[ossec-list] Re: File deletion ,Integrity checksum and sending mail fails.

2017-04-13 Thread siddhesh . rele
Hi,

Dan, thanks for the reply.
Yes, I am using a hostname for the SMTP server.
In the previous version we did not have to do such things for email.

On Wednesday, April 12, 2017 at 8:24:15 PM UTC+5:30, siddhe...@suvidhaa.com wrote:
>
> Hi,
>
> I do not receive file deletion alerts in the latest 2.9.0 version.
> Also, any changes made to the file are not reported as before.
>
> Also, the maild daemon fails to send the mail. I fixed it by copying the hosts
> file, but I don't think it is the correct way.
>
> Please can you help us to resolve the issue? Let me know if you want any
> observations.
>
> Regards,
> Siddhesh Rele.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-13 Thread weisst
Windows 2012 R2 error:
Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	win32ui.exe
  Application Version:	0.0.0.0
  Application Timestamp:	58ef28a9
  Fault Module Name:	StackHash_bc03
  Fault Module Version:	6.3.9600.17415
  Fault Module Timestamp:	5450559e
  Exception Code:	c374
  Exception Offset:	PCH_B7_FROM_ntdll+0x000911FA
  OS Version:	6.3.9600.2.0.0.272.7
  Locale ID:	2052
  Additional Information 1:	bc03
  Additional Information 2:	bc03b0099517a014308582161a3173b5
  Additional Information 3:	e3d5
  Additional Information 4:	e3d5a6322d624c2d8e59088803c5efc2

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=280262

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\zh-CN\erofflps.txt


On Friday, April 14, 2017 at 6:24:19 AM UTC+8, dan (ddpbsd) wrote:
>
> On Thu, Apr 13, 2017 at 5:14 AM, weisst wrote:
> > Dear all,
> >
> > I tried to compile for 64-bit Windows on Ubuntu 16.10, and installed the
> > dependencies:
> >
> > sudo apt-get install build-essential -y
> > sudo apt-get install nsis nsis-common -y
> > sudo apt-get install mingw-w64 mingw-w64-common mingw-w64-x86-64-dev -y
> >
> > I found that mingw uses x86_64-w64-mingw32-gcc in place of
> > amd64-mingw32msvc-gcc, so I modified the Makefile from
> >
> > ifneq (,$(shell which amd64-mingw32msvc-gcc))
> > MING_BASE:=amd64-mingw32msvc-
> >
> > to
> >
> > ifneq (,$(shell which x86_64-w64-mingw32-gcc))
> > MING_BASE:=x86_64-w64-mingw32-
> > else
> >
>
> You might have to make similar changes to
> src/external/lua/src/Makefile.mingw
> But I've never tried it.
>
> > Then with make TARGET=winagent I get some errors:
> >
> > x86_64-w64-mingw32-gcc -shared -o lua52.dll lapi.o lcode.o lctype.o ldebug.o
> > ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o
> > lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o
> > lbaselib.o lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o
> > lstrlib.o ltablib.o loadlib.o linit.o
> > strip --strip-unneeded lua52.dll
> > x86_64-w64-mingw32-gcc -o ossec-lua.exe -s lua.o lua52.dll -lm
> > make[2]: Leaving directory
> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> > make -f Makefile.mingw "LUAC_T=ossec-luac.exe" ossec-luac.exe
> > make[2]: Entering directory
> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> > x86_64-w64-mingw32-gcc -O2 -Wall -DLUA_COMPAT_ALL -c -o luac.o luac.c
> > i686-w64-mingw32-ar rcu liblua.a lapi.o lcode.o lctype.o ldebug.o ldo.o
> > ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o lstate.o
> > lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o lbaselib.o
> > lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o lstrlib.o
> > ltablib.o loadlib.o linit.o
> > i686-w64-mingw32-ar: `u' modifier ignored since `D' is the default (see `U')
> > i686-w64-mingw32-ranlib liblua.a
> > x86_64-w64-mingw32-gcc -o ossec-luac.exe luac.o liblua.a -lm
> > liblua.a: error adding symbols: Archive has no index; run ranlib to add one
> > collect2: error: ld returned 1 exit status
> > Makefile.mingw:66: recipe for target 'ossec-luac.exe' failed
> > make[2]: *** [ossec-luac.exe] Error 1
> > make[2]: Leaving directory
> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> > Makefile.mingw:112: recipe for target 'mingw' failed
> > make[1]: *** [mingw] Error 2
> > make[1]: Leaving directory
> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> > Makefile:609: recipe for target 'winagent' failed
> > make: *** [winagent] Error 2
> >
> > I tried to fix the problem, so I modified lua-5.2.3/src/Makefile.mingw:
> >
> > CC= i686-w64-mingw32-gcc
> > CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
> > LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
> > LIBS= -lm $(SYSLIBS) $(MYLIBS)
> >
> > AR= i686-w64-mingw32-ar rcu
> > RANLIB= i686-w64-mingw32-ranlib
> > RM= rm -f
> >
> > I tried replacing all i686-w64-mingw32 with x86_64-w64-mingw32, and then
> > the compile succeeds, but after installing on a 64-bit Windows system the
> > OSSEC agent can't start and shows some error. Please help me fix it, thanks.
> >
>
> What error?
>
> >
> > Also published as a GitHub issue:
> > https://github.com/ossec/ossec-hids/issues/1110
> >



[ossec-list] OSSEC Agent not works

2017-04-13 Thread Руслан Аминджанов
Hello!
I installed the OSSEC server and client on 2 hosts; however, the agent shows as
"Never connected". There is no firewall between these hosts, and if I use
netcat to connect to the server, its log shows that the message is not properly
formatted.
Output of tcpdump:

00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73

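One detail in the capture above is that the agent sends to 10.2.2.12 while every reply comes from 10.2.2.13. The script below is an added diagnostic, not part of the original post: it parses tcpdump lines of that shape and flags each manager reply whose source address differs from the one the agent sent to, a mismatch (multi-homed manager, NAT) worth ruling out first. It assumes port 1514 (printed by tcpdump as fujitsu-dtcns) is the manager port, and the embedded sample is constructed from the four packets quoted above.

```python
import re

# The four packets quoted above, embedded here as a constructed sample so the
# script runs offline (timestamps and addresses are the ones in the post).
SAMPLE_CAPTURE = """\
00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
"""

# tcpdump prints "host.port"; without -n the port is a service name, and
# fujitsu-dtcns is the /etc/services entry for 1514, the OSSEC manager port.
MANAGER_PORTS = {"1514", "fujitsu-dtcns"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\S+): UDP, length (?P<len>\d+)$"
)


def parse_capture(text):
    """One dict per UDP line; lines of any other shape are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["len"] = int(p["len"])
            packets.append(p)
    return packets


def find_reply_mismatches(text):
    """Match each agent->manager datagram with the manager->agent reply that
    follows it and return (sent_to, replied_from, agent) for every reply whose
    source is not the address the agent actually sent to."""
    last_target = {}   # (agent ip, agent port) -> manager ip the agent used
    mismatches = []
    for p in parse_capture(text):
        if p["dport"] in MANAGER_PORTS:            # agent -> manager
            last_target[(p["src"], p["sport"])] = p["dst"]
        elif p["sport"] in MANAGER_PORTS:          # manager -> agent
            sent_to = last_target.get((p["dst"], p["dport"]))
            if sent_to is not None and sent_to != p["src"]:
                mismatches.append((sent_to, p["src"], p["dst"]))
    return mismatches


if __name__ == "__main__":
    for sent_to, replied_from, agent in find_reply_mismatches(SAMPLE_CAPTURE):
        print(f"agent {agent} sent to {sent_to}, reply came from {replied_from}")
```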


Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-13 Thread dan (ddp)
On Thu, Apr 13, 2017 at 5:14 AM, weisst  wrote:
> Dear all,
>
> I tried to compile for 64-bit Windows on Ubuntu 16.10, and installed the
> dependencies:
>
> sudo apt-get install build-essential -y
> sudo apt-get install nsis nsis-common -y
> sudo apt-get install mingw-w64 mingw-w64-common mingw-w64-x86-64-dev -y
>
> I found that mingw uses x86_64-w64-mingw32-gcc in place of
> amd64-mingw32msvc-gcc, so I modified the Makefile from
>
> ifneq (,$(shell which amd64-mingw32msvc-gcc))
> MING_BASE:=amd64-mingw32msvc-
>
> to
>
> ifneq (,$(shell which x86_64-w64-mingw32-gcc))
> MING_BASE:=x86_64-w64-mingw32-
> else
>

You might have to make similar changes to src/external/lua/src/Makefile.mingw
But I've never tried it.

> Then with make TARGET=winagent I get some errors:
>
> x86_64-w64-mingw32-gcc -shared -o lua52.dll lapi.o lcode.o lctype.o ldebug.o
> ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o
> lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o
> lbaselib.o lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o
> lstrlib.o ltablib.o loadlib.o linit.o
> strip --strip-unneeded lua52.dll
> x86_64-w64-mingw32-gcc -o ossec-lua.exe -s lua.o lua52.dll -lm
> make[2]: Leaving directory
> '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> make -f Makefile.mingw "LUAC_T=ossec-luac.exe" ossec-luac.exe
> make[2]: Entering directory
> '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> x86_64-w64-mingw32-gcc -O2 -Wall -DLUA_COMPAT_ALL -c -o luac.o luac.c
> i686-w64-mingw32-ar rcu liblua.a lapi.o lcode.o lctype.o ldebug.o ldo.o
> ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o lstate.o
> lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o lbaselib.o
> lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o lstrlib.o
> ltablib.o loadlib.o linit.o
> i686-w64-mingw32-ar: `u' modifier ignored since `D' is the default (see `U')
> i686-w64-mingw32-ranlib liblua.a
> x86_64-w64-mingw32-gcc -o ossec-luac.exe luac.o liblua.a -lm
> liblua.a: error adding symbols: Archive has no index; run ranlib to add one
> collect2: error: ld returned 1 exit status
> Makefile.mingw:66: recipe for target 'ossec-luac.exe' failed
> make[2]: *** [ossec-luac.exe] Error 1
> make[2]: Leaving directory
> '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> Makefile.mingw:112: recipe for target 'mingw' failed
> make[1]: *** [mingw] Error 2
> make[1]: Leaving directory
> '/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
> Makefile:609: recipe for target 'winagent' failed
> make: *** [winagent] Error 2
>
> I tried to fix the problem, so I modified lua-5.2.3/src/Makefile.mingw:
>
> CC= i686-w64-mingw32-gcc
> CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
> LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
> LIBS= -lm $(SYSLIBS) $(MYLIBS)
>
> AR= i686-w64-mingw32-ar rcu
> RANLIB= i686-w64-mingw32-ranlib
> RM= rm -f
>
> I tried replacing all i686-w64-mingw32 with x86_64-w64-mingw32, and then the
> compile succeeds, but after installing on a 64-bit Windows system the OSSEC
> agent can't start and shows some error. Please help me fix it, thanks.
>

What error?

>
> Also published as a GitHub issue: https://github.com/ossec/ossec-hids/issues/1110
>

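The "Archive has no index" failure quoted above appears after liblua.a is built by i686-w64-mingw32-ar/ranlib while x86_64-w64-mingw32-gcc links it, and the thread's own fix was to make every prefix in Makefile.mingw match the one MING_BASE selects, the "similar changes" dan anticipates. As an added check, not OSSEC's own code, this script flags make variables whose cross-toolchain prefix never matches the intended target; the two file excerpts are constructed from what the thread quotes, and scan_tree runs the same check over a checkout on disk.

```python
import os
import re

# Constructed excerpts of the two files the thread edits: the top-level
# src/Makefile after switching to the x86_64 prefix, and the bundled Lua
# Makefile.mingw still assigning the i686 gcc/ar/ranlib, the mix the thread
# removed to get a clean build.
SAMPLE_FILES = {
    "src/Makefile": """
ifneq (,$(shell which x86_64-w64-mingw32-gcc))
MING_BASE:=x86_64-w64-mingw32-
else
MING_BASE:=i686-w64-mingw32-
endif
""",
    "src/external/lua-5.2.3/src/Makefile.mingw": """
CC= i686-w64-mingw32-gcc
CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
AR= i686-w64-mingw32-ar rcu
RANLIB= i686-w64-mingw32-ranlib
RM= rm -f
""",
}

# Cross-compiler prefixes that appear in the thread (the msvc one is what the
# original Makefile looked for).
TRIPLET_RE = re.compile(r"\b(i686-w64-mingw32|x86_64-w64-mingw32|amd64-mingw32msvc)-")
# A make assignment: NAME = value, NAME := value, NAME ?= value, NAME += value.
ASSIGN_RE = re.compile(r"^\s*(?P<var>[A-Za-z_][A-Za-z0-9_]*)\s*[:?+]?=\s*(?P<val>.*)$")


def toolchain_assignments(text):
    """Map each make variable to the set of target triplets its value names."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            triplets = set(TRIPLET_RE.findall(m.group("val")))
            if triplets:
                found.setdefault(m.group("var"), set()).update(triplets)
    return found


def find_mixed_toolchains(files, expected="x86_64-w64-mingw32"):
    """Return sorted (path, variable, triplet) for every assignment whose
    triplet(s) never include `expected`.  A variable assigned both (like the
    MING_BASE if/else above) is accepted: make picks one branch at run time."""
    problems = []
    for path, text in files.items():
        for var, triplets in toolchain_assignments(text).items():
            if expected not in triplets:
                problems.extend((path, var, t) for t in sorted(triplets))
    return sorted(problems)


def scan_tree(root, expected="x86_64-w64-mingw32"):
    """Read every Makefile* below `root` and run the same check on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.startswith("Makefile"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return find_mixed_toolchains(files, expected)


if __name__ == "__main__":
    for path, var, triplet in find_mixed_toolchains(SAMPLE_FILES):
        print(f"{path}: {var} uses {triplet}-, expected x86_64-w64-mingw32-")
```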


[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-13 Thread Rob Williams
Hi Jesus,

Thanks for the reply. I have noticed when I activate this rule, it blocks 
all events and does not alert on the first event. Also note, I am trying to 
use the ID field from my decoder to match against. I can't just use a 
static match as the ID continuously changes so I'd need the ID from the 
decoder to do so. Any ideas? Thanks!

On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting 
> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> that I am still getting alerted for rule 510 for this log, but I can't 
> figure out how to get that to show in logtest. Basically, I am getting 
> spammed with rule 510 and trying to filter it down more and here is what 
> happens when I enter the log in logtest: any ideas on how to fix 
> this?
>
> **Phase 1: Completed pre-decoding.
>
>full event: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>hostname: 'hostname'
>
>program_name: '(null)'
>
>log: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'sample_decoder_setup'
>
>id: '/filepath/'
>



Re: [ossec-list] How soon does an agent disconnect appear

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 4:01 PM, Nikki S  wrote:
> How long does it take for the agent to appear as 'disconnected'?  I read on
> another thread that the 'keep alive' needs to fail three times. I could not
> find where we set the frequency of the agent check in.
>

I think it's 10 minutes, and I don't think it's currently configurable
in ossec.conf.

> Thank you!
>



Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 1:40 PM, Rob Williams  wrote:
> Essentially, I want to trigger an active response for a rule that I created
> that has a severity level of 0. I created this rule because I did not want
> to be alerted on the default rule and only wanted to be alerted based on the
> output from my active response. My question is if I have the severity level
> of 0, will it just be completely ignored without the active response even
> triggering? I ask because I'm having trouble setting it up properly and want
> to rule out if this is the cause. Thank you for your help in advance.
>

I think it will be ignored, but I've never tried it. You could try
bumping the level to 1 to see if that fixes the issue.




Re: [ossec-list] File deletion ,Integrity checksum and sending mail fails.

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 6:28 AM,   wrote:
> Hi,
>
> I do not receive file deletion alerts in the latest 2.9.0 version.
> Also, any changes made to the file are not reported as before.
>

I haven't tested this, but I'll give it a shot.

> Also, the maild daemon fails to send the mail. I fixed it by copying the hosts
> file, but I don't think it is the correct way.
>

If you're using a hostname instead of an IP for the smtp server, this
makes sense. maild chroots to /var/ossec.

> Please can you help us to resolve the issue? Let me know if you want any
> observations.
>
> Regards,
> Siddhesh Rele.
>

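dan's point is that maild resolves the SMTP server from inside its /var/ossec chroot, so a hostname only works if something inside the chroot can resolve it. The check below is an added example, not OSSEC's code: it pulls smtp_server out of an ossec.conf fragment, tells an IP literal from a hostname, and looks the hostname up in whatever hosts file lives inside the chroot (its path is deployment-specific and is passed in as text). The configuration fragment and hosts line are constructed placeholders.

```python
import ipaddress
import re

# Constructed ossec.conf fragment; the names are documentation placeholders,
# not values from the thread.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.invalid</email_to>
    <smtp_server>mail.example.invalid</smtp_server>
    <email_from>ossec@example.invalid</email_from>
  </global>
</ossec_config>
"""

# ossec.conf may hold several <ossec_config> roots, which is not well-formed
# XML, so the value is pulled with a regex instead of an XML parser.
SMTP_RE = re.compile(r"<smtp_server>\s*([^<\s]+)\s*</smtp_server>")


def smtp_server_value(conf_text):
    m = SMTP_RE.search(conf_text)
    return m.group(1) if m else None


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hosts_file_resolves(hosts_text, name):
    """True if hosts(5)-style text maps `name` (case-insensitive, comments ignored)."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return True
    return False


def check_smtp_server(conf_text, chroot_hosts_text=""):
    """Classify the configured smtp_server from maild's point of view.

    maild runs chrooted to /var/ossec, so a hostname is only usable if it can
    be resolved from inside the chroot; `chroot_hosts_text` is the content of
    the hosts file inside that chroot.  Returns 'value', 'status', 'advice'.
    """
    value = smtp_server_value(conf_text)
    if value is None:
        return {"value": None, "status": "unset",
                "advice": "no <smtp_server> in <global>"}
    if is_ip_literal(value):
        return {"value": value, "status": "ip",
                "advice": "IP literal; no name resolution needed inside the chroot"}
    if hosts_file_resolves(chroot_hosts_text, value):
        return {"value": value, "status": "hosts",
                "advice": "hostname mapped by the hosts file inside the chroot"}
    return {"value": value, "status": "unresolved",
            "advice": "hostname with no mapping inside the chroot; use the "
                      "server's IP instead of copying resolution files"}


if __name__ == "__main__":
    print(check_smtp_server(SAMPLE_CONF))
    print(check_smtp_server(SAMPLE_CONF, "192.0.2.25  mail.example.invalid  # constructed"))
```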


Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil  wrote:
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>

I really wish SO would partition their system properly. Big /, nothing
else is very annoying.
Check permissions. Maybe things didn't copy over properly?

> On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>>
>> Do you have SELinux running in an enforcing mode? What is the output of
>> sestatus?
>>
>> Josh
>>
>> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic  wrote:
>>>
>>> Really do not know, just installed it from the repo and tried to start the
>>> service.
>>>
>>> Thanks
>>> Regards
>>>
>>> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic
>>> wrote:
>>>>
>>>> Hi guys,
>>>> Yes, I've been reading about the error on the list, lots of cases, and I
>>>> got it too, but I ran out of ideas.
>>>>
>>>> The log:
>>>>
>>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access
>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>
>>>> The queue:
>>>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>>
>>>> Also read that local_rules may have issues; tested with -t and no errors
>>>> displayed, also with xmllint:
>>>>
>>>> xmllint local_rules.xml
>>>>
>>>> --SNIP-
>>>>
>>>>
>>>>
>>>>
>>>> There is a file also under /var/ossec/etc/decoder.xml that seems not
>>>> good; is that correct?
>>>> xmllint decoder.xml
>>>> decoder.xml:52: parser error : Extra content at the end of the document
>>>>
>>>> ^
>>>>
>>>> And found this:
>>>>
>>>> xmllint  ossec.conf
>>>> ossec.conf:74: parser error : Comment not terminated
>>>>
>>>>
>>>> Line 74, what's missing here?
>>>>
>>>>
>>>>
>>>> 72000
>>>>
>>>>
>>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>>> ossec-wui-0.8-4.el6.art.noarch
>>>>
>>>> Thanks for your time and support
>>>> Regards
>>>>
>>
>>
>>
>>
>> --
>> Thanks,
>> Joshua Gimer
>>
>> ---
>>
>> http://www.linkedin.com/in/jgimer
>> http://twitter.com/jgimer
>

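dan's "check permissions" and the "Connection refused" in the quoted log point at two different failure modes on the same path: a socket file whose owner or mode blocks the client, versus a socket file that nobody is reading because the daemon that bound it is not running. This added diagnostic (not part of the thread) tells them apart; the queue path is the one from the log, and it relies on the queue being a UNIX datagram socket, which is how OSSEC's daemons use it. The demo function reproduces both outcomes on a throwaway socket.

```python
import errno
import os
import socket
import stat
import tempfile

# OSSEC's internal message queue is a UNIX datagram socket created and read by
# ossec-analysisd (on a manager) or ossec-agentd (on an agent).  The path is
# the one quoted in the thread.
QUEUE_PATH = "/var/ossec/queue/ossec/queue"


def diagnose_queue(path):
    """Classify why a client such as ossec-syscheckd might fail on the queue.

    Returns a dict with 'status' in {'missing', 'not_a_socket', 'no_listener',
    'permission', 'ok', 'error'} and a human-readable 'detail'.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"status": "missing", "detail": f"{path} does not exist"}
    if not stat.S_ISSOCK(st.st_mode):
        return {"status": "not_a_socket",
                "detail": f"{path} exists but is not a socket ({stat.filemode(st.st_mode)})"}
    owner = f"uid={st.st_uid} gid={st.st_gid} mode={stat.filemode(st.st_mode)}"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # connect() on a datagram socket only records the peer: it fails with
        # ECONNREFUSED when no process has the path bound, and with EACCES
        # when this process lacks write permission on the socket file.
        s.connect(path)
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return {"status": "no_listener",
                    "detail": f"socket exists ({owner}) but nothing is reading it; "
                              "is ossec-analysisd / ossec-agentd running?"}
        if e.errno in (errno.EACCES, errno.EPERM):
            return {"status": "permission",
                    "detail": f"connect denied ({owner}); check ownership and the "
                              "user this client runs as"}
        return {"status": "error", "detail": f"{e.strerror} ({owner})"}
    finally:
        s.close()
    return {"status": "ok", "detail": f"reader present ({owner})"}


def demo_with_throwaway_socket():
    """Show both outcomes on a temporary socket: first with a reader bound to
    it, then after the reader has gone away but the socket file remains (the
    situation behind 'Connection refused' in the log above)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "queue")
    reader = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    reader.bind(path)
    try:
        with_reader = diagnose_queue(path)["status"]
    finally:
        reader.close()          # the file stays behind, like a dead daemon's
    without_reader = diagnose_queue(path)["status"]
    os.unlink(path)
    os.rmdir(d)
    return with_reader, without_reader


if __name__ == "__main__":
    print(diagnose_queue(QUEUE_PATH))
    print(demo_with_throwaway_socket())
```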


Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel  wrote:
> Perhaps this is way off base, but have you added an agent for localhost ? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>

You shouldn't have to add an agent for the localhost, it's
automatically considered agent 000.

> If I have one rant regarding OSSEC HIDS, it's the structure and quality of
> documentation: Sketchy at best... Doing a lot of poking in the dark to solve
> issues.
>

Please help: https://github.com/ossec/ossec-docs


>
> On Tuesday, October 11, 2016 at 2:22:03 PM UTC-4, Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading about the error on the list, lots of cases, and I got it
>> too, but I ran out of ideas.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue:
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read that local_rules may have issues; tested with -t and no errors
>> displayed, also with xmllint:
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good;
>> is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>



Re: [ossec-list] OSSEC upgrade from 2.8.3 to 2.9 RC5 DBD error

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Dayne Jordan  wrote:
> DISREGARD - major faux pas on my part from previous... it's the alert table,
> not alerts (singular).
>
> Alert table does exist, however the column "level" does not, i will create
> it manually.
>
> MariaDB [ossec]> describe alert;
> +-+---+--+-+-+---+
> | Field   | Type  | Null | Key | Default | Extra |
> +-+---+--+-+-+---+
> | id  | int(10) unsigned  | NO   | PRI | NULL|   |
> | server_id   | smallint(5) unsigned  | NO   | PRI | NULL|   |
> | rule_id | mediumint(8) unsigned | NO   | MUL | NULL|   |
> | timestamp   | int(10) unsigned  | NO   | MUL | NULL|   |
> | location_id | smallint(5) unsigned  | NO   | | NULL|   |
> | src_ip  | int(10) unsigned  | YES  | MUL | NULL|   |
> | dst_ip  | int(10) unsigned  | YES  | | NULL|   |
> | src_port| smallint(5) unsigned  | YES  | | NULL|   |
> | dst_port| smallint(5) unsigned  | YES  | | NULL|   |
> | alertid | tinytext  | YES  | | NULL|   |
> +-+---+--+-+-+---+
> 10 rows in set (0.00 sec)
>
>
> I added the "level" column and all is well so far. I wonder why the
> mysql.schema script isn't doing this? No error messages in the log.
>
> MariaDB [ossec]> describe alert;
> +-+---+--+-+-+---+
> | Field   | Type  | Null | Key | Default | Extra |
> +-+---+--+-+-+---+
> | id  | int(10) unsigned  | NO   | PRI | NULL|   |
> | server_id   | smallint(5) unsigned  | NO   | PRI | NULL|   |
> | rule_id | mediumint(8) unsigned | NO   | MUL | NULL|   |
> | timestamp   | int(10) unsigned  | NO   | MUL | NULL|   |
> | location_id | smallint(5) unsigned  | NO   | | NULL|   |
> | src_ip  | int(10) unsigned  | YES  | MUL | NULL|   |
> | dst_ip  | int(10) unsigned  | YES  | | NULL|   |
> | src_port| smallint(5) unsigned  | YES  | | NULL|   |
> | dst_port| smallint(5) unsigned  | YES  | | NULL|   |
> | alertid | tinytext  | YES  | | NULL|   |
> | level   | tinyint(3) unsigned   | YES  | | NULL|   |
> +-+---+--+-+-+---+
> 11 rows in set (0.00 sec)
>

I just tried it with MASTER:
MariaDB [ossecdb]> describe alert;
+-+---+--+-+-++
| Field   | Type  | Null | Key | Default | Extra  |
+-+---+--+-+-++
| id  | int(10) unsigned  | NO   | PRI | NULL| auto_increment |
| server_id   | smallint(5) unsigned  | NO   | PRI | NULL||
| rule_id | mediumint(8) unsigned | NO   | MUL | NULL||
| level   | tinyint(3) unsigned   | YES  | MUL | NULL||
| timestamp   | int(10) unsigned  | NO   | MUL | NULL||
| location_id | smallint(5) unsigned  | NO   | | NULL||
| src_ip  | varchar(46)   | YES  | MUL | NULL||
| dst_ip  | varchar(46)   | YES  | | NULL||
| src_port| smallint(5) unsigned  | YES  | | NULL||
| dst_port| smallint(5) unsigned  | YES  | | NULL||
| alertid | varchar(30)   | YES  | MUL | NULL||
| user| text  | NO   | | NULL||
| full_log| text  | NO   | | NULL||
| is_hidden   | tinyint(4)| NO   | | 0   ||
| tld | varchar(5)| NO   | MUL | ||
+-+---+--+-+-++
15 rows in set (0.02 sec)


>
> On Monday, April 10, 2017 at 2:22:49 PM UTC-4, Dayne Jordan wrote:
>>
>> MariaDB [(none)]> use ossec
>> Reading table information for completion of table and column names
>> You can turn off this feature to get a quicker startup with -A
>>
>> Database changed
>> MariaDB [ossec]> describe alerts;
>> ERROR 1146 (42S02): Table 'ossec.alerts' doesn't exist
>> MariaDB [ossec]>
>>
>> the mysql schema certainly appears to have the logic to create all the
>> tables it needed. I ran the mysql schema again manually, restarted mysql and
>> ossec and still have the same error.
>>
>>
>> On Monday, April 10, 2017 at 2:07:47 PM UTC-4, Joshua Gimer wrote:
>>>
>>> Looking at the database schema here:
>>>
>>> 

[ossec-list] on ubuntu compile windows 64bit error

2017-04-13 Thread weisst


Dear all,

I tried to compile for 64-bit Windows on Ubuntu 16.10, and installed the
dependencies:

sudo apt-get install build-essential -y
sudo apt-get install nsis nsis-common -y
sudo apt-get install mingw-w64 mingw-w64-common mingw-w64-x86-64-dev -y

I found that mingw uses *x86_64-w64-mingw32-gcc* in place of
*amd64-mingw32msvc-gcc*, so I modified the Makefile from

ifneq (,$(shell which amd64-mingw32msvc-gcc))
MING_BASE:=amd64-mingw32msvc-

to

ifneq (,$(shell which x86_64-w64-mingw32-gcc))
MING_BASE:=x86_64-w64-mingw32-
else

Then with make TARGET=winagent I get some errors:

x86_64-w64-mingw32-gcc -shared -o lua52.dll lapi.o lcode.o lctype.o 
ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o 
lparser.o lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o 
lauxlib.o lbaselib.o lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o 
loslib.o lstrlib.o ltablib.o loadlib.o linit.o
strip --strip-unneeded lua52.dll
x86_64-w64-mingw32-gcc -o ossec-lua.exe -s lua.o lua52.dll -lm
make[2]: Leaving directory 
'/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
make -f Makefile.mingw "LUAC_T=ossec-luac.exe" ossec-luac.exe
make[2]: Entering directory 
'/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
x86_64-w64-mingw32-gcc -O2 -Wall -DLUA_COMPAT_ALL -c -o luac.o luac.c
i686-w64-mingw32-ar rcu liblua.a lapi.o lcode.o lctype.o ldebug.o ldo.o 
ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o lstate.o 
lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o lbaselib.o 
lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o lstrlib.o 
ltablib.o loadlib.o linit.o
i686-w64-mingw32-ar: `u' modifier ignored since `D' is the default (see `U')
i686-w64-mingw32-ranlib liblua.a
x86_64-w64-mingw32-gcc -o ossec-luac.exe luac.o liblua.a -lm
liblua.a: error adding symbols: Archive has no index; run ranlib to add one
collect2: error: ld returned 1 exit status
Makefile.mingw:66: recipe for target 'ossec-luac.exe' failed
make[2]: *** [ossec-luac.exe] Error 1
make[2]: Leaving directory 
'/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
Makefile.mingw:112: recipe for target 'mingw' failed
make[1]: *** [mingw] Error 2
make[1]: Leaving directory 
'/tmp/ossec-hids-master/src/external/lua-5.2.3/src'
Makefile:609: recipe for target 'winagent' failed
make: *** [winagent] Error 2

I tried to fix the problem, so I modified lua-5.2.3/src/Makefile.mingw:

CC= i686-w64-mingw32-gcc
CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
LIBS= -lm $(SYSLIBS) $(MYLIBS)

AR= i686-w64-mingw32-ar rcu
RANLIB= i686-w64-mingw32-ranlib
RM= rm -f

I tried replacing all *i686-w64-mingw32* with *x86_64-w64-mingw32*, and then
the compile succeeds, but after installing on a 64-bit Windows system the
OSSEC agent can't start and shows some error. Please help me fix it, thanks.


Also published as a GitHub issue: https://github.com/ossec/ossec-hids/issues/1110
