Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-08 Thread dan (ddp)
On Tue, Oct 8, 2019 at 11:42 AM Jerry Lowry  wrote:
>
> Dan,
> Well my test system has been running since last Thursday without any database 
> problems. I installed MariaDB 13.4.  Still not getting email to work but will 
> continue to check on that.
> So, if the MySQL database has an agent table and you don't add any agents to 
> it, Why is it there?
>

I can't say for sure (I didn't write it). But my assumption is that
this was for a planned feature that never materialized.
My "never" response wasn't quite right. I guess it should have been
"whenever someone adds that feature."
I'd like to do some work in dbd, but I don't have a lot of time. I
feel like the time I do have would be better spent elsewhere right
now.

> jerry
>
> On Thu, Oct 3, 2019 at 10:12 AM dan (ddp)  wrote:
>>
>> On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry  wrote:
>> >
>> > Dan,
>> > trying to add the agent I get this:
>> > ***
>> > * OSSEC HIDS v3.3.0 Agent manager. *
>> > * The following options are available: *
>> > 
>> >(I)mport key from the server (I).
>> >(Q)uit.
>> > Choose your action: I or Q: i
>> >
>> > * Provide the Key generated by the server.
>> > * The best approach is to cut and paste it.
>> > *** OBS: Do not include spaces or new lines.
>> >
>> > Paste it here (or '\q' to quit): 
>> > Agent information:
>> >ID:002
>> >Name:tcpdiag
>> >IP Address:10.10.10.29
>> >
>> > Confirm adding it?(y/n): y
>> > Not Adding.
>> >
>>
>> That's very odd, haven't seen that. I only see 2 places in the source
>> for that, and both assume the user didn't type y or Y.
>>
>> > Also, when does the agent get added to the database?  If it's done on the 
>> > server the manage_agents is not working!
>>
>> The mysql database? Never.
>>
>> > jerry
>> >
>> > On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:
>> >>
>> >> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>> >> >
>> >> > Well, I have the agent running and the server running but they are not 
>> >> > talking.  From the agent log file :
>> >> > Started ossec-agentd...
>> >> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not 
>> >> > accepted from the manager. Ignoring it on the agent.conf
>> >> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration 
>> >> > error at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> >> > Started ossec-logcollector...
>> >>
>> >> Start removing configurations from the agent.conf until you find the 
>> >> right one.
>> >>
>> >> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
>> >> > 10.10.10.108, port 1514.
>> >> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 
>> >> > 10.10.10.108, port 1514
>> >> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message 
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message 
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply 
>> >> > (not started). Tried: '10.10.10.108'.
>> >> >
>> >> > I get this message but it does not say what the error is?
>> >> >
>> >> > How do they communicate?
>> >> >
>> >>
>> >> UDP port 1514. This needs to be not blocked by iptables on the server 
>> >> side.
>> >>
>> >> > From the server log file:
>> >> >
>> >> > 2019/10/02 15:21:42 INFO: Connected to 
>> >> > west.smtp.exch083.serverdata.net. at address 199.193.205.130, port 25
>> >> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by 
>> >> > server - 'jlo...@edt.com'.
>> >> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
>> >> > west.smtp.exch083.serverdata.net. (smtp server)
>> >> >
>> >> > How can you specify the smtp port and connection security?
>> >> >
>> >>
>> >> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> >> local mail server to relay the emails.
>> >>
>> >> > thanks
>> >> >
>> >> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  
>> >> > wrote:
>> >> >>
>> >> >> Dan,
>> >> >> I have noticed that when the application is started and there are 
>> >> >> errors like :
>> >> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for 
>> >> >> element 'format': sms.
>> >> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to 
>> >> >> database '10.10.10.108'(ossec): ERROR: Access denied for user 
>> >> >> ''@'ossec' to database 'ossec'.
>> >> >>
>> >> >> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the 
>> >> >> book specifies the use of 'format' sms for email alerts but it says 
>> >> >> it's an invalid value.
>> >> >>
>> >> >> jerry
>> >> >>
>> >> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  
>> >> >> wrote:
>> >> >>>
>> >> >>> thanks Dan!
>> >> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off 
>> >> >>> and running.  This is my test VM where I installed MariaDB.  I will 
>> >> >>> add an agent to it and see if it has the same problem 

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-08 Thread Jerry Lowry
Dan,
Well my test system has been running since last Thursday without any
database problems. I installed MariaDB 13.4.  Still not getting email to work
but will continue to check on that.
So, if the MySQL database has an agent table and you don't add any agents
to it, Why is it there?

jerry

On Thu, Oct 3, 2019 at 10:12 AM dan (ddp)  wrote:

