Hi Mike, I read the post and replaced the files that Holger attached,
restarted Apache and OSSEC, but the Web UI is still wrong. I was reading
around and someone said that the WUI doesn't interact with the DB (MySQL
in my case) to show the alerts and it just extracts the info from the
log files directly. The thing is I see this behaviour only with this
server that I compiled to DB.

I just installed another 2 OSSEC servers and everything is fine.


Do you know something about it or have another idea?


Thanks a lot for all your help, it's really appreciated!!!


Kind regards!


On 19 jun, 09:00, Mike Disley <[email protected]> wrote:
> Greetings,
> I believe this is the thread that discusses the problem.
>
> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>
> Regards,
> Mike
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Dayco Telecom
> Sent: Monday, June 18, 2012 3:53 PM
> To: ossec-list
> Subject: [ossec-list] Re: Error in message formating on OSSEC Wui
>
> Hi Dan, I had been reading all the posts in the archives like you suggested, 
> but I don't find the links you mentioned. The only post with the symptoms 
> is the message with the ID:
> CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail !
> com from 2012-03-01 11:09:16
> But you two are talking about a tool called "splunk" and not about the 
> solution.
>
> Can you be more specific about where the links are, or even the solutions?
>
> Thanks a lot...
>
> Kind regards!
>
> On 18 jun, 13:19, "dan (ddp)" <[email protected]> wrote:
> > On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]> wrote:
> > > Hi OSSEC Community, I have an issue with a new
> > > installation of OSSEC 2.6. I have just installed and configured
> > > the server. This server is RHEL 6.2 compiled to MySQL and it's in
> > > the network 192.x.x.x and the agents in the network 10.x.x.x with 2
> > > FW between them. The problem is that the WUI shows the messages in
> > > an incorrect format, i.e.:
>
> > > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
> > > Location: (oraclemanager) 172.28.67.242->WinEvtLog Src IP:
> > > mdaycohost Excessive number of events (above normal).
>
> > > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
> > > Location: ossec->/var/log/secure
> > > Src IP: 6:38:39 ossec su: pam_unix(su-l:session): session opened for
> > > user root by accdayco(uid=500) Login session opened.
> > > ** Alert 1339794683.22885: mail - ossec,
> > > 2012 Jun 15 16:41:23 ossec->ossec-monitord
> > > Rule: 502 (level 3) -> 'Ossec server started.'
> > > ossec: Ossec started.
> > > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
> > > Location: ossec->/var/log/secure
> > > Src IP: 6:35:00 ossec sshd[8458]: pam_unix(sshd:session): session
> > > opened for user accdayco by (uid=0) Login session opened.
> > > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
> > > 2012 Jun 15 16:35:07 ossec->/var/log/secure
> > > Rule: 5501 (level 3) -> 'Login session opened.'
> > > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for
> > > user root by accdayco(uid=500)
>
> > > Can you help me?
>
> > > Kind regards!
>
> > >   Oscar D'Lima
> > >   Specialist I | Continuous Service Improvement Coordination
> > >   Tel: +58 212 999.90.38 | +58 414 236.78.02
>
> > >   Torre Dayco, Calle Londres, Urb. Las Mercedes,
> > >   Caracas, Venezuela. ZP 1060-A
> > >   Master +58 212 999.9100
>
> > >   daycohost.com
>
> > It's a known issue in the WUI 0.3 release. Some people have fixed it,
> > look in the archives for links.
