first of all, let me thank you for the time and effort you've put into troubleshooting for me so far.... it's very appreciated. also i'm documenting it all as i'm writing my thesis on ossec :)
oh yeah, sorry, forgot to mention:
OS: centos 6.6
apache: 2.2
latest version of WUI (cloned it straight off github)

On Wednesday, 15 July 2015 21:01:46 UTC+2, dan (ddpbsd) wrote:
> On Jul 15, 2015 2:55 PM, "theresa mic-snare" <[email protected]> wrote:
> >
> > nope, selinux is disabled (set to permissive)
> > i am running this on a small VM (with not many resources), that's why I hesitate to get the ELK stack going.... i think it'd be a bit of an overkill for my test environment.
>
> I can't do any testing right now, but I can try later (time and memory permitting). Other than that, I don't have any other ideas at the moment. Which distro are you using? I'm assuming apache. Which version of the wui? The latest code in the repo or 0.8?
>
> > would you mind editing your previous post? I forgot to remove my website url in my previous post.....
> >
> > On Wednesday, 15 July 2015 20:36:28 UTC+2, theresa mic-snare wrote:
> >> hmm the partition is mounted rw (no other options) .... it's a single logical volume.
> >>
> >> nope, just dozens of this PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
> >>
> >> that's the thing:
> >> the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
> >> the whole ossec-wui directory (and its subdirectories) belong to root:root instead of apache:apache
> >> maybe this is the problem?
> >>
> >> i cloned it off of github and followed the instructions. hmm
> >>
> >> On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
> >>> On Jul 15, 2015 1:57 PM, "theresa mic-snare" <[email protected]> wrote:
> >>> >
> >>> > On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
> >>> >> On Jul 15, 2015 1:44 PM, "theresa mic-snare" <[email protected]> wrote:
> >>> >> >
> >>> >> > oh yeah, there are tons of messages like this in the apache error log
> >>> >> >
> >>> >> > PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
> >>> >>
> >>> >> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?
> >>> >
> >>> > hmm there's no tmp dir in /var/www/html/ossec-wui
> >>> >
> >>> > the owner/group and perms of the /var/ossec/tmp dir however are:
> >>> > root:apache and 770
> >>>
> >>> What are the mount options for the partition /var/ossec is on?
> >>> Are there any log messages prior to the one you posted about not being able to create the temp file?
> >>> Does the temp file exist? If so, what are the perms?
> >>>
> >>> >> > @dan: what do you use instead? logstash and kibana?
> >>> >>
> >>> >> I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
> >>> >>
> >>> >> > On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
> >>> >> >> On Jul 9, 2015 5:36 PM, "theresa mic-snare" <[email protected]> wrote:
> >>> >> >> >
> >>> >> >> > hi all,
> >>> >> >> >
> >>> >> >> > yes, it's me again ;)
> >>> >> >> >
> >>> >> >> > i've cloned the ossec-wui from github.com
> >>> >> >> > and wanted to search my alerts.
> >>> >> >> >
> >>> >> >> > in the time frame i put from yesterday (e.g. 2017-07-08) and till now
> >>> >> >> > Minimum Level: all
> >>> >> >> > SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log)
> >>> >> >> > other than that everything is default.
> >>> >> >> >
> >>> >> >> > at the bottom of the page it says:
> >>> >> >> > Total alerts found: 3339
> >>> >> >> > Output divided in 4 pages.
> >>> >> >> >
> >>> >> >> > and
> >>> >> >> > Page 1 (338 alerts)
> >>> >> >> > Nothing returned (or search expired).
> >>> >> >> >
> >>> >> >> > which is crazy, because there was only 1 alert from this specific IP.
> >>> >> >> >
> >>> >> >> > also no alert is actually showing up, unlike in the alerts.log or in the email notification.
> >>> >> >> >
> >>> >> >> > what am i doing wrong here?
> >>> >> >> >
> >>> >> >> > I could also attach a screenshot if need be....
> >>> >> >>
> >>> >> >> Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.
> >>> >> >>
> >>> >> >> > thanks theresa
> >>> >> >> >
> >>> >> >> > --
> >>> >> >> > ---
> >>> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >>> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>> >> >> > For more options, visit https://groups.google.com/d/optout.
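The state dan asks about in the quoted exchange (does the wui tmp directory exist, who owns it, can the web server's group write to it) can be checked and fixed with a short script. The one below is an added example, not code from this thread or from the ossec-wui project. It assumes POSIX sh and the usual `ls -ld` field order (permissions, links, user, group); the path /var/www/html/ossec-wui/tmp and the apache user/group in the usage line are the ones this thread mentions, and the root:apache 770 layout in the example invocation mirrors what the thread reports for /var/ossec/tmp rather than anything the thread concluded for the wui directory.

```shell
#!/bin/sh
# Added example (not from the thread or the ossec-wui project).
# os_lib_alerts.php writes search output to ./tmp/output-tmp.* under the wui
# directory; the PHP warning quoted in the thread is what you see when that
# directory is missing or not writable by the account the web server runs as.
#
# check_wui_tmp DIR USER GROUP -> 0 if DIR exists, is owned by USER:GROUP and
#                                 is rwx for owner and group with no world
#                                 access; 1 otherwise (reasons are printed)
# fix_wui_tmp   DIR USER GROUP -> create DIR with those settings (needs root
#                                 unless USER is the caller)
#
# Assumption: `ls -ld` prints "perms links user group ..." (GNU and BSD do).

check_wui_tmp() {
    dir=$1
    want_user=$2
    want_group=$3
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist; fopen(./tmp/output-tmp.*) will fail"
        return 1
    fi

    # Pull the permission string, owner and group out of `ls -ld`.
    set -- $(ls -ld "$dir")
    perms=$1
    user=$3
    group=$4

    if [ "$user" != "$want_user" ]; then
        echo "FAIL: $dir is owned by $user, expected $want_user"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $dir has group $group, expected $want_group"
        rc=1
    fi
    # Owner and group need rwx (create, list, traverse); world gets nothing.
    # The trailing * tolerates the '.' or '+' ls appends for SELinux/ACLs.
    case $perms in
        ?rwxrwx---*) ;;
        *)
            echo "FAIL: $dir has mode $perms, expected drwxrwx--- (770)"
            rc=1
            ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is $user:$group $perms"
    fi
    return "$rc"
}

fix_wui_tmp() {
    dir=$1
    user=$2
    group=$3
    mkdir -p "$dir" || return 1
    # Do not silently continue if chown is refused (not root, unknown user).
    chown "$user:$group" "$dir" || { echo "FAIL: could not chown $dir"; return 1; }
    chmod 770 "$dir"
}

# Example invocation with the thread's path and web server account. Run as
# root, e.g.:  sh check_wui_tmp.sh --run
if [ "$1" = "--run" ]; then
    fix_wui_tmp /var/www/html/ossec-wui/tmp root apache
    check_wui_tmp /var/www/html/ossec-wui/tmp root apache
fi
```

The check deliberately refuses a world-writable or world-readable tmp directory: the output-tmp.*.php files contain the alert search results, so mode 770 keeps them readable only by root and the web server's group.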