> On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry 
> wrote:
> >
> > Dan,
> > trying to add the agent I get this:
> > ***
> > * OSSEC HIDS v3.3.0 Agent manager. *
> > * The following options are available: *
> > 
> >(I)mport key from the server (I).
> >(Q)uit.
> > Choose your action: I or Q: i
> >
> > * Provide the Key generated by the server.
> > * The best approach is to cut and paste it.
> > *** OBS: Do not include spaces or new lines.
> >
> > Paste it here (or '\q' to quit): 
> > Agent information:
> >ID:002
> >Name:tcpdiag
> >IP Address:10.10.10.29
> >
> > Confirm adding it?(y/n): y
> > Not Adding.
> >
>
> That's very odd, haven't seen that. I only see 2 places in the source
> for that, and both assume the user didn't type y or Y.
>
> > Also, when does the agent get added to the database?  If it's done on
> the server the manage_agents is not working!
>
> The mysql database? Never.
>
> > jerry
> >
> > On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:
> >>
> >> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry 
> wrote:
> >> >
> >> > Well, I have the agent running and the server running but they are
> not talking.  From the agent log file :
> >> > Started ossec-agentd...
> >> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not
> accepted from the manager. Ignoring it on the agent.conf
> >> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration
> error at '/var/ossec/etc/shared/agent.conf'. Exiting.
> >> > Started ossec-logcollector...
> >>
> >> Start removing configurations from the agent.conf until you find the
> right one.
> >>
> >> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
> 10.10.10.108, port 1514.
> >> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
> 10.10.10.108, port 1514
> >> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message
> to 'server'.
> >> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message
> to 'server'.
> >> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server
> reply (not started). Tried: '10.10.10.108'.
> >> >
> >> > I get this message but it does not say what the error is?
> >> >
> >> > How do they communicate?
> >> >
> >>
> >> UDP port 1514. This needs to be not blocked by iptables on the server
> side.
> >>
> >> > From the server log file:
> >> >
> >> > 2019/10/02 15:21:42 INFO: Connected to
> west.smtp.exch083.serverdata.net. at address 199.193.205.130, port 25
> >> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by
> server - 'jlo...@edt.com'.
> >> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
> west.smtp.exch083.serverdata.net. (smtp server)
> >> >
> >> > How can you specify the smtp port and connection security?
> >> >
> >>
> >> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
> >> local mail server to relay the emails.
> >>
> >> > thanks
> >> >
> >> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry 
> wrote:
> >> >>
> >> >> Dan,
> >> >> I have noticed that when the application is started and there are
> errors like :
> >> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for
> element 'format': sms.
> >> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to
> database '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to
> database 'ossec'.
> >> >>
> >> >> When you stop ossec it does NOT kill the ossec-dbd process.  Also,
> the book specifies the use of 'format' sms for email alerts but it says it's
> an invalid value.
> >> >>
> >> >> jerry
> >> >>
> >> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry 
> wrote:
> >> >>>
> >> >>> thanks Dan!
> >> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is
> off and running.  This is my test VM where I installed MariaDB.  I will add
> an agent to it and see if it has the same problem as my physical server.
> >> >>>
> >> >>> jerry
> >> >>>
> >> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
> >> >>>>
> >> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry 
> wrote:
> >> >>>> >
> >> >>>> > List,
> >> >>>> >
> >> >>>> > I just installed a test VM running Centos 7 and installed ossec
> 3.3.0.  Ran through the script and took all the default questions except
> for the email.  When I try to start ossec these are the errors I get in the
> log:
> >> >>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '(pam_unix)$': 9.
> >> >>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration
> error at '/etc/decoder.xml'. Exiting.
> >> >>>> > 

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-03 Thread dan (ddp)
On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry  wrote:
>
> Dan,
> trying to add the agent I get this:
> ***
> * OSSEC HIDS v3.3.0 Agent manager. *
> * The following options are available: *
> 
>(I)mport key from the server (I).
>(Q)uit.
> Choose your action: I or Q: i
>
> * Provide the Key generated by the server.
> * The best approach is to cut and paste it.
> *** OBS: Do not include spaces or new lines.
>
> Paste it here (or '\q' to quit): 
> Agent information:
>ID:002
>Name:tcpdiag
>IP Address:10.10.10.29
>
> Confirm adding it?(y/n): y
> Not Adding.
>

That's very odd, haven't seen that. I only see 2 places in the source
for that, and both assume the user didn't type y or Y.

> Also, when does the agent get added to the database?  If it's done on the 
> server the manage_agents is not working!

The mysql database? Never.

