On Jul 17, 2015 7:08 AM, "theresa mic-snare" <[email protected]> wrote:
>
> I've opened an issue on github...
> I don't know what else to do now to fix this problem :(
>

I think that's the best option. I haven't had a chance to test this (and I can't reasonably duplicate your setup).

> On Wednesday, 15 July 2015 21:11:03 UTC+2, theresa mic-snare wrote:
>>
>> first of all, let me thank you for the time and effort you've put into troubleshooting for me so far.... it's very appreciated.
>> also I'm documenting it all as I'm writing my thesis on ossec :)
>>
>> oh yeah, sorry forgot to mention:
>>
>> OS: centos 6.6
>> apache: 2.2
>> latest version of WUI (cloned it straight off github)
>>
>> On Wednesday, 15 July 2015 21:01:46 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Jul 15, 2015 2:55 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >
>>> > nope, selinux is disabled (set to permissive)
>>> > i am running this on a small VM (with not many resources), that's why I hesitate to get the ELK stack going.... i think it'd be a bit of an overkill for my test environment.
>>> >
>>>
>>> I can't do any testing right now, but I can try later (time and memory permitting). Other than that, I don't have any other ideas at the moment.
>>> Which distro are you using? I'm assuming apache. Which version of the wui? The latest code in the repo or 0.8?
>>>
>>> > would you mind editing your previous post? I forgot to remove my website url in my previous post.....
>>> >
>>> > On Wednesday, 15 July 2015 20:36:28 UTC+2, theresa mic-snare wrote:
>>> >>
>>> >> hmm the partition is mounted rw (no other options) .... it's a single logical volume.
>>> >>
>>> >> nope, just dozens of this: PHP Warning: fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>>> >>
>>> >> that's the thing:
>>> >> the temp file doesn't exist, nor does the tmp directory in the ossec-wui directory exist.
>>> >> the whole ossec-wui directory (and its subdirectories) belongs to root:root instead of apache:apache
>>> >> maybe this is the problem?
>>> >>
>>> >> i cloned it off of github and followed the instructions. hmm
>>> >>
>>> >> On Wednesday, 15 July 2015 20:03:06 UTC+2, dan (ddpbsd) wrote:
>>> >>>
>>> >>> On Jul 15, 2015 1:57 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >>> >
>>> >>> > On Wednesday, 15 July 2015 19:49:18 UTC+2, dan (ddpbsd) wrote:
>>> >>> >>
>>> >>> >> On Jul 15, 2015 1:44 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >>> >> >
>>> >>> >> > oh yeah, there are tons of messages like this in the apache error log
>>> >>> >> >
>>> >>> >> > PHP Warning: fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed to open stream: No such file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
>>> >>> >> >
>>> >>> >>
>>> >>> >> So make sure that temp file isn't getting created. What are the owner/group and perms of the tmp dir?
>>> >>> >
>>> >>> > hmm there's no tmp dir in /var/www/html/ossec-wui
>>> >>> >
>>> >>> > the owner/group and perms of the /var/ossec/tmp dir however are:
>>> >>> > root:apache and 770
>>> >>> >
>>> >>>
>>> >>> What are the mount options for the partition /var/ossec is on?
>>> >>> Are there any log messages prior to the one you posted about not being able to create the temp file?
>>> >>> Does the temp file exist? If so, what are the perms?
>>> >>>
>>> >>> >>
>>> >>> >> > @dan: what do you use instead? logstash and kibana?
>>> >>> >> >
>>> >>> >>
>>> >>> >> I don't use anything currently, but the elk stack has worked fine for me in the past. Graylog2 was also decent. Splunk was ok except for the 500mb/day limit on the free version.
>>> >>> >>
>>> >>> >> > On Wednesday, 15 July 2015 19:07:32 UTC+2, dan (ddpbsd) wrote:
>>> >>> >> >>
>>> >>> >> >> On Jul 9, 2015 5:36 PM, "theresa mic-snare" <[email protected]> wrote:
>>> >>> >> >> >
>>> >>> >> >> > hi all,
>>> >>> >> >> >
>>> >>> >> >> > yes, it's me again ;)
>>> >>> >> >> >
>>> >>> >> >> > i've cloned the ossec-wui from github.com
>>> >>> >> >> > and wanted to search my alerts.
>>> >>> >> >> >
>>> >>> >> >> > in the time frame i put from yesterday (e.g. 2017-07-08) till now
>>> >>> >> >> > Minimum Level: all
>>> >>> >> >> > SrcIP: a specific IP that I got through the notification emails (and that I can also find in the alerts.log)
>>> >>> >> >> > other than that everything is default.
>>> >>> >> >> >
>>> >>> >> >> > at the bottom of the page it says:
>>> >>> >> >> > Total alerts found: 3339
>>> >>> >> >> > Output divided in 4 pages.
>>> >>> >> >> >
>>> >>> >> >> > and
>>> >>> >> >> > Page 1 (338 alerts)
>>> >>> >> >> > Nothing returned (or search expired).
>>> >>> >> >> >
>>> >>> >> >> > which is crazy, because there was only 1 alert from this specific IP.
>>> >>> >> >> >
>>> >>> >> >> > also no alert is actually showing up, unlike in the alerts.log or in the email notification.
>>> >>> >> >> >
>>> >>> >> >> > what am I doing wrong here?
>>> >>> >> >> >
>>> >>> >> >> > I could also attach a screenshot if need be....
>>> >>> >> >> >
>>> >>> >> >>
>>> >>> >> >> Are there any related log messages in the webserver's log files? I don't use the wui (it's currently a dead project), but I kinda remember it logging when things went wrong.
>>> >>> >> >>
>>> >>> >> >> > thanks theresa
>>> >>> >> >> >
>>> >>> >> >> > --
>>> >>> >> >> > ---
>>> >>> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> >>> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> >>> >> >> > For more options, visit https://groups.google.com/d/optout.
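As an added example (not code from this thread or from the ossec-wui project), the following Python triage script turns the diagnosis carried out above into something repeatable: it parses the "failed to open stream" warnings out of Apache's error log, resolves the relative `./tmp/` path that os_lib_alerts.php tries to open against the WUI document root, and reports whether that directory exists, who owns it, and whether the web server account could write to it based on the mode bits (so the answer is still meaningful when the check is run as root). The document root `/var/www/html/ossec-wui`, the `apache` account and the two warning lines are taken from the thread; the Apache log prefix on the sample lines is constructed, and resolving `./tmp` against the document root is an assumption about the WUI's working directory.

```python
"""Triage helper for PHP "failed to open stream" warnings (added example)."""
import grp
import os
import pwd
import re
import stat
from typing import Dict, List

# Constructed sample log lines: the two fopen() paths are the ones quoted in
# the thread, the timestamp/client prefix is made up to look like Apache 2.2.
SAMPLE_LOG_LINES = [
    "[Wed Jul 15 20:30:01 2015] [error] [client 192.0.2.10] PHP Warning:  "
    "fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): "
    "failed to open stream: No such file or directory in "
    "/var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39",
    "[Wed Jul 15 20:31:12 2015] [error] [client 192.0.2.10] PHP Warning:  "
    "fopen(./tmp/output-tmp.1-59-9f77eb3ab2892420b85818ac18f09a01.php): "
    "failed to open stream: No such file or directory in "
    "/var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39",
    "[Wed Jul 15 20:31:12 2015] [notice] Apache/2.2.15 configured -- resuming normal operations",
]

# PHP's warning format: fopen(<path>): failed to open stream: <reason> in <script> on line <n>
FOPEN_WARNING = re.compile(
    r"PHP Warning:\s+fopen\((?P<path>[^)]+)\):\s+failed to open stream:\s+"
    r"(?P<reason>.+?) in (?P<script>\S+) on line (?P<line>\d+)"
)


def parse_fopen_warnings(lines: List[str]) -> List[Dict[str, str]]:
    """Return path/reason/script/line for every log line that is a PHP fopen() warning."""
    return [m.groupdict() for m in map(FOPEN_WARNING.search, lines) if m]


def _name(lookup, ident: int) -> str:
    """Map a uid/gid to a name, falling back to the number when the account is unknown."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def check_dir(path: str, expected_user: str) -> Dict[str, object]:
    """Describe a directory and decide from its mode bits whether expected_user can write to it."""
    result: Dict[str, object] = {"path": path, "exists": os.path.isdir(path),
                                 "owner": None, "group": None, "mode": None,
                                 "writable_by_user": False}
    if not result["exists"]:
        return result
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    result.update(owner=_name(pwd.getpwuid, st.st_uid),
                  group=_name(grp.getgrgid, st.st_gid), mode=oct(mode))
    try:
        user_gid = pwd.getpwnam(expected_user).pw_gid
        supplementary = [g.gr_gid for g in grp.getgrall() if expected_user in g.gr_mem]
    except KeyError:  # the web server account does not exist on this host
        user_gid, supplementary = None, []
    in_group = st.st_gid == user_gid or st.st_gid in supplementary
    result["writable_by_user"] = bool(
        (result["owner"] == expected_user and mode & stat.S_IWUSR)
        or (in_group and mode & stat.S_IWGRP)
        or (mode & stat.S_IWOTH)
    )
    return result


def audit(lines: List[str], webroot: str, expected_user: str) -> Dict[str, Dict[str, object]]:
    """Group failing fopen() paths by parent directory (resolved against webroot) and check each one."""
    report: Dict[str, Dict[str, object]] = {}
    for hit in parse_fopen_warnings(lines):
        # Assumption: PHP's working directory is the WUI document root, so
        # "./tmp/..." means "<webroot>/tmp/...".
        target_dir = os.path.normpath(os.path.join(webroot, os.path.dirname(hit["path"])))
        entry = report.setdefault(target_dir, {**check_dir(target_dir, expected_user), "failures": 0})
        entry["failures"] += 1
    return report


if __name__ == "__main__":
    # Paths and account name as described in the thread; on another host adjust both.
    for directory, info in audit(SAMPLE_LOG_LINES, "/var/www/html/ossec-wui", "apache").items():
        print(f"{directory}: {info['failures']} failed opens, exists={info['exists']}, "
              f"owner={info['owner']}:{info['group']}, mode={info['mode']}, "
              f"writable by apache={info['writable_by_user']}")
```

Run against the real error log (`audit(open('/var/log/httpd/error_log').readlines(), ...)`) the report points straight at the missing or root-owned `tmp` directory that the thread circles around; the mode-bit check rather than `os.access()` is deliberate, since a root shell can write anywhere and would otherwise report a false "writable".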
