On Tue, Jun 19, 2012 at 2:48 PM, Mike Disley <[email protected]> wrote:
> Yes, it's a full_command rule but I'm not using OSSEC with a DB.
>

Oops, I didn't notice that you weren't the OP. So, yeah, you probably
installed the patches incorrectly. Yet another reason I avoid the WUI: I
don't know php.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Tuesday, June 19, 2012 2:30 PM
> To: [email protected]
> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>
> On Tue, Jun 19, 2012 at 1:35 PM, Mike Disley
> <[email protected]> wrote:
>> Greetings,
>> I have the same prob. I applied the patches but no joy. Enclosed is an
>> alert first from the WUI and the corresponding entry in alerts.log.
>>
>> OSSEC WUI Alert List:
>>
>> 2012 Jun 19 12:45:40 Rule Id: 140123 level: 7
>> Location: (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\>
>> \443\>" | findstr TCP Src IP: utput: 'netstat -an | findstr "\80\>
>> \443\>" | findstr TCP': TCP 1X.21.1.1X4:34594 66.35.45.157:443
>> ESTABLISHED Outbound Internet Access Detected
>> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> TCP 1X.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
>>
>> OSSEC Server alerts.log
>>
>> ** Alert 1340124340.19381: mail - local
>> 2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr
>> "\80\> \443\>" | findstr TCP
>> Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
>> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> TCP 1x.21.1.1x4:34594 66.35.45.157:443 ESTABLISHED Previous
>> output:
>> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> TCP 1x.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
>>
>>
>
> I'm guessing that this is some full_command based rule. If so, add an alias
> to it to make it a little more manageable.
>
> This rule is parsed correctly on the non-db systems? If so, you've done
> something wrong with the WUI on the db system.
>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: Tuesday, June 19, 2012 12:46 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>>
>> On Tue, Jun 19, 2012 at 12:34 PM, Dayco Telecom <[email protected]> wrote:
>>> Hi Mike, I read the post and replaced the files that Holger attached,
>>> restarted apache and OSSEC but the Web UI is still wrong. I was reading
>>> and someone said around that the WUI doesn't interact with the DB
>>> (MySQL in my case) to show the alerts and it just extracts the info
>>> from the log files directly. The thing is I see this behaviour only
>>> with this server that I compiled to DB.
>>>
>>> I just installed another 2 OSSEC servers and everything is fine.
>>>
>>>
>>> Do you know something about it or another idea?
>>>
>>>
>>> Thanks a lot for all your help, it's really appreciated!!!
>>>
>>>
>>> Kind regards!
>>>
>>
>> What kind of problems does it show on the server with the db? What does the
>> log entry look like in alerts.log?
>>
>>>
>>> On 19 jun, 09:00, Mike Disley <[email protected]> wrote:
>>>> Greetings,
>>>> I believe this is the thread that discusses the problem.
>>>>
>>>> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>>>>
>>>> Regards,
>>>> Mike
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Dayco Telecom
>>>> Sent: Monday, June 18, 2012 3:53 PM
>>>> To: ossec-list
>>>> Subject: [ossec-list] Re: Error in message formating on OSSEC Wui
>>>>
>>>> Hi Dan, I have been reading all the posts in the archives like you
>>>> suggested, but I can't find the links you mentioned. The only post
>>>> with the symptoms is the message with the ID:
>>>> CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail !
>>>> com from 2012-03-01 11:09:16
>>>> But you two are talking about a tool called "splunk" and not about the
>>>> solution.
>>>>
>>>> Can you be more specific about where the links or even the solutions are?
>>>>
>>>> Thanks a lot...
>>>>
>>>> Kind regards!
>>>>
>>>> On 18 jun, 13:19, "dan (ddp)" <[email protected]> wrote:
>>>> > On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]>
>>>> > wrote:
>>>> > > Hi OSSEC Community, I have an issue with a new
>>>> > > installation of OSSEC 2.6, I have just installed and
>>>> > > configured the server. This server is RHEL 6.2 compiled to MySQL
>>>> > > and it's in the network 192.x.x.x and the agents in the network
>>>> > > 10.x.x.x with 2 FW between them. The problem is that the Wui
>>>> > > shows the messages in an incorrect format, i.e.:
>>>>
>>>> > > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
>>>> > > Location: (oraclemanager) 172.28.67.242->WinEvtLog Src IP:
>>>> > > mdaycohost Excessive number of events (above normal).
>>>>
>>>> > > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
>>>> > > Location: ossec->/var/log/secure Src IP: 6:38:39 ossec su:
>>>> > > pam_unix(su-l:session): session opened for user root by
>>>> > > accdayco(uid=500) Login session opened.
>>>> > > ** Alert 1339794683.22885: mail - ossec,
>>>> > > 2012 Jun 15 16:41:23 ossec->ossec-monitord
>>>> > > Rule: 502 (level 3) -> 'Ossec server started.'
>>>> > > ossec: Ossec started.
>>>> > > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
>>>> > > Location: ossec->/var/log/secure Src IP: 6:35:00 ossec
>>>> > > sshd[8458]: pam_unix(sshd:session): session opened for user
>>>> > > accdayco by (uid=0) Login session opened.
>>>> > > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
>>>> > > 2012 Jun 15 16:35:07 ossec->/var/log/secure
>>>> > > Rule: 5501 (level 3) -> 'Login session opened.'
>>>> > > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened
>>>> > > for user root by accdayco(uid=500)
>>>>
>>>> > > Can you help me?
>>>>
>>>> > > Kind regards!
>>>>
>>>> > > Oscar D'Lima
>>>> > > Specialist I | Coordination of Continuous Improvement of
>>>> > > Services
>>>> > > Tel: +58 212 999.90.38 | +58 414 236.78.02
>>>>
>>>> > > Torre Dayco, Calle Londres, Urb. Las Mercedes,
>>>> > > Caracas, Venezuela. ZP 1060-A
>>>> > > Master +58 212 999.9100
>>>>
>>>> > > daycohost.com
>>>>
>>>> > It's a known issue in the WUI 0.3 release. Some people have fixed
>>>> > it, look in the archives for links.
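The two posters quote the same alerts.log layout the WUI has to re-split into its list columns: a "** Alert" header, a date/location line, a "Rule:" line, then the raw log lines, with entries separated by a blank line. Mike's full_command alert also shows why a naive split misbehaves: the location itself contains pipes, quotes and a ">" character, and the captured command output repeats the command string. The parser below is an added example written for this page, not code from OSSEC or the WUI; it assumes only the entry layout visible in the quoted alerts, and its sample input is constructed from those quoted entries (the "x" digits in the IPs are the poster's own redactions and are kept as they appear).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: two alerts.log entries copied from the quoted
# messages in this thread (one syslog/PAM alert, one full_command alert).
SAMPLE_ALERTS_LOG = r"""
** Alert 1339794307.22371: - pam,syslog,authentication_success,
2012 Jun 15 16:35:07 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)

** Alert 1340124340.19381: mail - local
2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP
Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:34594 66.35.45.157:443 ESTABLISHED
Previous output:
ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
"""

# Header: "** Alert <epoch.seq>: <flags> - <group,group,...>"; flags may be empty.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):\s*(?P<flags>.*?)\s*-\s*(?P<groups>.*)$")
WHEN_RE = re.compile(r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.*)$")
# Location is "(agent) ip->source" for an agent or "host->source" for the server
# itself; split at the first "->" so pipes and quotes inside the source survive.
LOCATION_RE = re.compile(r"^(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>\S+?))->(?P<source>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    timestamp: str
    flags: str
    groups: List[str]
    when: str
    agent: Optional[str]
    ip: Optional[str]
    host: Optional[str]
    source: str
    rule_id: int
    level: int
    description: str
    lines: List[str] = field(default_factory=list)


def parse_alerts_log(text: str) -> List[Alert]:
    """Split alerts.log into blank-line separated entries and parse each header."""
    alerts: List[Alert] = []
    blocks = [b for b in re.split(r"\n\s*\n", text.strip("\n")) if b.strip()]
    for block in blocks:
        lines = block.split("\n")
        if len(lines) < 3:
            raise ValueError(f"truncated alert block: {block!r}")
        head = HEADER_RE.match(lines[0])
        when_line = WHEN_RE.match(lines[1])
        rule_line = RULE_RE.match(lines[2])
        if not (head and when_line and rule_line):
            raise ValueError(f"unrecognised alert block: {block!r}")
        loc = LOCATION_RE.match(when_line["location"])
        if not loc:
            raise ValueError(f"unrecognised location: {when_line['location']!r}")
        alerts.append(Alert(
            timestamp=head["ts"],
            flags=head["flags"],
            groups=[g for g in head["groups"].split(",") if g],
            when=when_line["when"],
            agent=loc["agent"], ip=loc["ip"], host=loc["host"],
            source=loc["source"],
            rule_id=int(rule_line["id"]),
            level=int(rule_line["level"]),
            description=rule_line["desc"],
            lines=lines[3:],   # everything after the Rule line is the log payload
        ))
    return alerts


def is_full_command_output(alert: Alert) -> bool:
    """True when the payload is captured output of a full_command log source."""
    return any(line.startswith("ossec: output: '") for line in alert.lines)


def summary(alert: Alert) -> str:
    """One-line summary in the WUI list's field order, built from parsed fields
    instead of re-splitting raw text, so pipes/quotes cannot shift the columns."""
    where = f"({alert.agent}) {alert.ip}" if alert.agent else alert.host
    return (f"{alert.when} Rule Id: {alert.rule_id} level: {alert.level} "
            f"Location: {where}->{alert.source} {alert.description}")


if __name__ == "__main__":
    for a in parse_alerts_log(SAMPLE_ALERTS_LOG):
        print(summary(a))
        print("  full_command output:", is_full_command_output(a))
```

The parser treats the three header lines as fixed structure and everything after them as opaque payload, which is what keeps the full_command entry intact. It also shows what Dan's alias suggestion buys you: with an alias, the text after "->" in the location would be the alias rather than the whole netstat pipeline, so the summary line stays short without any change to how the entry is split.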
