I compiled the latest ossec-hids code with mysql database support:

cd src
make TARGET=server DATABASE=mysql

After running the install.sh script I enable the database and start ossec.

/usr/local/etc/ossec/bin/ossec-control enable database
/usr/local/etc/ossec/bin/ossec-control start
The start fails with:

OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

After some debugging it comes down to this:

./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
2015/10/27 14:53:30 ossec-testrule: INFO: Reading local decoder file.
2015/10/27 14:53:30 ossec-testrule(1103): ERROR: Could not open file '/var/ossec/etc/internal_options.conf' due to [(2)-(No such file or directory)].
2015/10/27 14:53:30 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.default_timeframe'.

The issue is related to the location where ossec is installed. On my
system ossec is installed in

/usr/local/etc/ossec/

However, logtest still looks in the default location.

If I build ossec without database support then

./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/

2015/10/27 15:13:26 adding rule: rules_config.xml
2015/10/27 15:13:26 adding rule: pam_rules.xml
2015/10/27 15:13:26 adding rule: sshd_rules.xml
2015/10/27 15:13:26 adding rule: telnetd_rules.xml
2015/10/27 15:13:26 adding rule: syslog_rules.xml
2015/10/27 15:13:26 adding rule: arpwatch_rules.xml
2015/10/27 15:13:26 adding rule: symantec-av_rules.xml
2015/10/27 15:13:26 adding rule: symantec-ws_rules.xml
2015/10/27 15:13:26 adding rule: pix_rules.xml

.
.
.
.

2015/10/27 15:13:26 1 : rule:551, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:595, level 5, timeout: 0
2015/10/27 15:13:26 1 : rule:552, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:596, level 5, timeout: 0
2015/10/27 15:13:26 1 : rule:553, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:597, level 5, timeout: 0
2015/10/27 15:13:26 ossec-testrule: INFO: Total rules enabled: '1487'

works just fine.

Is this a bug, or am I missing something?

Any help is appreciated.

Paolo
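A small diagnostic that follows from the errors quoted above, added here as an example; it is not part of Paolo's post and not OSSEC's own tooling. The first function checks whether the files ossec-testrule complained about exist under the directory handed to `-D`. The second lists every path containing `/ossec` that is embedded as a plain string in a binary, which makes it visible whether a default directory was compiled in. The assumptions are: the default directory is stored as a plain string (so it survives a printable-character scan), and `etc/ossec.conf` belongs in the same install tree as `etc/internal_options.conf`. `tr` is used instead of `strings` so the script needs only POSIX tools.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the original post or from OSSEC).
# Assumption: the compiled-in default directory is stored as a plain string.

# Report whether the files the testrule errors refer to exist under the
# directory passed to "ossec-logtest -D". Returns the number of missing
# files, so a zero exit status means the tree looks complete.
check_install_dir() {
    dir="$1"
    missing=0
    # internal_options.conf is the file named in the error; ossec.conf is
    # assumed to live in the same etc/ directory.
    for f in etc/internal_options.conf etc/ossec.conf; do
        if [ -f "$dir/$f" ]; then
            echo "ok      $dir/$f"
        else
            echo "missing $dir/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print, one per line and de-duplicated, every absolute path containing
# "/ossec" that appears as printable text in the given binary. Non-printable
# bytes are turned into newlines so each embedded string lands on its own
# line; this is the portable equivalent of "strings | grep".
embedded_ossec_paths() {
    bin="$1"
    tr -c '[:print:]' '\n' < "$bin" \
        | grep -E '^/[^[:space:]]*/ossec(/[^[:space:]]*)?$' \
        | sort -u
}

# Usage with the paths from the post (illustration only):
#   check_install_dir /usr/local/etc/ossec
#   embedded_ossec_paths /usr/local/etc/ossec/bin/ossec-logtest
```

If the second function prints `/var/ossec` for a binary that was configured for `/usr/local/etc/ossec/`, the default directory is baked into the build rather than taken from `-D`, which is the kind of evidence that turns "is this a bug?" into a concrete report.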
