I've opened an issue on github...
I don't know what else to do now to fix this problem :(

On Wednesday, July 15, 2015 21:11:03 UTC+2, theresa mic-snare wrote:
>
>
> first of all, let me thank you for the time and effort you've put into 
> troubleshooting for me so far.... it's very appreciated. 
> also i'm documenting it all as i'm writing my thesis on ossec :)
>
> oh yeah, sorry forgot to mention:
>
> OS: centos 6.6
> apache: 2.2
> latest version of WUI (cloned it straight off github)
>
> On Wednesday, July 15, 2015 21:01:46 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Jul 15, 2015 2:55 PM, "theresa mic-snare" <[email protected]> wrote:
>> >
>> > nope, selinux is disabled (set to permissive)
>> > i am running this on a small VM (with not many resources), that's why I 
>> hesitate to get the ELK stack going.... i think it'd be a bit of an 
>> overkill for my test environment.
>> >
>>
>> I can't do any testing right now, but I can try later (time and memory 
>> permitting). Other than that, I don't have any other ideas at the moment.
>> Which distro are you using? I'm assuming apache. Which version of the 
>> wui? The latest code in the repo or 0.8?
>>
>> > would you mind editing your previous post? I forgot to remove my 
>> website url in my previous post.....
>> >
>> >
>> > On Wednesday, July 15, 2015 20:36:28 UTC+2, theresa mic-snare wrote:
>> >>
>> >> hmm the partition is mounted rw (no other options) .... it's a single 
>> logical volume.
>> >>
>> >> nope, just dozens of this PHP Warning:  fopen(./tmp/output-tmp.1-59-
>> >> 9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such 
>> file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 
>> 39
>> >>
>> >> that's the thing:
>> >> the temp file doesn't exist, nor does the tmp directory in the 
>> ossec-wui directory exist.
>> >> the whole ossec-wui directory (and its subdirectories) belong to 
>> root:root instead of apache:apache
>> >> maybe this is the problem?
>> >>
>> >> i cloned it off of github and followed the instructions. hmm
>> >>
>> >>
>> >> On Wednesday, July 15, 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
>> >>>
>> >>>
>> >>> On Jul 15, 2015 1:57 PM, "theresa mic-snare" <[email protected]> 
>> wrote:
>> >>> >
>> >>> >
>> >>> >
>> >>> > On Wednesday, July 15, 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
>> >>> >>
>> >>> >>
>> >>> >> On Jul 15, 2015 1:44 PM, "theresa mic-snare" <[email protected]> 
>> wrote:
>> >>> >> >
>> >>> >> > oh yeah, there are tons of messages like this in the apache 
>> error log
>> >>> >> >
>> >>> >> > PHP Warning: 
>>  fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed 
>> to open stream: No such file or directory in 
>> /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>> >>> >> >
>> >>> >>
>> >>> >> So make sure that temp file isn't getting created. What are the 
>> owner/group and perms of the tmp dir?
>> >>> >
>> >>> >
>> >>> >
>> >>> > hmm there's no tmp dir in /var/www/html/ossec-wui
>> >>> >
>> >>> > the owner/group and perms of the /var/ossec/tmp dir however are:
>> >>> > root:apache and 770
>> >>> >
>> >>>
>> >>> What are the mount options for the partition /var/ossec is on? 
>> >>> Are there any log messages prior to the one you posted about not 
>> being able to create the temp file?
>> >>> Does the temp file exist? If so, what are the perms?
>> >>>
>> >>> >  
>> >>> >>
>> >>> >> > @dan: what do you use instead? logstash and kibana?
>> >>> >> >
>> >>> >>
>> >>> >> I don't use anything currently, but the elk stack has worked fine 
>> for me in the past. Graylog2 was also decent. Splunk was ok except for the 
>> 500mb/day limit on the free version.
>> >>> >>
>> >>> >> > On Wednesday, July 15, 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> On Jul 9, 2015 5:36 PM, "theresa mic-snare" <
>> [email protected]> wrote:
>> >>> >> >> >
>> >>> >> >> > hi all,
>> >>> >> >> >
>> >>> >> >> > yes, it's me again ;)
>> >>> >> >> >
>> >>> >> >> > i've cloned the ossec-wui from github.com
>> >>> >> >> > and wanted to search my alerts.
>> >>> >> >> >
>> >>> >> >> > in the time frame i put from yesterday (e.g 2017-07-08) and 
>> till now
>> >>> >> >> > Minimum Level: all
>> >>> >> >> > SrcIP: a specific IP that I got through the notification 
>> emails (and that I can also find in the alerts.log)
>> >>> >> >> > other than that everything is default.
>> >>> >> >> >
>> >>> >> >> > at the bottom of the page it says:
>> >>> >> >> > Total alerts found: 3339
>> >>> >> >> > Output divided in 4 pages.
>> >>> >> >> >
>> >>> >> >> > and
>> >>> >> >> > Page 1 (338 alerts)   
>> >>> >> >> > Nothing returned (or search expired). 
>> >>> >> >> >
>> >>> >> >> > which is crazy, because there was only 1 alert from this 
>> specific IP.
>> >>> >> >> >
>> >>> >> >> > also no alert is actually showing up, unlike in the 
>> alerts.log or in the email notification.
>> >>> >> >> >
>> >>> >> >> > what am i doing wrong here?
>> >>> >> >> >
>> >>> >> >> > I could also attach a screenshot if need be....
>> >>> >> >> >
>> >>> >> >>
>> >>> >> >> Are there any related log messages in the webserver's log 
>> files? I don't use the wui (it's currently a dead project), but I kinda 
>> remember it logging when things went wrong.
>> >>> >> >>
>> >>> >> >> > thanks theresa
>> >>> >> >> >
>> >>> >> >> > -- 
>> >>> >> >> >
>> >>> >> >> > --- 
>> >>> >> >> > You received this message because you are subscribed to the 
>> Google Groups "ossec-list" group.
>> >>> >> >> > To unsubscribe from this group and stop receiving emails from 
>> it, send an email to [email protected].
>> >>> >> >>
>> >>> >> >> > For more options, visit https://groups.google.com/d/optout.
>> >>> >> >
>> >>> >
>> >
>>  
>

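The diagnosis dan is steering towards in this thread (tmp/ missing under the WUI checkout, or owned by root:root rather than the web server account) can be checked mechanically. The script below is an added example, not code from ossec-wui; it assumes GNU stat as shipped on CentOS and takes the WUI directory and the httpd account as arguments.

```shell
#!/bin/bash
# Added diagnostic helper (not part of ossec-wui). lib/os_lib_alerts.php writes
# its search results to ./tmp/output-tmp.*; the "failed to open stream: No such
# file or directory" warning from the thread means that directory is missing or
# not writable by the web server account. Assumes GNU stat (CentOS).
#
# Usage: check_wui_tmp <wui_dir> <httpd_user>   e.g. /var/www/html/ossec-wui apache
# Returns 0 when tmp/ exists and the account can write to it, 1 otherwise.
check_wui_tmp() {
    local wui_dir=$1 httpd_user=$2
    local tmp_dir="$wui_dir/tmp" owner group mode httpd_group

    if [ ! -d "$tmp_dir" ]; then
        echo "FAIL: $tmp_dir does not exist; fopen(./tmp/...) will fail with ENOENT"
        return 1
    fi

    owner=$(stat -c '%U' "$tmp_dir")
    group=$(stat -c '%G' "$tmp_dir")
    mode=$(stat -c '%a' "$tmp_dir")                  # e.g. 755, or 2770 with setgid
    httpd_group=$(id -gn "$httpd_user" 2>/dev/null || true)
    echo "INFO: $tmp_dir is $owner:$group mode $mode"

    # Pick the permission triple that applies to the web server account.
    # "0$mode" makes bash read the stat output as octal.
    if [ "$owner" = "$httpd_user" ]; then
        [ $(( 0$mode & 0200 )) -ne 0 ] && return 0
        echo "FAIL: owned by $httpd_user but the owner-write bit is clear"
    elif [ -n "$httpd_group" ] && [ "$group" = "$httpd_group" ]; then
        [ $(( 0$mode & 0020 )) -ne 0 ] && return 0
        echo "FAIL: group $group matches but the group-write bit is clear"
    else
        [ $(( 0$mode & 0002 )) -ne 0 ] && return 0
        echo "FAIL: $owner:$group is neither $httpd_user nor its group, and not world-writable"
    fi
    echo "HINT: mkdir $tmp_dir && chown $httpd_user $tmp_dir && chmod 750 $tmp_dir"
    return 1
}

# Run directly: check_wui_tmp.sh /var/www/html/ossec-wui apache
if [ $# -ge 2 ]; then
    check_wui_tmp "$1" "$2"
fi
```

The check reads permission bits rather than attempting a write as the httpd user, so it gives the same answer whether run as root or as an unprivileged account.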