossec-wui from github.com and wanted to search my alerts. in the time frame i put from yesterday (e.g 2017-07-08) and till now, Minimum Level: all, SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log). other than that everything is default.

at the bottom of the page it says:

Total alerts found: 3339
Output divided in 4 pages.

and

Page 1 (338 alerts)
Nothing returned (or search expired).

which is crazy, because there was only 1 alert from this specific IP. also no alert is actually showing up, unlike in the alerts.log or in the email notification. what am i doing wrong here? I could also attach a screenshot if need be

Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.

thanks theresa
Re: [ossec-list] ossec-wui search broken?
On Jul 9, 2015 5:36 PM, theresa mic-snare rockprinz...@gmail.com wrote:

hi all, yes, it's me again ;)

i've cloned the ossec-wui from github.com and wanted to search my alerts. in the time frame i put from yesterday (e.g 2017-07-08) and till now, Minimum Level: all, SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log). other than that everything is default.

at the bottom of the page it says:

Total alerts found: 3339
Output divided in 4 pages.

and

Page 1 (338 alerts)
Nothing returned (or search expired).

which is crazy, because there was only 1 alert from this specific IP. also no alert is actually showing up, unlike in the alerts.log or in the email notification. what am i doing wrong here? I could also attach a screenshot if need be

Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.

thanks theresa
[ossec-list] ossec-wui search broken?
hi all, yes, it's me again ;)

i've cloned the ossec-wui from github.com and wanted to search my alerts. in the time frame i put from yesterday (e.g 2017-07-08) and till now, Minimum Level: all, SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log). other than that everything is default.

at the bottom of the page it says:

Total alerts found: 3339
Output divided in 4 pages.

and

Page 1 (338 alerts)
Nothing returned (or search expired).

which is crazy, because there was only 1 alert from this specific IP. also no alert is actually showing up, unlike in the alerts.log or in the email notification. what am i doing wrong here? I could also attach a screenshot if need be

thanks theresa
[ossec-list] ossec-wui installation problem
Hello, My web server and the ossec server are on 2 different machines. When trying to set up the ossec web interface on my web server by running ./setup.sh, it asked me for the 'OSSEC install directory path'. As the ossec install is not local to the machine, how do I tell it to look on the remote server? Thank you, Fred
Re: [ossec-list] ossec-wui installation problem
On Dec 29, 2014 5:31 AM, Fred974 trinitec...@gmail.com wrote:

Hello, My web server and the ossec server are on 2 different machines. When trying to set up the ossec web interface on my web server by running ./setup.sh, it asked me for the 'OSSEC install directory path'. As the ossec install is not local to the machine, how do I tell it to look on the remote server?

The wui requires access to the ossec installation.

Thank you, Fred
[ossec-list] [Ossec wui] - Search fail : Warning : failed to open stream
Hi guys, I have a problem with Ossec wui: the search engine isn't working (as you can see in the attached file OSSEC Web Interface.png). I followed step 6 at http://www.ossec.net/wiki/index.php/OSSECWUI:Install (as you can see in the attached file screenshot tmp permission.png) but it's still not working. Don't know what I missed, everything else is working fine. The only solution I found was step 6 on the above link. Anyone has a solution? Thx! Seb.
[ossec-list] OSSEC WUI global search not working
Gives me a Forbidden error: You don't have permission to access /main/ on this server. Nothing shows up in the Apache error or access logs. The search button next to the Main button seems to be working fine. The PayPal Donate button does not work either. Anyone know why? Thanks, Jin
[ossec-list] OSSEC WUI global search not working
Search slot on the upper right corner not working. Forbidden, You don't have permission to access /main/ on this server. The search button on the menu seems to be working fine. The PayPal Donate button does not work either. Anyone know why? Thanks, Jin
Re: [ossec-list] OSSEC WUI global search not working
On Tue, Jun 25, 2013 at 8:02 PM, jinguo@gmail.com wrote:

Search slot on the upper right corner not working. Forbidden, You don't have permission to access /main/ on this server. The search button on the menu seems to be working fine. The PayPal Donate button does not work either. Anyone know why? Thanks, Jin

Try the 0.8 version. The 0.3 version is known to be broken.
Re: [ossec-list] OSSEC WUI global search not working
Could you elaborate on the bugs in 0.3? I am currently running 0.3 but 0.8 was in Alpha last I checked so I was wary of installing it.

On Wednesday, June 26, 2013 9:04:51 AM UTC-4, dan (ddpbsd) wrote:

On Tue, Jun 25, 2013 at 8:02 PM, jingu...@gmail.com wrote:

Search slot on the upper right corner not working. Forbidden, You don't have permission to access /main/ on this server. The search button on the menu seems to be working fine. The PayPal Donate button does not work either. Anyone know why? Thanks, Jin

Try the 0.8 version. The 0.3 version is known to be broken.
Re: [ossec-list] OSSEC WUI global search not working
On Wed, Jun 26, 2013 at 10:42 AM, David Blanton blanton.davi...@gmail.com wrote:

Could you elaborate on the bugs in 0.3? I am currently running 0.3 but 0.8 was in Alpha last I checked so I was wary of installing it.

The main one I can think of is the src ip not being parsed correctly. Look through the archives for more information. I don't use the wui.

On Wednesday, June 26, 2013 9:04:51 AM UTC-4, dan (ddpbsd) wrote:

On Tue, Jun 25, 2013 at 8:02 PM, jingu...@gmail.com wrote:

Search slot on the upper right corner not working. Forbidden, You don't have permission to access /main/ on this server. The search button on the menu seems to be working fine. The PayPal Donate button does not work either. Anyone know why? Thanks, Jin

Try the 0.8 version. The 0.3 version is known to be broken.
Re: [ossec-list] Ossec Wui 0.3 unable to access ossec directory
On Mon, May 27, 2013 at 12:16 PM, md...@strongsecurity.com.br wrote:

Hi, I extracted the ossec-wui-0.3 directory into /var/www. I created a user admin and everything was ok, but when I access localhost/ossec-wui.0.3/index.php, every page I open shows me the message "Ossec Wui 0.3 unable to access ossec directory". What did I do wrong? I have an agent for testing on Windows. My Debian is installed on a virtual machine on the same machine. Screenshot attached.

Are you sure the user your webserver is running as was properly added to the ossec group? Did you restart the webserver after making this change?
[ossec-list] OSSEC WUI 0.8 do not allow access via href link
Hi, All, I have recently installed OSSEC 2.7 and OSSEC WUI 0.8 alpha-0. Everything works fine, except one interesting restriction for OSSEC WUI. It seems I can only access OSSEC 2.7 via typing its address in the browser address bar, like: http://server name/ossec. If I use a simple navigation page with code:

<a href="server name/ossec" target="_blank" name="OSSEC View" title="OSSEC WUI">OSSEC WUI</a>

the main page of OSSEC WUI falls into a loading loop and never shows up. It seems to me it is some kind of OSSEC WUI protection method to stop access to the tool using an external link. Is anyone aware of this? How can I get rid of this restriction? Thanks!
Re: [ossec-list] OSSEC-WUI SrcIP parsing question
Thanks for doing this guys. It was in need of some attention.

Michael D. Wood
www.itsecuritypros.org

On Feb 6, 2013, at 7:04 PM, Jb Cheng jjoob...@gmail.com wrote:

Thanks to Ryan Schulze's contribution, also Darius Jahandarie, ddpbsd, and Vic Hargrave. I started integrating several WUI patches into a BitBucket repository: https://bitbucket.org/jbcheng/ossec-wui/.
(1) Updated logo, remove paypal button, wider display format, easier to read events output.
(2) Updated broken rule ID link, fixed Src IP: error, and added User: if available.
(3) Fixed integrity check file regexes to allow period in agent names, and 'any' for IP address.
(4) Fixed fseek() error.
It is still a work in progress. You are welcome to download the TIP from BitBucket and try it.

On Saturday, February 2, 2013 3:01:00 PM UTC-8, Ryan Schulze wrote:

Hi Vilius, If you are using the OSSEC Web UI 0.3 download from ossec.net you may want to have a look at some of the patches here on the list, e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html. The log format changed with version OSSEC 2.6 and broke some of the functionality of the Web UI. I don't use it any more, so I can't say if the changes still work with 2.7, but as long as the log formatting is the same, it should.

On 2/2/2013 1:23 PM, Vilius Benetis wrote:

Hey, I try to understand where exactly ossec-wui is parsing srcip, as I often have bad parsing, for example:

2013 Feb 02 10:48:42 Rule Id: 2901 level: 3 Location: ubuntu->/var/log/dpkg.log Src IP: 02 10:48:41 install libapr1 none 1.4.6-1 New dpkg (Debian Package) requested to install.
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

2013 Feb 02 10:48:32 Rule Id: 5501 level: 3 Location: ubuntu->/var/log/auth.log Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000) Login session opened.
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3

this comes from the local agent, but equally strange results sometimes come from remotes as well. I believe that sometimes the IP address cannot be extracted, but then most probably this field should be empty, right? My programming/debugging skills are very rusty, but if it is not too tricky, I could try to adjust the regexp not to produce such results, which mess up statistics and filtering.

-- /Vilius
[ossec-list] OSSEC-WUI SrcIP parsing question
Hey, I try to understand where exactly ossec-wui is parsing srcip, as I often have bad parsing, for example:

2013 Feb 02 10:48:42 Rule Id: 2901 (http://www.ossec.net/wiki/index.php/Rule:2901) level: 3 Location: ubuntu->/var/log/dpkg.log Src IP: 02 10:48:41 install libapr1 none 1.4.6-1 New dpkg (Debian Package) requested to install.
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

2013 Feb 02 10:48:32 Rule Id: 5501 (http://www.ossec.net/wiki/index.php/Rule:5501) level: 3 Location: ubuntu->/var/log/auth.log Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000) Login session opened.
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3

this comes from the local agent, but equally strange results sometimes come from remotes as well. I believe that sometimes the IP address cannot be extracted, but then most probably this field should be empty, right? My programming/debugging skills are very rusty, but if it is not too tricky, I could try to adjust the regexp not to produce such results, which mess up statistics and filtering.

-- /Vilius
Re: [ossec-list] OSSEC-WUI SrcIP parsing question
Hi Vilius, If you are using the OSSEC Web UI 0.3 download from ossec.net you may want to have a look at some of the patches here on the list, e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html. The log format changed with version OSSEC 2.6 and broke some of the functionality of the Web UI. I don't use it any more, so I can't say if the changes still work with 2.7, but as long as the log formatting is the same, it should.

On 2/2/2013 1:23 PM, Vilius Benetis wrote:

Hey, I try to understand where exactly ossec-wui is parsing srcip, as I often have bad parsing, for example:

2013 Feb 02 10:48:42 Rule Id: 2901 (http://www.ossec.net/wiki/index.php/Rule:2901) level: 3 Location: ubuntu->/var/log/dpkg.log Src IP: 02 10:48:41 install libapr1 none 1.4.6-1 New dpkg (Debian Package) requested to install.
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

2013 Feb 02 10:48:32 Rule Id: 5501 (http://www.ossec.net/wiki/index.php/Rule:5501) level: 3 Location: ubuntu->/var/log/auth.log Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000) Login session opened.
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3

this comes from the local agent, but equally strange results sometimes come from remotes as well. I believe that sometimes the IP address cannot be extracted, but then most probably this field should be empty, right? My programming/debugging skills are very rusty, but if it is not too tricky, I could try to adjust the regexp not to produce such results, which mess up statistics and filtering.

-- /Vilius
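The garbage "Src IP:" values Vilius shows above, and the 3339-hit SrcIP search in the "search broken?" thread earlier on this page, both come down to how the alert record is parsed. The following Python is an added example, not ossec-wui code: it reads records in the OSSEC 2.x alerts.log layout (the blank-line separated blocks quoted above), treats "Src IP:" and "User:" as fields only when they sit on their own line directly after the "Rule:" line, and accepts the IP only when it parses as a real address; everything else stays part of the raw event. The three sample records are constructed for this example (the sshd and "app" events are invented), and the search helper matches on the parsed field alone, so an attacker-controlled log line that merely contains the text "Src IP:" cannot pollute the statistics or the filter.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input (not from any real host). Three records in the
# OSSEC 2.x alerts.log layout: a dpkg alert with no "Src IP:" header line,
# an sshd alert with one, and an alert whose raw log merely mentions "Src IP:".
SAMPLE_ALERTS = """\
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libapr1 <none> 1.4.6-1

** Alert 1359830940.4000: mail  - syslog,sshd,authentication_failed,
2013 Feb 02 10:49:00 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb  2 10:49:00 ubuntu sshd[2112]: Failed password for root from 192.0.2.10 port 40022 ssh2

** Alert 1359830950.4100: - syslog,
2013 Feb 02 10:49:10 ubuntu->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb  2 10:49:10 ubuntu app[77]: request failed, Src IP: 203.0.113.9 was rejected
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?P<flags>.*?)- (?P<groups>.*)$")
WHERE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>\S.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str
    location: str
    rule: int
    level: int
    description: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def _as_ip(text: str) -> Optional[str]:
    """Canonical address if text is a valid IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def parse_alert(block: str) -> Alert:
    lines = block.strip("\n").split("\n")
    head, where, rule = (HEADER_RE.match(lines[0]), WHERE_RE.match(lines[1]),
                         RULE_RE.match(lines[2]))
    if not (head and where and rule):
        raise ValueError("not an OSSEC alert record: " + lines[0])
    alert = Alert(alert_id=head["id"],
                  groups=[g for g in head["groups"].split(",") if g],
                  timestamp=where["ts"], location=where["location"],
                  rule=int(rule["rule"]), level=int(rule["level"]),
                  description=rule["desc"])
    i = 3
    # Decoder fields are honoured only directly after the Rule line, and
    # "Src IP:" only with a syntactically valid address. The first line that
    # is neither starts the raw event, which is never scanned for fields.
    while i < len(lines):
        if lines[i].startswith("Src IP: ") and alert.src_ip is None:
            ip = _as_ip(lines[i][len("Src IP: "):])
            if ip is None:
                break
            alert.src_ip = ip
        elif lines[i].startswith("User: ") and alert.user is None:
            alert.user = lines[i][len("User: "):].strip()
        else:
            break
        i += 1
    alert.log = lines[i:]
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Split an alerts.log dump into blank-line separated records and parse each."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def alerts_from_ip(alerts: List[Alert], ip: str) -> List[Alert]:
    """Search by source IP using the parsed field only, never the raw log text."""
    wanted = _as_ip(ip)
    return [a for a in alerts if wanted is not None and a.src_ip == wanted]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a.alert_id, a.rule, a.level, a.location, "src_ip=%s" % a.src_ip)
    print(len(alerts_from_ip(parsed, "192.0.2.10")), "alert(s) from 192.0.2.10")
```

One limit the flat format imposes: if a decoder extracted no source address and the raw event's first line itself begins with "Src IP: " followed by a valid address, no parser can tell the two apart, so treat the field as an indexing hint rather than as evidence about the event.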
[ossec-list] Ossec WUI PHP error
I have just started getting this error on my OSSEC server which is running the OSSEC WUI 0.3:

[Wed Jan 30 10:27:15 2013] [error] [client ipaddress] PHP Warning: fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Value too large for defined data type in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 814

I do believe it is because the alerts.log file is too large (system is 32 bit and file is over 2GB). Short of recompiling or using a 64 bit system, is there a way I can cut the log size down/restart with a clean file or something along those lines?

Respectfully,
Robert Rhoads
Network Systems Engineer
rhoa...@ci.danville.va.us
(434)-773-8223 opt 3
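"Value too large for defined data type" is EOVERFLOW: a 32-bit PHP build without large-file support cannot open a file whose size no longer fits a signed 32-bit off_t (2 GiB minus one byte). The practical answer to the question above is to archive the live file rather than shrink it in place. The Python below is an added example, not part of OSSEC or the WUI: it checks a file against that limit and moves it aside with a timestamp and gzips it. Stop OSSEC first (/var/ossec/bin/ossec-control stop) so the analysis daemon reopens a fresh alerts.log on restart; the demo function exercises both steps on a throwaway file with a deliberately tiny limit.

```python
import gzip
import os
import shutil
import tempfile
import time
from typing import Dict, Optional

# Largest size a signed 32-bit off_t can express; past this, fopen() on a
# 32-bit build without large-file support fails with EOVERFLOW.
OFF_T_32_MAX = 2**31 - 1


def exceeds_32bit_limit(path: str, limit: int = OFF_T_32_MAX) -> bool:
    """True when `path` is larger than a 32-bit off_t (or than `limit`) allows."""
    return os.stat(path).st_size > limit


def archive_log(path: str, stamp: Optional[str] = None) -> str:
    """Rename the live log aside and gzip it; returns the archive file name.

    Rename rather than truncate so nothing is lost. The writer (ossec-analysisd)
    must be stopped first so that it creates a fresh file on restart."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archived = f"{path}.{stamp}"
    os.rename(path, archived)
    with open(archived, "rb") as src, gzip.open(archived + ".gz", "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(archived)
    return archived + ".gz"


def demo(limit: int = 64) -> Dict[str, object]:
    """Run both steps on a constructed alerts.log in a temporary directory."""
    d = tempfile.mkdtemp()
    try:
        live = os.path.join(d, "alerts.log")
        with open(live, "w") as fh:
            # Four constructed header lines, 164 bytes, which is over the demo limit.
            fh.write("** Alert 1359830922.3553: - syslog,dpkg,\n" * 4)
        too_big = exceeds_32bit_limit(live, limit)
        archive = archive_log(live, stamp="demo")
        with gzip.open(archive, "rt") as fh:
            restored = fh.read()
        return {"too_big": too_big,
                "live_gone": not os.path.exists(live),
                "archive": os.path.basename(archive),
                "lines": restored.count("\n")}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
    live_log = "/var/ossec/logs/alerts/alerts.log"  # assumed default install path
    if os.path.exists(live_log) and exceeds_32bit_limit(live_log):
        print(f"{live_log} exceeds the 32-bit limit; stop OSSEC, then archive_log() it")
```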
Re: [ossec-list] OSSEC WUI
Check the file permissions, and also your apache error.log

On Fri, May 4, 2012 at 2:50 AM, Solayris solay...@gmail.com wrote:

Hello, I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location. When I try to access index.php from a web browser the 403 Forbidden error comes up: You don't have permission to access /index.php on this server. Is there more information on this WUI available other than the README file? Thank you, Solayris

-- MVH/With regards Frank -- Name: Frank Stefan Sundberg Solli E-mail: frankste...@gmail.com Web: http://0x41.me GPG: 684119F4
Re: [ossec-list] OSSEC WUI
I believe the assumption is that the user who wants the ossec-wui will be able to set file permissions correctly and read their web server error log. What did you see when you looked at the server error log? What permissions did you set on that directory and the files therein?

On 3 May 2012, at 19:50, Solayris wrote:

Hello, I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location. When I try to access index.php from a web browser the 403 Forbidden error comes up: You don't have permission to access /index.php on this server. Is there more information on this WUI available other than the README file? Thank you, Solayris
Re: [ossec-list] OSSEC WUI
Sounds like a permissions issue. chown the directory for your webserver user. Not sure what it is on CentOS - apache or www-data

On May 3, 2012 10:49 PM, Solayris solay...@gmail.com wrote:

Hello, I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location. When I try to access index.php from a web browser the 403 Forbidden error comes up: You don't have permission to access /index.php on this server. Is there more information on this WUI available other than the README file? Thank you, Solayris
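The 403 on index.php in this thread, the "unable to access ossec directory" message in the 0.3 thread, and the fopen(./tmp/output-tmp...) warnings in the "search broken?" and "Search fail" threads above are all the same class of problem: the web server's uid cannot read the WUI tree, cannot traverse /var/ossec because it is not in the ossec group, or has no writable tmp directory under the WUI. The Python below is an added example, not part of ossec-wui, that evaluates those conditions from the POSIX mode bits for a given web server user, so the answer comes out as a list of concrete findings instead of a bare EACCES. The paths /var/www/html/ossec-wui and /var/ossec and the user name apache are assumptions for the default CentOS layout discussed on this list; the demo function runs the same checks on a throwaway directory so it works without root.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile
from typing import Dict, List, Sequence, Tuple


def check_path_access(path: str, uid: int, gids: Sequence[int],
                      want_write: bool = False) -> List[str]:
    """Explain, from mode bits alone, why `uid` (member of `gids`) cannot use
    `path`; an empty list means access looks fine. ACLs and SELinux labels are
    not consulted: a clean result here plus a persisting EACCES points at those."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if uid == 0:
        return []  # root bypasses mode bits
    mode = st.st_mode
    if st.st_uid == uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    problems = []
    who = f"uid {uid} (owner {st.st_uid}:{st.st_gid}, mode {oct(stat.S_IMODE(mode))})"
    if not mode & r:
        problems.append(f"{path}: not readable by {who}")
    if stat.S_ISDIR(mode) and not mode & x:
        problems.append(f"{path}: directory not searchable by {who}")
    if want_write and not mode & w:
        problems.append(f"{path}: not writable by {who}")
    return problems


def web_user_ids(username: str) -> Tuple[int, List[int]]:
    """uid plus primary and supplementary gids of the web server account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, sorted(gids)


def check_wui(wui_dir: str, ossec_dir: str, web_user: str = "apache") -> List[str]:
    """The checks behind the recurring WUI failures: 403 on index.php, 'unable
    to access ossec directory', and fopen(./tmp/...) warnings."""
    uid, gids = web_user_ids(web_user)
    problems = check_path_access(wui_dir, uid, gids)
    problems += check_path_access(os.path.join(wui_dir, "index.php"), uid, gids)
    problems += check_path_access(os.path.join(wui_dir, "tmp"), uid, gids, want_write=True)
    for sub in ("", "logs", "logs/alerts", "logs/alerts/alerts.log"):
        problems += check_path_access(os.path.join(ossec_dir, sub), uid, gids)
    try:
        if uid != 0 and grp.getgrnam("ossec").gr_gid not in gids:
            problems.append(f"{web_user} is not in the ossec group "
                            "(add it and restart the web server)")
    except KeyError:
        problems.append("no 'ossec' group on this host")
    return problems


def demo_on_tempdir() -> Dict[str, bool]:
    """Self-contained run on a throwaway 0750 directory; no root needed."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o750)
        st = os.stat(d)
        stranger = st.st_uid + 1  # a uid that is neither the owner nor root
        return {
            "owner_can_write": check_path_access(d, st.st_uid, [], want_write=True) == [],
            "stranger_blocked": check_path_access(d, stranger, []) != [],
            "group_can_read": check_path_access(d, stranger, [st.st_gid]) == [],
            "group_cannot_write": check_path_access(d, stranger, [st.st_gid], want_write=True) != [],
            "missing_reported": check_path_access(os.path.join(d, "tmp"), st.st_uid, []) != [],
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo_on_tempdir())
    try:
        for line in check_wui("/var/www/html/ossec-wui", "/var/ossec", "apache") or ["no problems found"]:
            print(line)
    except KeyError as exc:
        print("user lookup failed:", exc)
```

The mode 770 on /var/ossec/tmp with group apache that theresa reports is exactly what "group_can_read" and "group_cannot_write" distinguish: the WUI's own ./tmp under the document root is the one that has to be writable, and a directory that does not exist at all is reported before any bit is inspected.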
Re: [ossec-list] ossec-wui BUG
On Tue, Oct 25, 2011 at 11:42 AM, James M Pulver jmp...@cornell.edu wrote: The big issue I’ve had is that if I use the built in syslog generation, all the events appear to come from the OSSEC server. So if it can fake the “location” to be where it actually comes from, then I could indeed use any syslog frontend. I believe you can do this with rsyslog and syslog-ng.
Re: [ossec-list] ossec-wui BUG
On Tue, Oct 25, 2011 at 2:42 PM, James M Pulver jmp...@cornell.edu wrote: The big issue I’ve had is that if I use the built in syslog generation, all the events appear to come from the OSSEC server. So if it can fake the “location” to be where it actually comes from, then I could indeed use any syslog frontend. I didn't fix this issue in my logstash installation, but I got around it with some creative tagging. Kind of a brute force method. -- James Pulver Information Technology Area Supervisor LEPP Computer Group Cornell University From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of ash kumar Sent: Tuesday, October 25, 2011 2:39 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] ossec-wui BUG I think this is the most practical course of action. Generalizing to syslog formats will ensure that the archive logs can be added to any management system rather than painfully slapping something together. I have wasted far too much time getting logstash to behave.
Re: [ossec-list] ossec-wui BUG
I think this is the most practical course of action. Generalizing to syslog formats will ensure that the archive logs can be added to any management system rather than painfully slapping something together. I have wasted far too much time getting logstash to behave.
RE: [ossec-list] ossec-wui BUG
The big issue I’ve had is that if I use the built in syslog generation, all the events appear to come from the OSSEC server. So if it can fake the “location” to be where it actually comes from, then I could indeed use any syslog frontend. -- James Pulver Information Technology Area Supervisor LEPP Computer Group Cornell University From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of ash kumar Sent: Tuesday, October 25, 2011 2:39 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] ossec-wui BUG I think this is the most practical course of action. Generalizing to syslog formats will ensure that the archive logs can be added to any management system rather than painfully slapping something together. I have wasted far too much time getting logstash to behave.
Re: [ossec-list] ossec-wui BUG
On Thu, Oct 20, 2011 at 11:06 AM, dan (ddp) ddp...@gmail.com wrote: What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the log viewing bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else? I send my logs to ArcSight via CEF or to Splunk, depending on the site. I don't need the WebUI to view alerts. I use the WebUI to get a fast view of what agents are RED (not checking in) and why. I love that functionality. I don't need another place to view OSSEC logs at work. However, I can imagine in a local instance of OSSEC (like a home firewall), a UI to view alerts would be nice to have, but again, there is always email and the alert volume *should* be low for a home firewall.
RE: [ossec-list] ossec-wui BUG
Well, implementing OSSEC is a big enough task IMO as a project - at least for me. Like I said, I tried to use Logstash + elastic search, it crashed in the simple version, so would have required more work. I'm not wedded to the WUI exactly, but OSSEC doesn't use a standard log format. I'm going to look into whether it makes sense for us to patch the WUI for 2.6 or to put effort into a project to implement another log viewer / front end. But if it's going to require another server it's probably a no go for me right now (budget issues etc).

If the OSSEC community want to suggest a plug and play replacement for the WUI I'm ALL ears. But everything seems to require not just one, but a set of interlocking components, some new parsing language or scripting to massage the OSSEC log format, and potentially duplicate storage of the log information, in OSSEC and in the log viewer. If I had some direction as to what OSS tool I should use to read the collected OSSEC logs, I'm really interested, especially if there's a howto so it's not another research project.

Thanks,
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 3:34 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

On Thu, Oct 20, 2011 at 3:19 PM, Culver, Michael mrcul...@aug.edu wrote:

What about the output to database option? I haven't seen the db format or data, but it seems like it might be easy to write a simple web app to search the log data. -Mike

Are you volunteering? Again, why reinvent the wheel? Especially for Yet Another One-Shot WebApp? There are plenty of free (and non-free) log viewers that work very well. After seeing all of the work that's gone into them, I don't think I'd ever want to start trying to re-do that.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 3:12 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver jmp...@cornell.edu wrote:

Well the only product I've gotten that's useful for searching the logs is the WUI - at least the only one that works for me. And it meets all my needs.

If it needs to be updated to work with the 2.6 line of OSSEC, is it really meeting all of your needs?

Maybe if there's a simple HOWTO to use something else that can run on the same system and doesn't require doubly storing all the logs and doesn't take GB and GB more RAM, I'd use it, but nothing meets those requirements whereas the WUI does. It searches the existing OSSEC logfiles and compressed files. So no extra disk space. It doesn't require 32GB+ RAM *just for the search* like the others I've looked into seem to (elastic search, greylog2)...

I have something planned for the 3rd annual Week of OSSEC, but I can't guarantee ram usage. RAM is cheap, buy in bulk.

So I think it's great, as long as it parses the logs correctly.

We welcome patches. :)

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 2:07 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the log viewing bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else?

On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver jmp...@cornell.edu wrote:

Replying somewhat belatedly, I also would like to see the WUI updated to work with the 2.6 line of OSSEC. I'm not a programmer really though so I don't know that I would be able to do much... But there is interest I think.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Scott VR
Sent: Wednesday, September 14, 2011 10:29 AM
To: ossec-list@googlegroups.com
Cc: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

Speaking for myself, it was not immediately obvious that the wui was a dead project, though it is quickly obvious that it doesn't work as expected. Does the wui just need some development effort or is it in need of full-fledged adoption by someone to act as project manager? Is there a project page describing its abandoned state that people are overlooking? I've got some skill and cycles I'd put towards fixing the wui, but such effort should probably
Re: [ossec-list] ossec-wui BUG
I'll have 1.5 things related to OSSEC log viewing coming out next week. I'm not trying to discourage anyone from working on the WUI, just offering a different opinion on it. I think it's a waste of time and resources. If you don't, you're more than welcome to work on it. If you can't code, find someone who can. Saying that other people devote time to it is silly.

On Fri, Oct 21, 2011 at 8:51 AM, James M Pulver jmp...@cornell.edu wrote:
> Well, implementing OSSEC is a big enough task IMO as a project - at least for me. Like I said, I tried to use Logstash + elastic search; it crashed in the simple version, so would have required more work. I'm not wedded to the WUI exactly, but OSSEC doesn't use a standard log format. I'm going to look into whether it makes sense for us to patch the WUI for 2.6 or to put effort into a project to implement another log viewer / front end. But if it's going to require another server it's probably a no go for me right now (budget issues etc).
>
> If the OSSEC community wants to suggest a plug and play replacement for the WUI I'm ALL ears. But everything seems to require not just one, but a set of interlocking components, some new parsing language or scripting to massage the OSSEC log format, and potentially duplicate storage of the log information, in OSSEC and in the log viewer. If I had some direction as to what OSS tool I should use to read the collected OSSEC logs, I'm really interested, especially if there's a howto so it's not another research project.
>
> Thanks,
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
RE: [ossec-list] ossec-wui BUG
I'm saying I'm going to be devoting some time to it.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Friday, October 21, 2011 9:19 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

I'll have 1.5 things related to OSSEC log viewing coming out next week. I'm not trying to discourage anyone from working on the WUI, just offering a different opinion on it. I think it's a waste of time and resources. If you don't, you're more than welcome to work on it. If you can't code, find someone who can. Saying that other people devote time to it is silly.
RE: [ossec-list] ossec-wui BUG
Speaking as a WUI user I say Thanks!

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of James M Pulver
Sent: Friday, October 21, 2011 9:51 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] ossec-wui BUG

I'm saying I'm going to be devoting some time to it.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
RE: [ossec-list] ossec-wui BUG
Replying somewhat belatedly, I also would like to see the WUI updated to work with the 2.6 line of OSSEC. I'm not a programmer really though so I don't know that I would be able to do much... But there is interest I think.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Scott VR
Sent: Wednesday, September 14, 2011 10:29 AM
To: ossec-list@googlegroups.com
Cc: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

Speaking for myself, it was not immediately obvious that the wui was a dead project, though it is quickly obvious that it doesn't work as expected. Does the wui just need some development effort or is it in need of full-fledged adoption by someone to act as project manager? Is there a project page describing its abandoned state that people are overlooking? I've got some skill and cycles I'd put towards fixing the wui, but such effort should probably be managed to avoid needless duplication of effort, etc.

--ScottVR

On Sep 14, 2011, at 9:06 AM, dan (ddp) ddp...@gmail.com wrote:
> Out of curiosity, why did you revert to an ancient version of OSSEC instead of fixing or replacing WUI (which has been a dead project for years)?
>
> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley mike.a.dis...@tpsgc-pwgsc.gc.ca wrote:
>> I had the same issue when I upgraded to ver 2.6. I rolled back to 2.3 and the problem went away.
>>
>> -----Original Message-----
>> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Alexander Rikmanis
>> Sent: Tuesday, September 13, 2011 8:28 PM
>> To: ossec-list
>> Subject: [ossec-list] ossec-wui BUG
>>
>> Log files are parsed incorrectly. Here is the raw log file from ossec and what wui shows to me:
>>
>> -- WUI:
>> 2011 Sep 14 10:10:13
>> Rule Id: 5501 level: 3
>> Location: (manager) aa.bb.cc.dd-/var/log/secure
>> Src IP: 8:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>> Login session opened.
>> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
>> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd-/var/log/secure
>> Rule: 5501 (level 3) - 'Login session opened.'
>> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)
>>
>> - Raw log:
>> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
>> 2011 Sep 14 10:10:13 (manager) 67.225.152.209-/var/log/secure
>> Rule: 5501 (level 3) - 'Login session opened.'
>> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>>
>> ^ Look at Src IP field - there is a date there. And the first symbol is gone.
>>
>> Here is the screenshot: http://i52.tinypic.com/n1xn9i.png
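As an added example (not the WUI's code, and not posted by anyone in this thread), a small Python parser for the alerts.log layout shown in the bug report, drawing the field boundaries the WUI got wrong: Src IP is taken only from an explicit "Src IP:" line, and the raw log line is kept whole, first character included. It assumes OSSEC's "->" separator in the location and rule lines (the quoted copy above shows it as "-"); the sample input is constructed from the two alerts in the report plus a made-up failed-login alert that carries Src IP and User lines.

```python
"""Parser for OSSEC's alerts.log format (added example, not ossec-wui code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Alert header: "** Alert <epoch>.<seq>: [mail ]- group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (mail )?- (.*)$")
# Second line: "<YYYY Mon DD HH:MM:SS> [(agent) ip]<host>-><log location>"
# Assumption: OSSEC writes the separator as "->"; the quoted report shows "-".
WHERE_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (.+?)->(.+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_IP_RE = re.compile(r"^Src IP: (\S+)$")
USER_RE = re.compile(r"^User: (\S+)$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None   # only set when OSSEC emitted a "Src IP:" line
    user: Optional[str] = None
    raw_logs: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text (alerts separated by blank lines) into Alert records."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4 or not lines[0].startswith("** Alert"):
            continue  # not an alert block: skip it rather than guess at fields
        h = HEADER_RE.match(lines[0])
        w = WHERE_RE.match(lines[1])
        r = RULE_RE.match(lines[2])
        if not (h and w and r):
            continue  # malformed header: skip rather than misfile its text
        alert = Alert(
            alert_id=f"{h.group(1)}.{h.group(2)}",
            groups=[g for g in h.group(4).split(",") if g],
            timestamp=w.group(1),
            location=f"{w.group(2)}->{w.group(3)}",
            rule_id=int(r.group(1)),
            level=int(r.group(2)),
            description=r.group(3),
        )
        # Optional extracted-field lines precede the raw log; once the first
        # raw log line is seen, everything else is raw log and kept verbatim.
        for line in lines[3:]:
            m = SRC_IP_RE.match(line)
            if m and not alert.raw_logs and alert.src_ip is None:
                alert.src_ip = m.group(1)
                continue
            m = USER_RE.match(line)
            if m and not alert.raw_logs and alert.user is None:
                alert.user = m.group(1)
                continue
            alert.raw_logs.append(line)
        alerts.append(alert)
    return alerts


# Constructed sample in alerts.log layout: the first two alerts follow the
# report above with the "->" arrows restored; the third is made up to show
# the "Src IP:" / "User:" lines (192.0.2.10 is a documentation address).
SAMPLE = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951847.1022810: - pam,syslog,authentication_success,
2011 Sep 14 10:10:47 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)

** Alert 1315951900.1023000: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) 67.225.152.209->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: sw
Sep 13 18:11:41 takapu sshd[10401]: Failed password for sw from 192.0.2.10 port 40022 ssh2
"""


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        # Render the fields the WUI shows; Src IP stays blank when OSSEC
        # extracted none instead of being filled from the raw log line.
        print(f"{a.timestamp}  rule {a.rule_id} level {a.level}  "
              f"loc={a.location}  src_ip={a.src_ip or ''}  {a.description}")
        for raw in a.raw_logs:
            print("   ", raw)
```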
Re: [ossec-list] ossec-wui BUG
What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the log viewing bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else?

On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver jmp...@cornell.edu wrote:
> Replying somewhat belatedly, I also would like to see the WUI updated to work with the 2.6 line of OSSEC. I'm not a programmer really though so I don't know that I would be able to do much... But there is interest I think.
>
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
Re: [ossec-list] ossec-wui BUG
I agree. Maybe something simple to list the status of the agents, the current syscheck/rootcheck information and a few more things that are OSSEC-specific.

thanks,

On Thu, Oct 20, 2011 at 3:06 PM, dan (ddp) ddp...@gmail.com wrote:
> What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the log viewing bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else?
RE: [ossec-list] ossec-wui BUG
Well the only product I've gotten that's useful for searching the logs is the WUI - at least the only one that works for me. And it meets all my needs. Maybe if there's a simple HOWTO to use something else that can run on the same system and doesn't require doubly storing all the logs and doesn't take GB and GB more RAM, I'd use it, but nothing meets those requirements whereas the WUI does. It searches the existing OSSEC logfiles and compressed files. So not extra disk space. It doesn't require 32GB + RAM *just for the search* like the others I've looked into seem to (elastic search, greylog2)... So I think it's great, as long as it parses the logs correctly.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 2:07 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the log viewing bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else?
Re: [ossec-list] ossec-wui BUG
On Thu, 20 Oct 2011 15:44:01 -0300, Daniel Cid wrote:
> I agree. Maybe something simple to list the status of the agents, the current syscheck/rootcheck information and a few more things that are OSSEC-specific.

If the raw ossec logs (in archives.log file) were made to be syslog-compliant, or if the raw logs could be an output option of ossec-csyslogd (instead of only alerts), that would open a lot of options. Then one could easily use ossec to send all events to one of many good syslog GUIs or SIEMs and be able to use OSSEC for transport of raw logs and analysis.

--
Michael Starks
Immutable Security
http://www.immutablesecurity.com
Re: [ossec-list] ossec-wui BUG
On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver jmp...@cornell.edu wrote:
> Well the only product I've gotten that's useful for searching the logs is the WUI - at least the only one that works for me. And it meets all my needs.

If it needs to be updated to work with the 2.6 line of OSSEC, is it really meeting all of your needs?

> Maybe if there's a simple HOWTO to use something else that can run on the same system and doesn't require doubly storing all the logs and doesn't take GB and GB more RAM, I'd use it, but nothing meets those requirements whereas the WUI does. It searches the existing OSSEC logfiles and compressed files. So not extra disk space. It doesn't require 32GB + RAM *just for the search* like the others I've looked into seem to (elastic search, greylog2)...

I have something planned for the 3rd annual Week of OSSEC, but I can't guarantee ram usage. RAM is cheap, buy in bulk.

> So I think it's great, as long as it parses the logs correctly.

We welcome patches. :)
RE: [ossec-list] ossec-wui BUG
What about the output to database option? I haven't seen the db format or data, but it seems like it might be easy to write a simple web app to search the log data.

-Mike

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 3:12 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG
Re: [ossec-list] ossec-wui BUG
On Thu, Oct 20, 2011 at 3:19 PM, Culver, Michael mrcul...@aug.edu wrote:
> What about the output to database option? I haven't seen the db format or data, but it seems like it might be easy to write a simple web app to search the log data.
> -Mike

Are you volunteering?

Again, why reinvent the wheel? Especially for Yet Another One-Shot WebApp? There are plenty of free (and non-free) log viewers that work very well. After seeing all of the work that's gone into them, I don't think I'd ever want to start trying to re-do that.

> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 3:12 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] ossec-wui BUG
[ossec-list] ossec-wui
For those of you who want to use this, these are the changes I needed to make:

/srv/www/htdocs/ossec-wui/lib/os_lib_alerts.php line 842:

change:
    fseek($fp, $seek_place, SEEK_SET);
to:
    fseek($fp, $seek_place, SEEK_SET);

and make sure to set date.timezone to your time zone in /etc/php5/apache2/php.ini. My system is openSUSE.

Regards,
Dennis
--
Dennis Golden
Golden Consulting Services, Inc.
Re: [ossec-list] ossec-wui BUG
On Mon, Sep 19, 2011 at 8:23 AM, James M Pulver jmp...@cornell.edu wrote:
> I tried, and logstash web gui didn’t seem to work as well – i.e. it kept crashing with out of memory errors. Plus I think it had to make a second copy of all the logs. . . Maybe I’m confused though.

Maybe you need more memory?

> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of ash kumar
> Sent: Friday, September 16, 2011 4:23 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] ossec-wui BUG
>
> For what the WUI does, you can do that and then some with Logstash. Not really worth spending time on flogging the WUI in my humble opinion.
RE: [ossec-list] ossec-wui BUG
I tried, and logstash web gui didn’t seem to work as well – i.e. it kept crashing with out of memory errors. Plus I think it had to make a second copy of all the logs. . . Maybe I’m confused though.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of ash kumar
Sent: Friday, September 16, 2011 4:23 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-wui BUG

> For what the WUI does, you can do that and then some with Logstash. Not really worth spending time on flogging the WUI in my humble opinion.
Re: [ossec-list] ossec-wui BUG
For what the WUI does, you can do that and then some with Logstash. Not really worth spending time on flogging the WUI in my humble opinion.
RE: [ossec-list] ossec-wui BUG
I had the same issue when I upgraded to ver 2.6. I rolled back to 2.3 and the problem went away.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Alexander Rikmanis
Sent: Tuesday, September 13, 2011 8:28 PM
To: ossec-list
Subject: [ossec-list] ossec-wui BUG

> Log files are parsed incorrectly.
Re: [ossec-list] ossec-wui BUG
Speaking for myself, it was not immediately obvious that the wui was a dead project, though it is quickly obvious that it doesn't work as expected. Does the wui just need some development effort or is it in need of full-fledged adoption by someone to act as project manager? Is there a project page describing its abandoned state that people are overlooking? I've got some skill and cycles I'd put towards fixing the wui, but such effort should probably be managed to avoid needless duplication of effort, etc.

--ScottVR

On Sep 14, 2011, at 9:06 AM, dan (ddp) ddp...@gmail.com wrote:
> Out of curiosity, why did you revert to an ancient version of OSSEC instead of fixing or replacing WUI (which has been a dead project for years)?
>
> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley mike.a.dis...@tpsgc-pwgsc.gc.ca wrote:
>> I had the same issue when I upgraded to ver 2.6. I rolled back to 2.3 and the problem went away.
>>
>> -----Original Message-----
>> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Alexander Rikmanis
>> Sent: Tuesday, September 13, 2011 8:28 PM
>> To: ossec-list
>> Subject: [ossec-list] ossec-wui BUG
>>
>> Log files are parsed incorrectly.
Re: [ossec-list] ossec-wui BUG
There's nothing except a source tarball. No one owns it at the moment, because no one has cared enough. If anyone else is working on it, hopefully they'll step up and let the list know, but I'm not aware of anything.

On Wed, Sep 14, 2011 at 10:29 AM, Scott VR scot...@s0cialpath.net wrote:
> Speaking for myself, it was not immediately obvious that the wui was a dead project, though it is quickly obvious that it doesn't work as expected. Does the wui just need some development effort or is it in need of full-fledged adoption by someone to act as project manager? Is there a project page describing its abandoned state that people are overlooking? I've got some skill and cycles I'd put towards fixing the wui, but such effort should probably be managed to avoid needless duplication of effort, etc.
>
> --ScottVR
>
> On Sep 14, 2011, at 9:06 AM, dan (ddp) ddp...@gmail.com wrote:
>> Out of curiosity, why did you revert to an ancient version of OSSEC instead of fixing or replacing WUI (which has been a dead project for years)?
[ossec-list] ossec-wui BUG
Log files are parsed incorrectly. Here is the raw log file from ossec and what wui shows to me:

-- WUI:

2011 Sep 14 10:10:13
Rule Id: 5501 level: 3
Location: (manager) aa.bb.cc.dd-/var/log/secure
Src IP: 8:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
Login session opened.

** Alert 1315951847.1022810: - pam,syslog,authentication_success,
2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd-/var/log/secure
Rule: 5501 (level 3) - 'Login session opened.'
Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)

-- Raw log:

** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 67.225.152.209-/var/log/secure
Rule: 5501 (level 3) - 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

^ Look at Src IP field - there is a date there. And the first symbol is gone.

Here is the screenshot: http://i52.tinypic.com/n1xn9i.png
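The report above shows the classic failure of parsing an alert record by line position: the alert in question has no "Src IP:" line, so a raw syslog line ended up in the Src IP field and the record boundary slipped into the next alert. The following is an added example, not code from ossec-wui or OSSEC, of reading alerts.log records by labelled prefix, so that optional fields are only filled when their label is present and everything else stays in the raw log. The sample records are constructed in the alerts.log layout: the first mirrors the record in the report, the second (rule 5716, the "Src IP:" and "User:" lines, the address 203.0.113.7 and the user "bob") is invented to exercise the optional fields. The parser assumes the "->" separator of the real file between agent address and location and after the rule; the copies quoted on this list show only "-", which I take to be an artifact of how they were archived.

```python
# Added example: parse OSSEC alerts.log records by labelled prefix, not by line position.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the alerts.log layout. Record 1 follows the one in the bug
# report (no "Src IP:" line); record 2 is invented to show the optional fields.
SAMPLE = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951900.1023000: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) 67.225.152.209->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: bob
Sep 13 18:11:39 takapu sshd[10401]: Failed password for bob from 203.0.113.7 port 51234 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): - (?P<groups>.*)$")
# Agent form: "(name) ip->location"; server-local form: "hostname->location".
DATE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<ip>\S+?)|(?P<host>\S+?))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Optional labelled lines that may follow the rule line; matched on label only.
OPTIONAL_FIELDS = {"Src IP: ": "src_ip", "User: ": "user"}


@dataclass
class Alert:
    epoch: int
    seq: int
    groups: List[str]
    timestamp: str
    agent: Optional[str]
    agent_ip: Optional[str]
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    raw_log: List[str] = field(default_factory=list)


def parse_block(lines: List[str]) -> Alert:
    """Parse one alert record (the lines between two blank lines)."""
    if len(lines) < 3:
        raise ValueError(f"alert block too short: {lines!r}")
    h, d, r = HEADER_RE.match(lines[0]), DATE_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (h and d and r):
        raise ValueError(f"unrecognised alert block: {lines[:3]!r}")
    alert = Alert(
        epoch=int(h["epoch"]), seq=int(h["seq"]),
        groups=[g for g in h["groups"].split(",") if g],
        timestamp=d["ts"],
        agent=d["agent"] if d["agent"] is not None else d["host"],
        agent_ip=d["ip"],
        location=d["location"],
        rule_id=int(r["id"]), level=int(r["level"]), description=r["desc"],
    )
    # Consume optional lines only while one of the known labels is present. With no
    # "Src IP:" line the first raw log line stays in raw_log instead of becoming the IP.
    idx = 3
    while idx < len(lines):
        for label, attr in OPTIONAL_FIELDS.items():
            if lines[idx].startswith(label):
                setattr(alert, attr, lines[idx][len(label):].strip())
                break
        else:
            break
        idx += 1
    alert.raw_log = lines[idx:]
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text on blank lines and parse every record."""
    alerts: List[Alert] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if lines:
            alerts.append(parse_block(lines))
    return alerts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        print(f"{a.timestamp}  rule {a.rule_id} (level {a.level})  src_ip={a.src_ip or '-'}  "
              f"user={a.user or '-'}  raw={a.raw_log[0][:48]}")
```

Whatever a viewer is built on, the record boundary should be the blank line and every field should be identified by its label; a positional reader silently misfiles data the moment OSSEC omits an optional line, which is exactly the symptom in the screenshot.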
Re: [ossec-list] ossec-wui BUG
It's a known issue. I don't think anyone's fixed it yet. Well, no one's adopted the WUI and started putting any work into it. Good luck!

On Tue, Sep 13, 2011 at 8:27 PM, Alexander Rikmanis alexander.rikma...@smallworlds.com wrote:
> Log files are parsed incorrectly.
Re: [ossec-list] OSSEC-WUI Total not match alert +syscheck
I won't use WUI, so could you tell me on what .php file this total is? Then I can try to understand the code for you.

Jeremy started an hg repo for it, but I don't think anyone ever stepped up to try and fix it: https://bitbucket.org/jrossi/ossec-wui/overview

On Wed, Jun 8, 2011 at 11:41 AM, Oscar Martinez Pastor airis...@gmail.com wrote:
> Hi everybody,
>
> I've looked in the mailing list but didn't find something related. In the stats tab of WUI, there is a total on the top left and I would like to know the meaning. I have noticed that this number doesn't correspond to the addition of the number of alerts and the number of syschecks. Can somebody give me a clue? I will query my database with the mysql client to look for it in the meanwhile.
>
> I would like to contribute in the future to the development of the ossec wui, can somebody tell me about it?
>
> thanks,
> osscar.
[ossec-list] OSSEC-WUI Total not match alert +syscheck
Hi everybody,

I've looked in the mailing list but didn't find something related. In the stats tab of WUI, there is a total on the top left and I would like to know the meaning. I have noticed that this number doesn't correspond to the addition of the number of alerts and the number of syschecks. Can somebody give me a clue? I will query my database with the mysql client to look for it in the meanwhile.

I would like to contribute in the future to the development of the ossec wui, can somebody tell me about it?

thanks,
osscar.
[ossec-list] OSSEC WUI
New installation with latest versions of OSSEC and WUI on CentOS. Sorry for the basic question - Does the search on WUI require OSSEC to be compiled with database support? Thanks
Re: [ossec-list] OSSEC WUI
Nope. WUI does not utilize the database support.

On Mon, Feb 8, 2010 at 4:12 PM, Ron ronrolf...@gmail.com wrote:
> New installation with latest versions of OSSEC and WUI on CentOS. Sorry for the basic question - Does the search on WUI require OSSEC to be compiled with database support? Thanks
[ossec-list] ossec-wui nothing returned
I have installed ossec-1.8 and ossec-wui 0.3 on Red Hat Enterprise Linux 4 (with apache 2.0.52 and php 4.3.9). I also installed it following http://www.ossec.net/wiki/index.php/OSSECWUI:Install. But when I use ossec-wui to search information, the result is:

Total alerts found :1811
Output divided in 2 page
fist prev page 1(810 alerts) next last
Nothing returned or search expired

It cannot show the correct result. This problem has troubled me for a long time. Please help me!
[ossec-list] ossec-wui
Hi,

I am testing OSSEC and I wanna use the ossec-wui. I already installed the server and ossec-wui on server A and the agent on server B, but the web UI only shows the events of server A. I already extracted the key and imported it in the agent. Is there some config that I forgot?

Thank you
--
Rafael Brito Gomes
Projeto UFBA
LPIC-1
CPM Braxis
Tel : +55 71 3283 6102
http://www.cpmbraxis.com
[ossec-list] ossec-wui-0.3
Hello,

Disclaimer: I'm fairly new to both Linux and Ossec-HIDS.

My test environment includes a CentOS 5 server running Ossec-HIDS Server Manager 2.0 with WUI 0.3 and 1 Windows Vista client running Agent Manager for Windows 2.0.

Agent connects to server fine (verified in agent logs and I am receiving notifications via email), however the WUI reports no agent available on the main page. I've rebooted several times, followed the instructions here: http://www.ossec.net/wiki/index.php/OSSECWUI:Install, checked the status of the server using:

/var/ossec/bin/ossec-control status
(output...)
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

...and tried the recommendation here: http://www.ossec.net/dcid/?p=125. Nothing seems to solve the problem. I am officially stuck. Any suggestions?

Thanks,
Jeremiah
[ossec-list] OSSEC-WUI Problems
I'm getting the infamous message:

Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.

This is a clean install of Debian 5.0, nothing but the core system. I then installed Apache2, PHP5, GCC, make. Then OSSEC, then OSSEC-WUI... I followed this document http://www.ossec.net/wiki/index.php/OSSECWUI:Install

I have searched the mail archives... I have verified what I know to verify... :(

Thanks,
-Andy

CONFIDENTIALITY NOTICE: This correspondence, and all attachments transmitted with it, may contain legally privileged and confidential information intended solely for the use of the intended recipient. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying or other use of this communication is strictly prohibited. If you have received this message in error, please notify the sender immediately by telephone at 580.213.1730, or by electronic mail hd...@cnb-enid.com, and delete this message and all copies and backups thereof. Failure to comply with this confidentiality notice may result in criminal or civil penalties and/or prosecution.
[ossec-list] ossec-wui syscheck woes
Could use some help trying to figure out why I'm seeing:

No integrity checking information available. Nothing reported as changed.

I turned on show_errors in php.ini, and I'm getting:

Warning: arsort() expects parameter 1 to be array, null given in /export/home/webservd/htdocs/ossec-wui-0.3/lib/os_lib_syscheck.php on line 97
Warning: Invalid argument supplied for foreach() in /export/home/webservd/htdocs/ossec-wui-0.3/lib/os_lib_syscheck.php on line 98

Any ideas? (With the CLI everything seems OK, namely, I can see that syscheck is working, etc.)

Mark Mercado
UNIX Systems Administrator
Information Technology Services
University of Michigan - Flint
[ossec-list] ossec-wui error
Last night I added two high volume domain controllers and two high volume web servers for OSSEC monitoring. After that, when I checked today to use the search feature to search the logs using ossec wui, it is taking a long time to load, and even after 30 minutes the IE browser is still trying to load the search results without any luck. Any ideas as to what can be done? If I search for days before I added the 4 servers, the search results show up very fast.

Thank you
[ossec-list] OSSEC-WUI News?
Any news on an update to the WUI? What sort of changes are going to happen?

- Derek J. Morris -
CIO of DigitalMorris
[ossec-list] OSSEC-WUI permission issues
Hi folks,

I've read several threads about this on the mailing list, but I think my situation is slightly different... I followed the OSSEC-WUI install guide (http://www.ossec.net/wiki/index.php/OSSECWUI:Install) to the letter, and triple-checked my work... but I still cannot get OSSEC-WUI to work; it reports "Unable to access ossec directory." on all pages.

I'm running OSSEC-1.6 with OSSEC-WUI-0.3; OSSEC is installed within the Apache chroot. This is on top of CentOS 5.1 (SELinux disabled). Below are my conf files and various related logs:

== /var/log/httpd/ssl_error_log ==
[Mon Sep 08 13:27:25 2008] [error] [client 10.100.100.30] PHP Warning: opendir(/var/www/ossec/) [<a href='function.opendir'>function.opendir</a>]: failed to open dir: Permission denied in /var/www/html/ossec-wui/lib/os_lib_handle.php on line 94, referer: https://192.168.1.82/ossec-wui/index.php

== /var/www/html/ossec_conf.php ==
...
/* Ossec directory */
$ossec_dir="/var/www/ossec/";
...

== /etc/group ==
...
ossec:x:101:apache:
...

== # ls -la /var/www/ossec ==
total 44
dr-xr-x--- 11 root  ossec 4096 Aug 18 18:13 .
drwxr-xr-x 10 root  root  4096 Jan 21  2008 ..
dr-xr-x---  3 root  ossec 4096 Aug 18 18:13 active-response
dr-xr-x---  2 root  ossec 4096 Sep  8 11:58 bin
dr-xr-x---  3 root  ossec 4096 Sep  8 13:06 etc
drwxr-x---  5 ossec ossec 4096 Aug 20 21:13 logs
dr-xr-x---  9 root  ossec 4096 Aug 18 18:13 queue
dr-xr-x---  5 root  ossec 4096 Sep  8 13:06 rules
drwxr-x---  5 ossec ossec 4096 Aug 18 18:14 stats
dr-xr-x---  2 root  ossec 4096 Aug 18 18:13 tmp
dr-xr-x---  3 root  ossec 4096 Sep  8 13:06 var

== # ls -la /var/www/html/ossec-wui ==
total 108
drwxr-xr-x 8 1000 1000    4096 Aug 11 12:48 .
drwxr-xr-x 4 root root    4096 Aug 21 11:05 ..
-rwxr-xr-x 1 1000 1000     278 Feb 27  2008 CONTRIB
drwxr-xr-x 3 1000 1000    4096 Mar  4  2008 css
-rw-r--r-- 1 root root     266 Sep  8 12:55 .htaccess
-rw-r--r-- 1 1000 1000     218 Feb 29  2008 htaccess_def.txt
-rw-r--r-- 1 root root      22 Sep  8 12:55 .htpasswd
drwxr-xr-x 2 1000 1000    4096 Mar  4  2008 img
-rwxr-xr-x 1 1000 1000    5225 Feb 27  2008 index.php
drwxr-xr-x 2 1000 1000    4096 Mar  4  2008 js
drwxr-xr-x 3 1000 1000    4096 Aug 11 12:48 lib
-rw-r--r-- 1 1000 1000   35745 Mar  3  2008 LICENSE
-rw-r--r-- 1 1000 1000     467 Sep  8 13:09 ossec_conf.php
-rw-r--r-- 1 1000 1000    1157 Feb 27  2008 README
-rw-r--r-- 1 1000 1000     923 Feb 27  2008 README.search
-rwxr-xr-x 1 1000 1000    1824 Feb 29  2008 setup.sh
drwxr-xr-x 2 1000 1000    4096 Aug 11 12:48 site
drwxrwx--- 2 root apache  4096 Aug 11 12:48 tmp

It's clearly a file permissions issue, but if I open up the permissions on /var/www/ossec enough to make OSSEC-WUI read data within, OSSEC log-collector fails at the following restart:

== /var/www/ossec/logs/ossec.log ==
2008/09/08 13:01:02 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/www/ossec/queue/ossec/queue'. Giving up..

I've restarted Apache a number of times after all my changes, and I tried this with OSSEC 1.5.1 and OSSEC 1.6, so I don't think it's a corrupt install. This was all working back with OSSEC 1.5 a couple of months ago.

BTW: with regards to the OSSEC-WUI install wiki, it's unclear which tmp/ dir step #6 is referring to...

Any help/advice appreciated.

Thanks in advance,
Alessandro
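The listing above is enough to reason about the denial without touching the box, and the same reasoning applies to the other "Unable to access ossec directory" posts in this thread. The following is an added diagnostic, not code from ossec-wui or OSSEC, that evaluates POSIX mode bits the way the kernel does (exactly one class applies: owner, else group, else other) for a named user and its group set, over the ls -la /var/www/ossec listing copied from the post. With the ossec supplementary group in effect, apache gets r-x through the group class on every directory; with only its primary group it is evaluated as "other" and denied everywhere. The user and group names are the ones in the post; the root special case models the kernel's DAC override and is my addition.

```python
# Added example: evaluate directory access for a user from "ls -la" output.
from typing import Dict, Iterable, List, Tuple

# Copied from the post above: ls -la /var/www/ossec on the affected host.
LISTING = """\
total 44
dr-xr-x--- 11 root  ossec 4096 Aug 18 18:13 .
drwxr-xr-x 10 root  root  4096 Jan 21  2008 ..
dr-xr-x---  3 root  ossec 4096 Aug 18 18:13 active-response
dr-xr-x---  2 root  ossec 4096 Sep  8 11:58 bin
dr-xr-x---  3 root  ossec 4096 Sep  8 13:06 etc
drwxr-x---  5 ossec ossec 4096 Aug 20 21:13 logs
dr-xr-x---  9 root  ossec 4096 Aug 18 18:13 queue
dr-xr-x---  5 root  ossec 4096 Sep  8 13:06 rules
drwxr-x---  5 ossec ossec 4096 Aug 18 18:14 stats
dr-xr-x---  2 root  ossec 4096 Aug 18 18:13 tmp
dr-xr-x---  3 root  ossec 4096 Sep  8 13:06 var
"""

Entry = Dict[str, str]


def parse_ls(listing: str) -> List[Entry]:
    """Parse 'ls -l' lines into dicts with perms, owner, group and name."""
    entries: List[Entry] = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        parts = line.split(None, 8)  # cap the split: the name may contain spaces
        if len(parts) != 9:
            raise ValueError(f"not an ls -l line: {line!r}")
        perms, _links, owner, group, _size, _mon, _day, _time, name = parts
        entries.append({"perms": perms, "owner": owner, "group": group, "name": name})
    return entries


def _class_bits(perms: str, cls: int) -> Dict[str, bool]:
    """Bits of class 0 (owner), 1 (group) or 2 (other). Lowercase s/t still carry exec;
    uppercase S/T mean the setuid/setgid/sticky bit is set without exec."""
    seg = perms[1 + 3 * cls: 4 + 3 * cls]
    return {"r": seg[0] == "r", "w": seg[1] == "w", "x": seg[2] in "xst"}


def effective_bits(entry: Entry, user: str, groups: Iterable[str]) -> Tuple[str, Dict[str, bool]]:
    """Pick the single permission class the kernel applies to this user.
    root is modelled as bypassing the bits (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH)."""
    if user == "root":
        return "root", {"r": True, "w": True, "x": True}
    if entry["owner"] == user:
        return "owner", _class_bits(entry["perms"], 0)
    if entry["group"] in set(groups):
        return "group", _class_bits(entry["perms"], 1)
    return "other", _class_bits(entry["perms"], 2)


def explain_dir_access(entries: List[Entry], user: str, groups: Iterable[str]) -> List[str]:
    """One message per directory `user` cannot both list (r) and traverse (x)."""
    problems: List[str] = []
    for e in entries:
        if not e["perms"].startswith("d"):
            continue
        cls, bits = effective_bits(e, user, groups)
        missing = [b for b in ("r", "x") if not bits[b]]
        if missing:
            problems.append(f"{e['name']}: {user} is evaluated as '{cls}' on "
                            f"{e['owner']}:{e['group']} {e['perms']} and lacks {'+'.join(missing)}")
    return problems


if __name__ == "__main__":
    entries = parse_ls(LISTING)
    for label, groups in (("apache with ossec group", {"apache", "ossec"}),
                          ("apache, primary group only", {"apache"})):
        problems = explain_dir_access(entries, "apache", groups)
        print(f"{label}: {'ok' if not problems else f'{len(problems)} directories denied'}")
        for p in problems:
            print("  " + p)
```

Two practical consequences follow from the model. A process gets its supplementary groups when it starts, so an /etc/group edit only reaches the httpd workers after a full restart of Apache, and every parent directory of $ossec_dir must be traversable as well, not just the OSSEC tree itself. Testing as root proves nothing about apache, because root is not subject to these bits at all.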
[ossec-list] OSSEC-WUI
Pretty new to OSSEC/Linux. I've been running OSSEC 1.4 on Debian Sarge successfully for a few months and like it. Thought I'd have a look at the web front end (v2.0) but on 'Main' I get the message: 'Agent not found'; the search etc. receives 'no results'. I've created an agent for the localhost (seems daft but I did it anyway..) without any difference.

Any help would be appreciated

Regards,
Walter Wilson
Group Network and Security Manager
ISD
V.Ships (UK) Ltd
DDI: +44 141 305 7771
Main: +44 141 243 2435

This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please contact the sender. We only print the emails we really need to
[ossec-list] ossec wui problem with index.php
Hello,

I installed OSSEC and the latest ossec-wui; apache and php are working. All the pages work except index.php: every time I click on it, it downloads!! The owner, the permissions and the group are ok.

Thank you

PS: I already subscribed to the list with another mail and never received or could post a message; if the administrator wants some information let me know.
[ossec-list] ossec-wui Unable to access ossec directory.
Hi to all.

I installed the web ossec-wui-0.2, but after all checks on file system permissions and file configuration, I obtain the message "Unable to access ossec directory" when I type http://192.168.20.133/ossec-wui/.

Some ideas??

Thank you
Enrico
[ossec-list] OSSEC-WUI question
The primary goal of implementing OSSEC where I work is to centralize logging, alerts, etc. (no surprise there). The WebUI is a great addition to the package as it lets me give the group responsible for care and feeding of the various systems and devices some visibility into what is being reported. Since 90% of this data is sent via Syslog and captured/sorted by syslog-ng, I am using the log analysis engine to suck in the data and generate alerts, etc.

While I get valid data in '/opt/ossec/logs/alerts/alerts.log', the WebUI continues to deny the existence of anything except the local server agent and even for that claims that no alert data is available. I know I'm new to the OSSEC world, so I'm pretty sure I missed something or broke something in my setup. The exact error is:

Available agents:
+ossec-server (127.0.0.1)
-ossec-server (127.0.0.1)
Name: ossec-server
IP: 127.0.0.1
Last keep alive: 2007 May 24 10:51:21
OS:
Latest modified files:
No integrity checking information available. Nothing reported as changed.
Unable to retrieve alerts.

I did add the www user to the /etc/groups ossec entry and ensured that the local tmp file has 777 permissions. I also made sure to change the ossec_conf.php file to point to '/opt/ossec' instead of '/var/ossec'.

Help again?

--
Ed Vazquez
There are never any bugs you haven't found yet.

24 May 2007 10:41:58 smime.p7s Description: S/MIME cryptographic signature
[ossec-list] ossec-wui search results shows totals, but no details of results
I'm using the ossec-wui 0.02 with ossec 1.1 on a linux server.

The search results, no matter what I put in as variables, show the total alerts found (some number based on the search variables), then "Nothing returned (or search expired)." in red. It does not list the search results themselves. Should it? Could it? Screenshot attached.

The home page shows a list of recent alerts, connected agents and most recently changed files, so the data is visible to the ossec-wui. Where can I look/check to see why I'm getting a search results total, but no detail of the results?

Thanks.
John
[ossec-list] Ossec-wui
I have what some may call a stupid question. When installing ossec-wui v0.2, the setup.sh asks for a user name and pw. What should it be? I am not sure if it should be root, ossec, or the apache user.

Dennis
[ossec-list] ossec-wui v0.2
I have tried to install ossec-wui v.0.2 on a CentOS box. I am getting the "No Agent Available" on the main page. I have OSSEC v1.1 running and working great. It is sending me email alerts on about 10 agents that I have reporting to that server. I have used the wui v.01 before on a different box with a similar setup and it worked fine. "Search by Rule ID" is a great feature and has helped me tremendously in my log management. Any suggestions on getting v.02 running correctly here?

Thanks,
Chris