On Tue, Jul 24, 2012 at 8:57 AM, Kashirin, Anton <[email protected]> wrote:
> Dan, sorry:
>
> 1. "step 1.5: are you using linux? If so, are you using selinux? If so, have
> you checked those logs to make sure it's not blocking access?"
>
> Yes, I'm using Linux - CentOS.
>
> Where do I look for selinux and its logs? (I'm new to linux)

/var/log/auditd or something maybe? Ask your admin. Depending on the
version of CentOS it could be enabled by default, so definitely find
the logs and see if that's blocking the access.

> 2. "Perhaps it's corrupted. Clear it out and restart the OSSEC processes."
>
> I cleared the logs and restarted the OSSEC processes. In
> /var/ossec/logs/ossec.log I now have the following:
>

Nothing about the corrupted entries, so I guess running syscheck_control
for that database helped get rid of those logs.

> 2012/07/24 10:50:20 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.

You should fix that.

> 2012/07/24 10:50:26 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 12:01:48 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2012/07/24 12:05:59 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2012/07/24 12:33:06 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 12:33:12 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 12:33:16 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 12:33:21 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 12:33:27 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 13:55:59 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/07/24 14:04:13 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/07/24 14:16:27 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 14:16:33 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 14:16:37 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 14:16:42 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 14:16:48 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 16:00:08 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 16:00:14 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 16:00:18 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 16:00:23 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
> 2012/07/24 16:00:29 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
>
> Best regards,
> Anton Kashirin
>
> -----Original Message-----
> From: [email protected] [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Tuesday, July 24, 2012 4:11 PM
> To: [email protected]
> Subject: Re: [ossec-list] Permission denied in /var/www/html/lib/os_lib_syscheck.php
>
> On Tue, Jul 24, 2012 at 7:08 AM, Kashirin, Anton <[email protected]> wrote:
> >> Ok. But I still receive the following notification every 1-2 minutes:
> >>
> >
> > Ok what? What have you done? Why haven't you answered the questions I
> > asked? You're asking for help, but not accepting it. Many of us have
> > better things to do than try to force you to accept help.
> >
> >> OSSEC HIDS Notification.
> >> 2012 Jul 24 12:17:11
> >>
> >> Received From: SRVAP280->/var/log/httpd/error_log
> >> Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
> >> Portion of the log(s):
> >>
> >> [Tue Jul 24 12:17:10 2012] [error] [client 10.14.64.18] PHP Warning:
> >> fopen(/var/ossec/queue/syscheck/(SRV008) 10.12.198.133->syscheck-registry):
> >> failed to open stream: Permission denied in
> >> /var/www/html/lib/os_lib_syscheck.php on line 165, referer:
> >> http://srvap280.rccf.ru/index.php
> >>
> >> --END OF NOTIFICATION
> >>
> >> Information for Tshoot:
> >>
> >> [root@SRVAP280 syscheck]# uname -a
> >> Linux SRVAP280.rccf.ru 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686 i686 i386 GNU/Linux
> >>
> >> [root@SRVAP280 ossec]# ll
> >> total 40
> >> dr-xr-x---.  3 root  ossec 4096 Jul  9 18:05 active-response
> >> dr-xr-x---.  2 root  ossec 4096 Jul  9 18:05 agentless
> >> dr-xr-x---.  2 root  ossec 4096 Jul  9 18:05 bin
> >> dr-xr-x---.  3 root  ossec 4096 Jul 13 11:25 etc
> >> drwxr-x---.  5 ossec ossec 4096 Jul  9 18:05 logs
> >> drwxrwx---. 11 root  ossec 4096 Jul  9 18:05 queue
> >> dr-xr-x---.  3 root  ossec 4096 Jul  9 18:05 rules
> >> drwxr-x---.  5 ossec ossec 4096 Jul  9 18:09 stats
> >> dr-xr-x---.  2 root  ossec 4096 Jul  9 18:05 tmp
> >> dr-xr-x---.  3 root  ossec 4096 Jul 23 15:43 var
> >>
> >> [root@SRVAP280 queue]# ll
> >> total 36
> >> drwxr-xr-x. 2 ossecr ossec 4096 Jul 13 12:30 agent-info
> >> drwxr-xr-x. 2 ossec  ossec 4096 Jul  9 18:05 agentless
> >> drwxrwx---. 2 ossec  ossec 4096 Jul 23 15:43 alerts
> >> drwxr-x---. 2 ossec  ossec 4096 Jul  9 18:05 diff
> >> drwxr-x---. 2 ossec  ossec 4096 Jul  9 18:09 fts
> >> drwxrwx---. 2 ossec  ossec 4096 Jul 23 15:43 ossec
> >> drwxr-xr-x. 2 ossecr ossec 4096 Jul 13 12:30 rids
> >> drwxr-x---. 2 ossec  ossec 4096 Jul 13 12:31 rootcheck
> >> drwxrwxrwx. 2 ossec  ossec 4096 Jul 24 14:04 syscheck
> >>
> >> [root@SRVAP280 syscheck]# ll
> >> total 384
> >> -rw-rw-rw-. 1 ossec ossec      0 Jul 23 15:45 (SRV008) 10.12.198.133->syscheck
> >> -rw-rw-rw-. 1 ossec ossec   1434 Jul 24 08:53 (SRV008) 10.12.198.133->syscheck-registry
> >> -rw-rw-rw-. 1 ossec ossec      0 Jul 23 15:45 (SRVAP295) 10.15.129.182->syscheck
> >> -rw-rw-rw-. 1 ossec ossec    131 Jul 24 10:51 (SRVAP295) 10.15.129.182->syscheck-registry
> >> -rw-rw-rw-. 1 ossec ossec 449938 Jul 23 15:52 syscheck
> >>
> >> [root@SRVAP280 etc]# cat /etc/group
> >> …
> >> apache:x:48:
> >> ossec:x:500:apache
> >>
> >> Please help me!
> >>
> >> Best regards,
> >> Anton Kashirin
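The two symptoms in this thread can both be triaged from logs: ossec-remoted logging "Message from <ip> not allowed" usually means the sending agent's address has no matching entry in the manager's client.keys, and the PHP "Permission denied" on the syscheck files, with 666 files, a 777 directory and apache already in group ossec, points past DAC to SELinux, which is evaluated after the mode bits and records each refusal as an AVC denial in the auditd log. The script below is an added example, not code from the thread's authors or from the OSSEC project. It assumes the standard paths /var/ossec/logs/ossec.log and /var/log/audit/audit.log (the auditd log on CentOS) unless others are given as arguments; the log lines inside make_samples are constructed for the offline demo, not real captures.

```shell
#!/bin/sh
# Added triage helper for the two symptoms in this thread; example code, not from
# the thread's authors or the OSSEC project. Assumptions: the caller can read
# /var/ossec/logs/ossec.log and /var/log/audit/audit.log (or passes other paths);
# the sample lines in make_samples are constructed, not real captures.

# Count ossec-remoted "Message from <ip> not allowed" warnings per source IP.
# Prints "<count> <ip>", most frequent first. Each such IP is sending to the
# manager without a matching client.keys entry, so the manager drops it.
count_not_allowed() {
    grep 'ossec-remoted.*Message from .* not allowed' "$1" \
        | sed -n 's/.*Message from \([0-9.]*\) not allowed.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# List SELinux AVC denials recorded for one process name (comm=) in audit.log.
# Prints "<permissions> <tclass> <name>" per denial, e.g. "read dir syscheck".
# A hit for comm="httpd" on the syscheck files explains PHP's "Permission denied"
# even when the DAC bits look permissive: SELinux can still refuse the open.
avc_denials_for() {
    grep 'avc: *denied' "$1" | grep "comm=\"$2\"" \
        | sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*name="\([^"]*\)".*tclass=\([a-z_]*\).*/\1 \3 \2/p'
}

# Run both checks and, where the tool exists, report the current SELinux mode.
triage() {
    echo "== agents rejected by ossec-remoted (compare with /var/ossec/etc/client.keys) =="
    count_not_allowed "$1"
    echo "== SELinux denials for httpd (the process running the web UI) =="
    avc_denials_for "$2" httpd
    if command -v getenforce >/dev/null 2>&1; then
        echo "== SELinux mode: $(getenforce) =="
    fi
}

# Constructed sample logs so the script can be exercised offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ossec.log" <<'EOF'
2012/07/24 10:50:20 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:01:48 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/07/24 12:33:06 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:40:00 ossec-remoted(1213): WARN: Message from 192.0.2.9 not allowed.
EOF
    cat > "$dir/audit.log" <<'EOF'
type=AVC msg=audit(1343131030.123:4567): avc:  denied  { read } for  pid=2201 comm="httpd" name="syscheck" dev=dm-0 ino=262201 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1343131030.456:4568): avc:  denied  { read write } for  pid=2201 comm="httpd" name="syscheck-registry" dev=dm-0 ino=262210 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1343131031.789:4569): avc:  denied  { read } for  pid=900 comm="sshd" name="hosts" dev=dm-0 ino=1001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
    echo "$dir"
}

# Usage: sh ossec_triage.sh <ossec.log> <audit.log>
#        sh ossec_triage.sh --demo      (runs against the constructed samples)
case "${1:-}" in
    --demo)
        d=$(make_samples)
        triage "$d/ossec.log" "$d/audit.log"
        rm -rf "$d"
        ;;
    "") ;;   # sourced or run without arguments: only define the functions
    *)  triage "$1" "${2:-/var/log/audit/audit.log}" ;;
esac
```

On a host with auditd, `ausearch -m avc -c httpd` gives the same denial view without the sed parsing. The point of separating the two checks is that they have different fixes: a rejected agent is a registration problem on the manager side, while an httpd_t denial against the syscheck files is an SELinux labelling or policy question and no amount of chmod will change it.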
