Don't worry, yes, that's the version of the WUI. In fact, that is the
version of the WUI on the OSSEC web page, and it is what it says in the
README file.

What's more, it is the version I have used in the other
installations.

I prefer a fix or solution. I'm not a developer and don't intend to
be...

Regards!



On 21 jun, 15:27, "dan (ddp)" <[email protected]> wrote:
> On Thu, Jun 21, 2012 at 3:16 PM, Dayco Telecom <[email protected]> wrote:
> > Hi Dan, yes, I'm reading. In fact, I have read a lot of posts about
> > this error and still no luck. In fact, if you read this one, earlier in
> > this thread I wrote "Hi Mike, I read the post and replace the files
> > that Holger attached, restart apache and OSSEC but the Web UI is still
> > wrong."
>
> Apologies, I thought you said you were using 0.3.
>
>
>
>
>
> > I re-installed the WUI as you suggested this morning and nothing. I ask
> > about the WUI and the DB 'cause the other 2 installations were done with
> > the same procedure and files. This is the only one with this error
> > and is the only one in DB mode.
>
> > Anyway, I copied the files os_lib_alerts.php and
> > os_lib_syscheck.php again into /var/www/html/ossec/lib, restarted apache &
> > OSSEC, but no luck! The WUI still shows this:
>
> > 2012 Jun 21 13:00:42 Rule Id: 502 level: 3
> > Location: ossec->ossec-monitord
> > Src IP: ssec started.
> > Ossec server started.
>
> > 2012 Jun 21 12:05:42 Rule Id: 5501 level: 3
> > Location: ossec->/var/log/secure
> > Src IP: 2:05:41 ossec sshd[17211]: pam_unix(sshd:session): session
> > opened for user accdayco by (uid=0)
> > Login session opened.
> >  ** Alert 1340296548.5315: - pam,syslog,authentication_success,
> > 2012 Jun 21 12:05:48 ossec->/var/log/secure
> > Rule: 5501 (level 3) -> 'Login session opened.'
> > Jun 21 12:05:46 ossec su: pam_unix(su-l:session): session opened for
> > user root by accdayco(uid=500)
>
> > What's next?
>
> Learn PHP.
>
>
>
> > Cheers...
>
> > On 21 jun, 12:45, "dan (ddp)" <[email protected]> wrote:
> >> On Thu, Jun 21, 2012 at 12:35 PM, Dayco Telecom <[email protected]> wrote:
> >> > I did download the WUI version on the ossec.net Web page
> >> > (http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz)
>
> >> > what patched version do I need?
> >> > Where can I get it?
>
> >> Are you not reading the emails in this thread?
> >> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>
> >> Good luck with your WUI issues.
>
> >> > On 21 jun, 12:25, "dan (ddp)" <[email protected]> wrote:
> >> >> On Thu, Jun 21, 2012 at 11:58 AM, Dayco Telecom <[email protected]> wrote:
> >> >> > Hi Dan, I did install the WUI again this morning and the WUI is still
> >> >> > wrong, the WUI is v0.3
>
> >> >> > What can I do?
>
> >> >> Are you using the patched files? The ones that are supposed to work
> >> >> with the new logging format? 0.3 is broken, it's dead. You have to use
> >> >> the patched version.
>
> >> >> > cheers...
>
> >> >> > On 20 jun, 08:48, "dan (ddp)" <[email protected]> wrote:
> >> >> >> On Tue, Jun 19, 2012 at 5:31 PM, Dayco Telecom <[email protected]> wrote:
> >> >> >> > Hi people, my OSSEC server shows this.
>
> >> >> >> > WUI view:
>
> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18149 level: 3
> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Src IP: YNAMIC-DAYCO$
> >> >> >> > Windows User Logoff.
>
> >> >> >> You're still using a broken WUI. Update it and try again.
>
> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Src IP: o user)
> >> >> >> > Windows audit failure event.
>
> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Src IP: o user)
> >> >> >> > Windows audit failure event.
>
> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Src IP: o user)
> >> >> >> > Windows audit failure event.
>
> >> >> >> > OSSEC Alert log view:
>
> >> >> >> > ** Alert 1340139464.176284: - windows,
> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
> >> >> >> > User: (no user)
> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> > Microsoft-Windows-Security-
> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> > Application Information:  Process ID:  680  Application Name: 
> >> >> >> > \device
> >> >> >> > \harddiskvolume1\windows\system32\lsass.exe  Network Information:
> >> >> >> > Source Address:  0.0.0.0  Source Port:  53661  Protocol:  17  
> >> >> >> > Filter
> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer 
> >> >> >> > Run-
> >> >> >> > Time ID: 36
>
> >> >> >> > ** Alert 1340139464.176940: - windows,
> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
> >> >> >> > User: (no user)
> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> > Microsoft-Windows-Security-
> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> > Application Information:  Process ID:  680  Application Name: 
> >> >> >> > \device
> >> >> >> > \harddiskvolume1\windows\system32\lsass.exe  Network Information:
> >> >> >> > Source Address:  0.0.0.0  Source Port:  53662  Protocol:  17  
> >> >> >> > Filter
> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer 
> >> >> >> > Run-
> >> >> >> > Time ID: 36
>
> >> >> >> > ** Alert 1340139464.177596: - windows,
> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'User: (no 
> >> >> >> > user)
> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> > Microsoft-Windows-Security-
> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> > Application Information:  Process ID:  1296  Application Name: 
> >> >> >> > \device
> >> >> >> > \harddiskvolume1\windows\system32\svchost.exe  Network Information:
> >> >> >> > Source Address:  0.0.0.0  Source Port:  56759  Protocol:  17  
> >> >> >> > Filter
> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer 
> >> >> >> > Run-
> >> >> >> > Time ID: 36
>
> >> >> >> > ** Alert 1340139464.178255: - windows,
> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> > Rule: 18149 (level 3) -> 'Windows User Logoff.'User: 
> >> >> >> > VDYNAMIC-DAYCO$
> >> >> >> > WinEvtLog: Security: AUDIT_SUCCESS(4634): 
> >> >> >> > Microsoft-Windows-Security-
> >> >> >> > Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: 
> >> >> >> > VDynamic-dayco.daycohost.local:
> >> >> >> > An account was logged off. Subject:  Security ID:  S-1-5-18  
> >> >> >> > Account
> >> >> >> > Name:  VDYNAMIC-DAYCO$  Account Domain:  DAYCOHOST  Logon ID:
> >> >> >> > 0x6060269  Logon Type:   3  This event is generated when a logon
> >> >> >> > session is destroyed. It may be positively correlated with a logon
> >> >> >> > event using the Logon ID value. Logon IDs are only unique between
> >> >> >> > reboots on the same computer."  4646,1
>
> >> >> >> > DB (MySQL) view, table Data:
>
> >> >> >> > '997', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159):
> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> > VDynamic-
> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
> >> >> >> > bind to a local port. Application Information:  Process ID:  1296
> >> >> >> > Application Name: /device/harddiskvolume1/windows/system32/
> >> >> >> > svchost.exe  Network Information:  Source Address:  0.0.0.0  Source
> >> >> >> > Port:  64330  Protocol:  17  Filter Information:  Filter Run-Time 
> >> >> >> > ID:
> >> >> >> > 0  Layer Name:  %%14608  Layer Run-Time ID: 36', NULL
> >> >> >> > '998', '1', '(no user)', 'WinEvtLog: System: ERROR(7001): Service
> >> >> >> > Control Manager: (no user): no domain: DYC-ACCUNETIX: The WinHTTP 
> >> >> >> > Web
> >> >> >> > Proxy Auto-Discovery Service service depends on the DHCP Client
> >> >> >> > service which failed to start because of the following error:   %
> >> >> >> > %1058  ', NULL
> >> >> >> > '999', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159):
> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> > VDynamic-
> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
> >> >> >> > bind to a local port. Application Information:  Process ID:  680
> >> >> >> > Application Name: 
> >> >> >> > /device/harddiskvolume1/windows/system32/lsass.exe
> >> >> >> > Network Information:  Source Address:  0.0.0.0  Source Port:  64331
> >> >> >> > Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer
> >> >> >> > Name:  %%14608  Layer Run-Time ID: 36', NULL
> >> >> >> > '1000', '1', '(no user)', 'WinEvtLog: Security: 
> >> >> >> > AUDIT_FAILURE(5159):
> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> > VDynamic-
> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
> >> >> >> > bind to a local port. Application Information:  Process ID:  680
> >> >> >> > Application Name: 
> >> >> >> > /device/harddiskvolume1/windows/system32/lsass.exe
> >> >> >> > Network Information:  Source Address:  0.0.0.0  Source Port:  64332
> >> >> >> > Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer
> >> >> >> > Name:  %%14608  Layer Run-Time ID: 36', NULL
>
> >> >> >> > The compiled OSSEC was installed using the OSSEC
> >> >> >> > book's guide and the OSSEC.net documentation.
> >> >> >> > The OSSEC WUI was installed using the OSSEC.net
> >> >> >> > documentation.
>
> >> >> >> > The other OSSEC servers I installed before were in a lab, one with non
> >> >> >> > compiled DB mode and another with compiled DB mode w/o enabling it,
> >> >> >> > and all worked fine till then.
>
> >> >> >> > I chose DB compiled this time 'cause it's an OSSEC server for a non-lab
> >> >> >> > environment and it's going to be a core platform with around 500
> >> >> >> > clients, so the amount of logs can be high.
>
> >> >> >> > I don't know if some additional configuration is necessary for the WUI to
> >> >> >> > read the data from the DB or if the...
>

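Each garbled "Src IP:" value in the WUI view quoted above equals the alert line that follows "Rule:" with its first 8 characters removed, and 8 is the length of the label "Src IP: ". The Python sketch below is an added example, not the WUI's PHP and not code from anyone in this thread: it reproduces the symptom with a fixed-offset slice (an assumption about the cause) and contrasts it with a parser that checks each label before reading the value. The sample alerts are copied from the thread with the event text shortened.

```python
import re

# Constructed sample: three alerts from the thread's alerts.log excerpts, event text shortened.
ALERTS = """\
** Alert 1340139464.176284: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): ...

** Alert 1340139464.178255: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: VDYNAMIC-DAYCO$
WinEvtLog: Security: AUDIT_SUCCESS(4634): ...

** Alert 1340296548.5315: - pam,syslog,authentication_success,
2012 Jun 21 12:05:48 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jun 21 12:05:46 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)
"""

SRC_IP_LABEL = "Src IP: "  # 8 characters
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELD_RE = re.compile(r"^(Src IP|User): (.*)$")

def split_alerts(text):
    """Split an alerts.log excerpt into one list of lines per alert."""
    return [block.splitlines() for block in text.strip().split("\n\n")]

def naive_src_ip(lines):
    # Assumed faulty logic: the line after "Rule:" is taken to be "Src IP: ..."
    # and the label length is cut off without checking that the label is there.
    return lines[3][len(SRC_IP_LABEL):]

def parse_alert(lines):
    """Read optional labelled fields by name; everything after them is the raw log."""
    m = RULE_RE.match(lines[2])
    if not m:
        raise ValueError("unexpected rule line: %r" % lines[2])
    alert = {"rule": int(m.group(1)), "level": int(m.group(2)),
             "desc": m.group(3), "srcip": None, "user": None}
    body = lines[3:]
    while body and (f := FIELD_RE.match(body[0])):
        alert[f.group(1).lower().replace(" ", "")] = f.group(2)
        body = body[1:]
    alert["log"] = "\n".join(body)
    return alert

if __name__ == "__main__":
    for block in split_alerts(ALERTS):
        print(repr(naive_src_ip(block)), "->", parse_alert(block))
```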