On Jul 15, 2015 1:57 PM, "theresa mic-snare" <[email protected]> wrote:
>
> On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
>>
>> On Jul 15, 2015 1:44 PM, "theresa mic-snare" <[email protected]> wrote:
>> >
>> > oh yeah, there are tons of messages like this in the apache error log
>> >
>> > PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>> >
>>
>> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?
>
> hmm there's no tmp dir in /var/www/html/ossec-wui
> the owner/group and perms of the /var/ossec/tmp dir however are:
> root:apache and 770
>

What are the mount options for the partition /var/ossec is on? Are there any log messages prior to the one you posted about not being able to create the temp file? Does the temp file exist? If so, what are the perms?

>> > @dan: what do you use instead? logstash and kibana?
>>
>> I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
>>
>> > On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Jul 9, 2015 5:36 PM, "theresa mic-snare" <[email protected]> wrote:
>> >> >
>> >> > hi all,
>> >> >
>> >> > yes, it's me again ;)
>> >> >
>> >> > I've cloned the ossec-wui from github.com
>> >> > and wanted to search my alerts.
>> >> >
>> >> > in the time frame I put from yesterday (e.g. 2017-07-08) and till now
>> >> > Minimum Level: all
>> >> > SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log)
>> >> > other than that everything is default.
>> >> >
>> >> > at the bottom of the page it says:
>> >> > Total alerts found: 3339
>> >> > Output divided in 4 pages.
>> >> >
>> >> > and
>> >> > Page 1 (338 alerts)
>> >> > Nothing returned (or search expired).
>> >> >
>> >> > which is crazy, because there was only 1 alert from this specific IP.
>> >> >
>> >> > also no alert is actually showing up, unlike in the alerts.log or in the email notification.
>> >> >
>> >> > what am I doing wrong here?
>> >> >
>> >> > I could also attach a screenshot if need be....
>> >> >
>> >>
>> >> Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.
>> >>
>> >> > thanks theresa

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
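The checks dan asks for above (does the tmp dir exist, who owns it and with what mode, what the mount options are, is a temp file already there) collected into one script. This is an added example, not code from the thread or from ossec-wui; it assumes GNU coreutils stat and util-linux findmnt, and takes the web server's user name as its second argument (apache, as in the thread, by default).

```sh
#!/bin/sh
# Added example: gathers the checks from the thread into one command.
# Assumes GNU coreutils stat and util-linux findmnt (assumption, not from the thread).
# Permission bits are checked literally, so root is treated like any other user.
# check_wui_tmp DIR WEBUSER -> prints findings; returns 0 only if DIR is usable.
check_wui_tmp() {
    wui_dir=$1
    web_user=$2
    wui_rc=0
    if [ ! -d "$wui_dir" ]; then
        echo "MISSING: $wui_dir does not exist (the WUI opens ./tmp relative to its own directory)"
        return 1
    fi
    wui_owner=$(stat -c '%U' "$wui_dir")
    wui_group=$(stat -c '%G' "$wui_dir")
    wui_mode=$(stat -c '%a' "$wui_dir")
    echo "INFO: $wui_dir is $wui_owner:$wui_group mode $wui_mode"
    wui_perm=${wui_mode#"${wui_mode%???}"}   # keep only the rwx triplets (drops a setgid digit)
    # Pick the triplet that applies to WEBUSER: owner, group member, or other.
    if [ "$wui_owner" = "$web_user" ]; then
        wui_digit=${wui_perm%??}
    elif id -nG "$web_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$wui_group"; then
        wui_digit=${wui_perm#?}; wui_digit=${wui_digit%?}
    else
        wui_digit=${wui_perm#??}
    fi
    case $wui_digit in
        3|7) ;;   # write and search (x) bits set: files can be created
        *) echo "PROBLEM: $web_user cannot create files in $wui_dir (effective bits: $wui_digit)"; wui_rc=1 ;;
    esac
    if command -v findmnt >/dev/null 2>&1; then
        wui_opts=$(findmnt -no OPTIONS --target "$wui_dir" 2>/dev/null) || wui_opts=unknown
        echo "INFO: mount options for $wui_dir: $wui_opts"
        case ",$wui_opts," in
            *,ro,*) echo "PROBLEM: filesystem is mounted read-only"; wui_rc=1 ;;
        esac
    fi
    # Leftover temp files show whether fopen ever succeeded, and with what perms.
    for wui_f in "$wui_dir"/output-tmp.*; do
        if [ -e "$wui_f" ]; then
            echo "INFO: existing temp file: $(stat -c '%U:%G %a %n' "$wui_f")"
        fi
    done
    return $wui_rc
}
# Usage: sh check_wui_tmp.sh /var/www/html/ossec-wui/tmp apache
if [ $# -ge 1 ]; then
    check_wui_tmp "$1" "${2:-apache}"
fi
```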
