On Jul 15, 2015 2:55 PM, "theresa mic-snare" <[email protected]> wrote:
>
> nope, selinux is disabled (set to permissive)
> i am running this on a small VM (with not many resources), that's why I
> hesitate to get the ELK stack going.... i think it'd be a bit of an
> overkill for my test environment.
>

I can't do any testing right now, but I can try later (time and memory
permitting). Other than that, I don't have any other ideas at the moment.
Which distro are you using? I'm assuming apache. Which version of the wui?
The latest code in the repo or 0.8?

> would you mind editing your previous post? I forgot to remove my website
> url in my previous post.....
>
>
> On Wednesday, July 15, 2015 at 20:36:28 UTC+2, theresa mic-snare wrote:
>>
>> hmm the partition is mounted rw (no other options) .... it's a single
>> logical volume.
>>
>> nope, just dozens of this PHP Warning:
>> fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>>
>> that's the thing:
>> the temp file doesn't exist, nor does the tmp directory in the ossec-wui
>> directory exist.
>> the whole ossec-wui directory (and its subdirectories) belong to
>> root:root instead of apache:apache
>> maybe this is the problem?
>>
>> i cloned it off of github and followed the instruction. hmm
>>
>>
>> On Wednesday, July 15, 2015 at 20:03:06 UTC+2, dan (ddpbsd) wrote:
>>>
>>>
>>> On Jul 15, 2015 1:57 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >
>>> >
>>> >
>>> > On Wednesday, July 15, 2015 at 19:49:18 UTC+2, dan (ddpbsd) wrote:
>>> >>
>>> >>
>>> >> On Jul 15, 2015 1:44 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >> >
>>> >> > oh yeah, there are tons of messages like this in the apache error log
>>> >> >
>>> >> > PHP Warning:  fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>>> >> >
>>> >>
>>> >> So make sure that temp file isn't getting created. What are the
>>> >> owner/group and perms of the tmp dir?
>>> >
>>> >
>>> >
>>> > hmm there's no tmp dir in /var/www/html/ossec-wui
>>> >
>>> > the owner/group and perms of the /var/ossec/tmp dir however are:
>>> > root:apache and 770
>>> >
>>>
>>> What are the mount options for the partition /var/ossec is on?
>>> Are there any log messages prior to the one you posted about not being
>>> able to create the temp file?
>>> Does the temp file exist? If so, what are the perms?
>>>
>>> >
>>> >>
>>> >> > @dan: what do you use instead? logstash and kibana?
>>> >> >
>>> >>
>>> >> I don't use anything currently, but the elk stack has worked fine
>>> >> for me in the past. Graylog2 was also decent. Splunk was ok except for the
>>> >> 500mb/day limit on the free version.
>>> >>
>>> >> > On Wednesday, July 15, 2015 at 19:07:32 UTC+2, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >>
>>> >> >> On Jul 9, 2015 5:36 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >> >> >
>>> >> >> > hi all,
>>> >> >> >
>>> >> >> > yes, it's me again ;)
>>> >> >> >
>>> >> >> > i've cloned the ossec-wui from github.com
>>> >> >> > and wanted to search my alerts.
>>> >> >> >
>>> >> >> > in the time frame i put from yesterday (e.g. 2017-07-08) and
>>> >> >> > till now
>>> >> >> > Minimum Level: all
>>> >> >> > SrcIP: a specific IP that I got through the notification emails
>>> >> >> > (and that I can also find in the alerts.log)
>>> >> >> > other than that everything is default.
>>> >> >> >
>>> >> >> > at the bottom of the page it says:
>>> >> >> > Total alerts found: 3339
>>> >> >> > Output divided in 4 pages.
>>> >> >> >
>>> >> >> > and
>>> >> >> > Page 1 (338 alerts)
>>> >> >> > Nothing returned (or search expired).
>>> >> >> >
>>> >> >> > which is crazy, because there was only 1 alert from this
>>> >> >> > specific IP.
>>> >> >> >
>>> >> >> > also no alert is actually showing up, unlike in the alerts.log
>>> >> >> > or in the email notification.
>>> >> >> >
>>> >> >> > what am i doing wrong here?
>>> >> >> >
>>> >> >> > I could also attach a screenshot if need be....
>>> >> >> >
>>> >> >>
>>> >> >> Are there any related log messages in the webserver's log files?
>>> >> >> I don't use the wui (it's currently a dead project), but I kinda remember
>>> >> >> it logging when things went wrong.
>>> >> >>
>>> >> >> > thanks theresa
>>> >> >> >
>>> >> >> > --
>>> >> >> >
>>> >> >> > ---
>>> >> >> > You received this message because you are subscribed to the
Google Groups "ossec-list" group.
>>> >> >> > To unsubscribe from this group and stop receiving emails from
it, send an email to [email protected].
>>> >> >>
>>> >> >> > For more options, visit https://groups.google.com/d/optout.
>>> >> >
>>> >
>

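Dan's question about the owner, group and perms of the tmp dir, together with the fopen warnings Theresa pasted from the Apache error log, amount to a small diagnostic: pull the path PHP tried to write out of each warning and check whether the directory it points to exists and actually grants the web server account write and search permission. The script below is an added example written for this thread; it is not part of ossec-wui and none of the people in the thread posted it. It assumes the warning text format shown above (the `[date] [error] [client ...]` prefixes on the sample lines are constructed), that the web server runs as a local account such as `apache`, and that you pass in the working directory PHP resolves `./tmp` against (for a script under the document root that is normally the document root or the script's directory, so confirm it for your setup). The audit reads mode bits rather than trying to create a file, so it gives the same answer whether you run it as root or as the web user.

```python
"""Map "fopen(...): failed to open stream" warnings from the Apache error
log to the directory PHP tried to write into, and explain why the web
server account cannot create files there.

Added example written for this mailing-list thread; not part of ossec-wui.
"""
import grp
import os
import pwd
import re
import stat

# Format of the warnings pasted in the thread.
FOPEN_WARNING = re.compile(
    r"PHP Warning:\s+fopen\((?P<target>[^)]+)\):\s+failed to open stream:\s+"
    r"(?P<reason>.+?)\s+in\s+(?P<script>\S+)\s+on line\s+(?P<line>\d+)"
)

# Constructed sample: the two warnings from the thread wrapped in a made-up
# Apache error_log prefix, plus one unrelated line that must be ignored.
SAMPLE_LOG = [
    "[Wed Jul 15 20:30:01 2015] [error] [client 192.0.2.10] PHP Warning:  "
    "fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): "
    "failed to open stream: No such file or directory in "
    "/var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39",
    "[Wed Jul 15 20:31:44 2015] [error] [client 192.0.2.10] PHP Warning:  "
    "fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): "
    "failed to open stream: No such file or directory in "
    "/var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39",
    "[Wed Jul 15 20:31:45 2015] [notice] unrelated line, ignored",
]


def parse_fopen_warnings(lines):
    """Return one (target, reason, script, line) tuple per fopen warning."""
    hits = []
    for line in lines:
        m = FOPEN_WARNING.search(line)
        if m:
            hits.append((m["target"], m["reason"], m["script"], int(m["line"])))
    return hits


def resolve_account(user_name):
    """uid and the set of gids (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(user_name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user_name in g.gr_mem)
    return pw.pw_uid, gids


def audit_dir(path, uid, gids):
    """Explain why an account with (uid, gids) cannot create files in path.

    Uses POSIX rules: only the owner bits count if the uid owns the
    directory, else the group bits if the gid matches, else the other
    bits.  Returns [] when the directory exists and grants write + search.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (create it and chown it to the web server user)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} exists but is not a directory"]

    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        who, w_bit, x_bit = "owner", stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        who, w_bit, x_bit = "group", stat.S_IWGRP, stat.S_IXGRP
    else:
        who, w_bit, x_bit = "other", stat.S_IWOTH, stat.S_IXOTH

    findings = []
    where = f"{path} (owner uid {st.st_uid}, gid {st.st_gid}, mode {mode:04o})"
    if not mode & w_bit:
        findings.append(f"{where}: uid {uid} matches as '{who}' but has no write bit")
    if not mode & x_bit:
        findings.append(f"{where}: uid {uid} matches as '{who}' but has no search (x) bit")
    return findings


def diagnose(log_lines, php_cwd, uid, gids):
    """For each distinct directory named in an fopen warning, run audit_dir.

    php_cwd is the directory PHP resolves a relative './tmp' against.
    Returns {absolute_directory: findings}.
    """
    report = {}
    for target, _reason, _script, _line in parse_fopen_warnings(log_lines):
        wanted = os.path.normpath(os.path.join(php_cwd, os.path.dirname(target)))
        if wanted not in report:
            report[wanted] = audit_dir(wanted, uid, gids)
    return report


if __name__ == "__main__":
    import sys
    web_user = sys.argv[1] if len(sys.argv) > 1 else "apache"   # assumed account name
    php_cwd = sys.argv[2] if len(sys.argv) > 2 else "/var/www/html/ossec-wui"
    try:
        uid, gids = resolve_account(web_user)
    except KeyError:
        sys.exit(f"no local account named {web_user!r}; pass the web server user as argv[1]")
    for directory, findings in diagnose(SAMPLE_LOG, php_cwd, uid, gids).items():
        print(directory, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it as `python3 diag.py apache /var/www/html/ossec-wui` (or feed it your real error_log lines instead of `SAMPLE_LOG`). In the situation described in the thread, where there is no `tmp` directory under `ossec-wui` at all and the tree is owned by root:root, the first check fires; once the directory exists with the wrong ownership, the mode-bit checks tell you which of owner, group or other the web user falls under and which bit is missing.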
