Hi, yes that's it. I installed the WUI 0.3 (again, from the Web site
http://www.ossec.net) and patched it up with the files from the other
threads as Mike said, but still no luck.

My system info:

OS: Linux ossec 2.6.32-220.17.1.el6.x86_64.debug #1 SMP Thu Apr 26 14:00:35 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux


Apache Version: Apache/2.2.15 (Red Hat)


PHP Version 5.3.3


Ossec version 2.6


WUI version:
OSSEC WEB UI v0.3
Copyright (c) 2006-2008 Daniel B. Cid <[email protected]>


So, what to do?


Cheers...




On 21 jun, 15:47, "dan (ddp)" <[email protected]> wrote:
> On Thu, Jun 21, 2012 at 3:43 PM, Dayco Telecom <[email protected]> wrote:
> > Don't worry, yes, that's the version of the WUI. In fact, that is the
> > version of the WUI on the OSSEC Web page and is what it says in the
> > README file.
>
> > And what's more, it is the version I had used in the other
> > installations.
>
> Wait, I'm confused. Are you using 0.3, or are you using the patches
> from that other thread? O_o
>
> > I prefer a fix or solution. I'm not a developer and don't intend to
> > be...
>
> Hire someone who knows PHP.
>
> WUI is junk. No one seems to be able to get it working properly.
>
>
>
> > Regards!
>
> > On 21 jun, 15:27, "dan (ddp)" <[email protected]> wrote:
> >> On Thu, Jun 21, 2012 at 3:16 PM, Dayco Telecom <[email protected]> wrote:
> >> > Hi Dan, yes I'm reading. In fact I have read a lot of posts about
> >> > this error and still no luck. In fact if you read this one, earlier in
> >> > these threads I wrote "Hi Mike, I read the post and replaced the files
> >> > that Holger attached, restarted apache and OSSEC but the Web UI is still
> >> > wrong."
>
> >> Apologies, I thought you said you were using 0.3.
>
> >> > I re-installed the WUI as you suggested this morning and nothing. I ask
> >> > about the WUI and the DB 'cause the other 2 installations were with
> >> > the same procedure and files. This is the only one with this error
> >> > and is the only one in DB mode.
>
> >> > Anyway, I copied again the files os_lib_alerts.php and
> >> > os_lib_syscheck.php in /var/www/html/ossec/lib, restarted apache &
> >> > OSSEC but no luck! The WUI still shows this:
>
> >> > 2012 Jun 21 13:00:42 Rule Id: 502 level: 3
> >> > Location: ossec->ossec-monitord
> >> > Src IP: ssec started.
> >> > Ossec server started.
>
> >> > 2012 Jun 21 12:05:42 Rule Id: 5501 level: 3
> >> > Location: ossec->/var/log/secure
> >> > Src IP: 2:05:41 ossec sshd[17211]: pam_unix(sshd:session): session
> >> > opened for user accdayco by (uid=0)
> >> > Login session opened.
> >> >  ** Alert 1340296548.5315: - pam,syslog,authentication_success,
> >> > 2012 Jun 21 12:05:48 ossec->/var/log/secure
> >> > Rule: 5501 (level 3) -> 'Login session opened.'
> >> > Jun 21 12:05:46 ossec su: pam_unix(su-l:session): session opened for
> >> > user root by accdayco(uid=500)
>
> >> > What's next?
>
> >> Learn PHP.
>
> >> > Cheers...
>
> >> > On 21 jun, 12:45, "dan (ddp)" <[email protected]> wrote:
> >> >> On Thu, Jun 21, 2012 at 12:35 PM, Dayco Telecom <[email protected]> wrote:
> >> >> > I did download the WUI version on the ossec.net Web page
> >> >> > (http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz)
>
> >> >> > what patched version do I need?
> >> >> > Where can I get it?
>
> >> >> Are you not reading the emails in this thread?
> >> >> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>
> >> >> Good luck with your WUI issues.
>
> >> >> > On 21 jun, 12:25, "dan (ddp)" <[email protected]> wrote:
> >> >> >> On Thu, Jun 21, 2012 at 11:58 AM, Dayco Telecom <[email protected]> wrote:
> >> >> >> > Hi Dan, I did install the WUI again this morning and the WUI is
> >> >> >> > still wrong, the WUI is v0.3
>
> >> >> >> > What can I do?
>
> >> >> >> Are you using the patched files? The ones that are supposed to work
> >> >> >> with the new logging format? 0.3 is broken, it's dead. You have to
> >> >> >> use the patched version.
>
> >> >> >> > cheers...
>
> >> >> >> > On 20 jun, 08:48, "dan (ddp)" <[email protected]> wrote:
> >> >> >> >> On Tue, Jun 19, 2012 at 5:31 PM, Dayco Telecom <[email protected]> wrote:
> >> >> >> >> > Hi people, my OSSEC server shows.
>
> >> >> >> >> > WUI view:
>
> >> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18149 level: 3
> >> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Src IP: YNAMIC-DAYCO$
> >> >> >> >> > Windows User Logoff.
>
> >> >> >> >> You're still using a broken WUI. Update it and try again.
>
> >> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Src IP: o user)
> >> >> >> >> > Windows audit failure event.
>
> >> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Src IP: o user)
> >> >> >> >> > Windows audit failure event.
>
> >> >> >> >> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> >> >> >> >> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Src IP: o user)
> >> >> >> >> > Windows audit failure event.
>
> >> >> >> >> > OSSEC Alert log view:
>
> >> >> >> >> > ** Alert 1340139464.176284: - windows,
> >> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
> >> >> >> >> > User: (no user)
> >> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> >> > Microsoft-Windows-Security-
> >> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: 
> >> >> >> >> > The
> >> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> >> > Application Information:  Process ID:  680  Application Name: 
> >> >> >> >> > \device
> >> >> >> >> > \harddiskvolume1\windows\system32\lsass.exe  Network 
> >> >> >> >> > Information:
> >> >> >> >> > Source Address:  0.0.0.0  Source Port:  53661  Protocol:  17  
> >> >> >> >> > Filter
> >> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  
> >> >> >> >> > Layer Run-
> >> >> >> >> > Time ID: 36
>
> >> >> >> >> > ** Alert 1340139464.176940: - windows,
> >> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
> >> >> >> >> > User: (no user)
> >> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> >> > Microsoft-Windows-Security-
> >> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: 
> >> >> >> >> > The
> >> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> >> > Application Information:  Process ID:  680  Application Name: 
> >> >> >> >> > \device
> >> >> >> >> > \harddiskvolume1\windows\system32\lsass.exe  Network 
> >> >> >> >> > Information:
> >> >> >> >> > Source Address:  0.0.0.0  Source Port:  53662  Protocol:  17  
> >> >> >> >> > Filter
> >> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  
> >> >> >> >> > Layer Run-
> >> >> >> >> > Time ID: 36
>
> >> >> >> >> > ** Alert 1340139464.177596: - windows,
> >> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
> >> >> >> >> > User: (no user)
> >> >> >> >> > WinEvtLog: Security: AUDIT_FAILURE(5159): 
> >> >> >> >> > Microsoft-Windows-Security-
> >> >> >> >> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: 
> >> >> >> >> > The
> >> >> >> >> > Windows Filtering Platform has blocked a bind to a local port.
> >> >> >> >> > Application Information:  Process ID:  1296  Application Name: 
> >> >> >> >> > \device
> >> >> >> >> > \harddiskvolume1\windows\system32\svchost.exe  Network 
> >> >> >> >> > Information:
> >> >> >> >> > Source Address:  0.0.0.0  Source Port:  56759  Protocol:  17  
> >> >> >> >> > Filter
> >> >> >> >> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  
> >> >> >> >> > Layer Run-
> >> >> >> >> > Time ID: 36
>
> >> >> >> >> > ** Alert 1340139464.178255: - windows,
> >> >> >> >> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> >> >> >> >> > Rule: 18149 (level 3) -> 'Windows User Logoff.'
> >> >> >> >> > User: VDYNAMIC-DAYCO$
> >> >> >> >> > WinEvtLog: Security: AUDIT_SUCCESS(4634): 
> >> >> >> >> > Microsoft-Windows-Security-
> >> >> >> >> > Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: 
> >> >> >> >> > VDynamic-dayco.daycohost.local:
> >> >> >> >> > An account was logged off. Subject:  Security ID:  S-1-5-18  
> >> >> >> >> > Account
> >> >> >> >> > Name:  VDYNAMIC-DAYCO$  Account Domain:  DAYCOHOST  Logon ID:
> >> >> >> >> > 0x6060269  Logon Type:   3  This event is generated when a logon
> >> >> >> >> > session is destroyed. It may be positively correlated with a 
> >> >> >> >> > logon
> >> >> >> >> > event using the Logon ID value. Logon IDs are only unique 
> >> >> >> >> > between
> >> >> >> >> > reboots on the same computer."  4646,1
>
> >> >> >> >> > DB (MySQL) view, table Data:
>
> >> >> >> >> > '997', '1', '(no user)', 'WinEvtLog: Security: 
> >> >> >> >> > AUDIT_FAILURE(5159):
> >> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> >> > VDynamic-
> >> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has 
> >> >> >> >> > blocked a
> >> >> >> >> > bind to a local port. Application Information:  Process ID:  
> >> >> >> >> > 1296
> >> >> >> >> > Application Name: /device/harddiskvolume1/windows/system32/
> >> >> >> >> > svchost.exe  Network Information:  Source Address:  0.0.0.0  
> >> >> >> >> > Source
> >> >> >> >> > Port:  64330  Protocol:  17  Filter Information:  Filter 
> >> >> >> >> > Run-Time ID:
> >> >> >> >> > 0  Layer Name:  %%14608  Layer Run-Time ID: 36', NULL
> >> >> >> >> > '998', '1', '(no user)', 'WinEvtLog: System: ERROR(7001): 
> >> >> >> >> > Service
> >> >> >> >> > Control Manager: (no user): no domain: DYC-ACCUNETIX: The 
> >> >> >> >> > WinHTTP Web
> >> >> >> >> > Proxy Auto-Discovery Service service depends on the DHCP Client
> >> >> >> >> > service which failed to start because of the following error:   
> >> >> >> >> > %
> >> >> >> >> > %1058  ', NULL
> >> >> >> >> > '999', '1', '(no user)', 'WinEvtLog: Security: 
> >> >> >> >> > AUDIT_FAILURE(5159):
> >> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> >> > VDynamic-
> >> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has 
> >> >> >> >> > blocked a
> >> >> >> >> > bind to a local port. Application Information:  Process ID:  680
> >> >> >> >> > Application Name: 
> >> >> >> >> > /device/harddiskvolume1/windows/system32/lsass.exe
> >> >> >> >> > Network Information:  Source Address:  0.0.0.0  Source Port:  
> >> >> >> >> > 64331
> >> >> >> >> > Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer
> >> >> >> >> > Name:  %%14608  Layer Run-Time ID: 36', NULL
> >> >> >> >> > '1000', '1', '(no user)', 'WinEvtLog: Security: 
> >> >> >> >> > AUDIT_FAILURE(5159):
> >> >> >> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> >> >> >> > VDynamic-
> >> >> >> >> > dayco.daycohost.local: The Windows Filtering Platform has 
> >> >> >> >> > blocked a
> >> >> >> >> > bind to a local port. Application Information:...
>
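
Added example (not part of the thread and not OSSEC WUI code): the WUI view quoted above shows pieces of the log line under "Src IP:", while the alert log quoted above has a "User:" line in some alerts and none in others. Assuming that mismatch comes from reading the lines after "Rule:" by position, this Python parser reads the quoted alert layout by label instead; parse_alerts and the shortened SAMPLE are constructed for illustration.

```python
import re

# Constructed sample: two alerts in the layout quoted in the thread (log text shortened).
SAMPLE = """\
** Alert 1340139464.176284: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): The Windows Filtering Platform has blocked a bind to a local port.

** Alert 1340296548.5315: - pam,syslog,authentication_success,
2012 Jun 21 12:05:48 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jun 21 12:05:46 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)
"""

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):[^-]*- ?(.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
WHEN = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.+)$")
OPTIONAL = {"Src IP: ": "srcip", "User: ": "user"}  # lines that may be absent


def parse_alerts(text):
    """Return one dict per alert; optional fields default to None."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        when = WHEN.match(lines[1]) if len(lines) > 1 else None
        rule = RULE.match(lines[2]) if len(lines) > 2 else None
        if not (head and when and rule):
            continue  # not an alert block in the layout shown above; skip it
        alert = {"id": head.group(1),
                 "groups": [g for g in head.group(2).split(",") if g],
                 "time": when.group(1), "location": when.group(2),
                 "rule": int(rule.group(1)), "level": int(rule.group(2)),
                 "comment": rule.group(3), "srcip": None, "user": None}
        rest = lines[3:]
        # Consume labelled lines only while the label matches; never slice by offset.
        while rest and any(rest[0].startswith(p) for p in OPTIONAL):
            prefix = next(p for p in OPTIONAL if rest[0].startswith(p))
            alert[OPTIONAL[prefix]] = rest.pop(0)[len(prefix):]
        alert["log"] = "\n".join(rest)  # everything left is the raw log text
        alerts.append(alert)
    return alerts
```

With the sample above, the first alert yields user "(no user)" and an empty source IP, and the second keeps its full syslog line as the log text instead of losing its first characters to a field label.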