Thanks for your response Daniel.
The binaries were different. I shut down OSSEC, killed residual processes, then reinstalled (update). The result is they are still different:

r...@test:~# ls -la /var/ossec/bin/ossec-*
542320 2010-04-06 14:54 /var/ossec/bin/ossec-agentd
327452 2010-04-06 14:54 /var/ossec/bin/ossec-agentlessd
704145 2010-04-06 14:54 /var/ossec/bin/ossec-analysisd
6646 2010-03-05 07:27 /var/ossec/bin/ossec-control
309335 2010-04-06 14:54 /var/ossec/bin/ossec-csyslogd
369737 2010-04-06 14:54 /var/ossec/bin/ossec-dbd
93506 2010-04-06 14:54 /var/ossec/bin/ossec-execd
364179 2010-04-06 14:54 /var/ossec/bin/ossec-logcollecto
718295 2010-04-06 14:54 /var/ossec/bin/ossec-logtest
334033 2010-04-06 14:54 /var/ossec/bin/ossec-maild
545863 2010-04-06 14:55 /var/ossec/bin/ossec-monitord
515966 2010-04-06 14:54 /var/ossec/bin/ossec-remoted
218940 2010-04-06 14:55 /var/ossec/bin/ossec-reportd
496210 2010-04-06 14:55 /var/ossec/bin/ossec-syscheckd

But logtest now works. Thanks again.

-----Original Message-----
From: Daniel Cid [mailto:[email protected]]
Sent: Tuesday, April 06, 2010 2:08 PM
To: [email protected]
Subject: Re: [ossec-list] Re: update causes logtest to fail

Hi Chad,

I can't verify the bug in here. Can you make sure that ossec-logtest got updated properly? Maybe if you had it running during the update, the file didn't get replaced.

If you run:

# ls -la /var/ossec/bin/ossec-*

The date from all the binaries should be the same ...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Apr 5, 2010 at 11:42 AM, Chad Robertson <[email protected]> wrote:
> UPDATE
>
> This is in the ossec.log file. It looks like it's failing to load
> that xml file after all.
>
> 2010/04/05 10:25:57 ossec-analysisd: ERROR: Compiled rule not found: 'is_simple_http_request'
> 2010/04/05 10:25:57 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': is_simple_http_request.
> 2010/04/05 10:25:57 ossec-testrule(1220): ERROR: Error loading the rules: 'web_rules.xml'.
> 2010/04/05 10:27:45 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2010/04/05 10:28:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>
> I verified that the compiled rule is in the config as well.
>
> tes...@test:/usr/source/ossec-hids-2.4/src/analysisd/compiled_rules# ./register_rule.sh list
> *Available functions:
> check_id_size
> comp_mswin_targetuser_calleruser_diff
> comp_srcuser_dstuser
> is_simple_http_request
> is_valid_crawler
> tes...@test:/usr/source/ossec-hids-2.4/src/analysisd/compiled_rules# ./register_rule.sh add is_simple_http_request
> ERROR: Function 'is_simple_http_request' already added.
>
> On Mon, Apr 5, 2010 at 10:37 AM, Chad Robertson <[email protected]> wrote:
>>
>> I updated OSSEC to 2.4 (though the -V still reports 2.3) and now
>> ossec-logtest no longer starts. If I comment out the compiled rules
>> in web_rules.xml it starts fine. This also doesn't seem to affect the
>> program itself, just the logtest.
>>
>> tes...@test:~# /var/ossec/bin/ossec-analysisd -V
>>
>> OSSEC HIDS v2.3 - Trend Micro Inc.
>>
>> This program is free software; you can redistribute it and/or modify
>> it under the terms of the GNU General Public License (version 2) as
>> published by the Free Software Foundation. For more details, go to
>> http://www.ossec.net/main/license/
>>
>> tes...@test:~# /etc/init.d/ossec status
>> ossec-monitord is running...
>> ossec-logcollector is running...
>> ossec-remoted is running...
>> ossec-syscheckd is running...
>> ossec-analysisd is running...
>> ossec-maild is running...
>> ossec-execd is running...
>> tes...@test:~# /var/ossec/bin/ossec-logtest
>> 2010/04/05 10:25:57 ossec-analysisd: ERROR: Compiled rule not found: 'is_simple_http_request'
>> 2010/04/05 10:25:57 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': is_simple_http_request.
>> 2010/04/05 10:25:57 ossec-testrule(1220): ERROR: Error loading the rules: 'web_rules.xml'.
>>
>

--
To unsubscribe, reply using "remove me" as the subject.
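Daniel's check ("the date from all the binaries should be the same") is worth scripting, since a binary that was still running during the upgrade and never got replaced is exactly the kind of stale file that makes a freshly installed ruleset fail to load. The shell function below is an added example, not code from the thread or from the OSSEC project: it takes an `ls -l` style listing, finds the build date shared by most of the `ossec-*` files, and reports every file whose date differs. The sample listing is constructed from the sizes and dates Chad pasted; the one outlier it flags is `ossec-control`, which is a shell script rather than a compiled binary, so a different timestamp there is expected and not a sign of a failed upgrade.

```shell
#!/bin/sh
# Added example (not from the thread): flag ossec-* files whose modification
# date differs from the build date shared by the majority of the files.
# Accepts either the 4-column form pasted in the thread (size date time path)
# or GNU `ls -l --time-style=long-iso` output; in both, the last three fields
# are date, time and path.

# Constructed sample, taken from the sizes and dates quoted in the thread.
SAMPLE_LISTING='542320 2010-04-06 14:54 /var/ossec/bin/ossec-agentd
327452 2010-04-06 14:54 /var/ossec/bin/ossec-agentlessd
704145 2010-04-06 14:54 /var/ossec/bin/ossec-analysisd
6646 2010-03-05 07:27 /var/ossec/bin/ossec-control
309335 2010-04-06 14:54 /var/ossec/bin/ossec-csyslogd
369737 2010-04-06 14:54 /var/ossec/bin/ossec-dbd
93506 2010-04-06 14:54 /var/ossec/bin/ossec-execd
364179 2010-04-06 14:54 /var/ossec/bin/ossec-logcollector
718295 2010-04-06 14:54 /var/ossec/bin/ossec-logtest
334033 2010-04-06 14:54 /var/ossec/bin/ossec-maild
545863 2010-04-06 14:55 /var/ossec/bin/ossec-monitord
515966 2010-04-06 14:54 /var/ossec/bin/ossec-remoted
218940 2010-04-06 14:55 /var/ossec/bin/ossec-reportd
496210 2010-04-06 14:55 /var/ossec/bin/ossec-syscheckd'

# check_ossec_binary_dates "<listing>"
# Prints one line per file whose date differs from the majority date.
# Returns 0 when every file shares one date, 1 when at least one differs.
check_ossec_binary_dates() {
    printf '%s\n' "$1" | awk '
        NF >= 4 {
            n++
            date[n] = $(NF-2)      # date column (second field from the end)
            path[n] = $NF          # full path is always the last field
            count[$(NF-2)]++
        }
        END {
            # The most common date is taken as the build date of this upgrade.
            best = ""
            for (d in count)
                if (best == "" || count[d] > count[best]) best = d
            bad = 0
            for (i = 1; i <= n; i++)
                if (date[i] != best) {
                    printf "STALE? %s (built %s, others %s)\n", path[i], date[i], best
                    bad++
                }
            exit (bad > 0)
        }'
}

# Usage: on a live server replace SAMPLE_LISTING with
#   "$(ls -l --time-style=long-iso /var/ossec/bin/ossec-*)"
if check_ossec_binary_dates "$SAMPLE_LISTING"; then
    echo "all ossec-* files share one build date"
else
    echo "date mismatch found; confirm the flagged files are scripts or restart and reinstall"
fi
```

The function only compares dates, as Daniel suggested; if you need a stronger check after an upgrade, compare the files against the freshly built ones in the source tree (size or a checksum) rather than relying on timestamps alone.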
