On Tue, Jun 19, 2012 at 12:34 PM, Dayco Telecom <[email protected]> wrote:
> Hi Mike, I read the post and replaced the files that Holger attached,
> restarted apache and OSSEC but the Web UI is still wrong. I was reading
> and someone said that the WUI doesn't interact with the DB (MySQL
> in my case) to show the alerts and it just extracts the info from the
> log files directly. The thing is I see this behaviour only with this
> server that I compiled to DB.
>
> I just installed another 2 OSSEC servers and everything is fine.
>
> Do you know something about it or have another idea?
>
> Thanks a lot for all your help, it's really appreciated!!!
>
> Kind regards!
>

What kind of problems does it show on the server with the db? What
does the log entry look like in alerts.log?

>
> On 19 jun, 09:00, Mike Disley <[email protected]> wrote:
>> Greetings,
>> I believe this is the thread that discusses the problem.
>>
>> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>>
>> Regards,
>> Mike
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Dayco Telecom
>> Sent: Monday, June 18, 2012 3:53 PM
>> To: ossec-list
>> Subject: [ossec-list] Re: Error in message formating on OSSEC Wui
>>
>> Hi Dan, I had been reading all the posts in the archives like you suggested,
>> but I don't find the links you mentioned. The only post with the
>> symptoms is the message with the ID:
>> CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail !
>> com from 2012-03-01 11:09:16
>> But you two are talking about a tool called "splunk" and not about the
>> solution.
>>
>> Can you be more specific about where the links are, or even the solutions?
>>
>> Thanks a lot...
>>
>> Kind regards!
>>
>> On 18 jun, 13:19, "dan (ddp)" <[email protected]> wrote:
>> > On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]>
>> > wrote:
>> > > Hi OSSEC Community, I have an issue with a new
>> > > installation of OSSEC 2.6, I have just installed and configured
>> > > the server. This server is RHEL 6.2 compiled to MySQL and it's in
>> > > the network 192.x.x.x and the agents in the network 10.x.x.x with 2
>> > > FW between them. The problem is that the Wui shows the messages in
>> > > an incorrect format, i.e.:
>>
>> > > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
>> > > Location: (oraclemanager) 172.28.67.242->WinEvtLog Src IP:
>> > > mdaycohost Excessive number of events (above normal).
>>
>> > > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
>> > > Location: ossec->/var/log/secure
>> > > Src IP: 6:38:39 ossec su: pam_unix(su-l:session): session opened for
>> > > user root by accdayco(uid=500) Login session opened.
>> > > ** Alert 1339794683.22885: mail - ossec,
>> > > 2012 Jun 15 16:41:23 ossec->ossec-monitord
>> > > Rule: 502 (level 3) -> 'Ossec server started.'
>> > > ossec: Ossec started.
>> > > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
>> > > Location: ossec->/var/log/secure
>> > > Src IP: 6:35:00 ossec sshd[8458]: pam_unix(sshd:session): session
>> > > opened for user accdayco by (uid=0) Login session opened.
>> > > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
>> > > 2012 Jun 15 16:35:07 ossec->/var/log/secure
>> > > Rule: 5501 (level 3) -> 'Login session opened.'
>> > > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for
>> > > user root by accdayco(uid=500)
>>
>> > > Can you help me?
>>
>> > > Kind regards!
>>
>> > > Oscar D'Lima
>> > > Specialist I | Continuous Service Improvement Coordination
>> > > Tel: +58 212 999.90.38 | +58 414 236.78.02
>>
>> > > Torre Dayco, Calle Londres, Urb. Las Mercedes,
>> > > Caracas, Venezuela. ZP 1060-A
>> > > Master +58 212 999.9100
>>
>> > > daycohost.com
>>
>> > It's a known issue in the WUI 0.3 release. Some people have fixed it,
>> > look in the archives for links.