> jerry
>
> On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:
>>
>> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>> >
>> > Well, I have the agent running and the server running but they are not 
>> > talking.  From the agent log file :
>> > Started ossec-agentd...
>> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted 
>> > from the manager. Ignoring it on the agent.conf
>> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error 
>> > at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> > Started ossec-logcollector...
>>
>> Start removing configurations from the agent.conf until you find the right 
>> one.
>>
>> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
>> > 10.10.10.108, port 1514.
>> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 
>> > 10.10.10.108, port 1514
>> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 
>> > 'server'.
>> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 
>> > 'server'.
>> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply 
>> > (not started). Tried: '10.10.10.108'.
>> >
>> > I get this message but it does not say what the error is?
>> >
>> > How do they communicate?
>> >
>>
>> UDP port 1514. This needs to be not blocked by iptables on the server side.
>>
>> > From the server log file:
>> >
>> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. 
>> > at address 199.193.205.130, port 25
>> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by 
>> > server - 'jlo...@edt.com'.
>> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
>> > west.smtp.exch083.serverdata.net. (smtp server)
>> >
>> > How can you specify the smtp port and connection security?
>> >
>>
>> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> local mail server to relay the emails.
>>
>> > thanks
>> >
>> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  wrote:
>> >>
>> >> Dan,
>> >> I have noticed that when the application is started and there are errors 
>> >> like :
>> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
>> >> 'format': sms.
>> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
>> >> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to 
>> >> database 'ossec'.
>> >>
>> >> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the 
>> >> book specifies the use of 'format' sms for email alerts but it says it's 
>> >> an invalid value.
>> >>
>> >> jerry
>> >>
>> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>> >>>
>> >>> thanks Dan!
>> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off 
>> >>> and running.  This is my test VM where I installed MariaDB.  I will add 
>> >>> an agent to it and see if it has the same problem as my physical server.
>> >>>
>> >>> jerry
>> >>>
>> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>> >>>>
>> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry 
>> >>>> wrote:
>> >>>> >
>> >>>> > List,
>> >>>> >
>> >>>> > I just installed a test VM running Centos 7 and installed ossec 
>> >>>> > 3.3.0.  Ran through the script and took all the default questions 
>> >>>> > except for the email.  When I try to start ossec these are the errors 
>> >>>> > I get in the log:
>> >>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on 
>> >>>> > regex: '(pam_unix)$': 9.
>> >>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error 
>> >>>> > at '/etc/decoder.xml'. Exiting.
>> >>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on 
>> >>>> > regex: '(pam_unix)$': 9.
>> >>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error 
>> >>>> > at '/etc/decoder.xml'. Exiting.
>> >>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on 
>> >>>> > regex: '(pam_unix)$': 9.
>> >>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error 
>> >>>>

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-03 Thread Jerry Lowry
Dan,
trying to add the agent I get this:
***
* OSSEC HIDS v3.3.0 Agent manager. *
* The following options are available: *

   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): 
Agent information:
   ID:002
   Name:tcpdiag
   IP Address:10.10.10.29

Confirm adding it?(y/n): y
*Not Adding.*

Also, when does the agent get added to the database?  If it's done on the
server the manage_agents is not working!
jerry

On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:

> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
> >
> > Well, I have the agent running and the server running but they are not
> talking.  From the agent log file :
> > Started ossec-agentd...
> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted
> from the manager. Ignoring it on the agent.conf
> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error
> at '/var/ossec/etc/shared/agent.conf'. Exiting.
> > Started ossec-logcollector...
>
> Start removing configurations from the agent.conf until you find the right
> one.
>
> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
> 10.10.10.108, port 1514.
> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
> 10.10.10.108, port 1514
> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to
> 'server'.
> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to
> 'server'.
> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply
> (not started). Tried: '10.10.10.108'.
> >
> > I get this message but it does not say what the error is?
> >
> > How do they communicate?
> >
>
> UDP port 1514. This needs to be not blocked by iptables on the server side.
>
> > From the server log file:
> >
> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net.
> at address 199.193.205.130, port 25
> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by
> server - 'jlo...@edt.com'.
> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
> west.smtp.exch083.serverdata.net. (smtp server)
> >
> > How can you specify the smtp port and connection security?
> >
>
> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
> local mail server to relay the emails.
>
> > thanks
> >
> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry 
> wrote:
> >>
> >> Dan,
> >> I have noticed that when the application is started and there are
> errors like :
> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element
> 'format': sms.
> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database
> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database
> 'ossec'.
> >>
> >> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the
> book specifies the use of 'format' sms for email alerts but it says it's an
> invalid value.
> >>
> >> jerry
> >>
> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry 
> wrote:
> >>>
> >>> thanks Dan!
> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off
> and running.  This is my test VM where I installed MariaDB.  I will add an
> agent to it and see if it has the same problem as my physical server.
> >>>
> >>> jerry
> >>>
> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
> >>>>
> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry 
> wrote:
> >>>> >
> >>>> > List,
> >>>> >
> >>>> > I just installed a test VM running Centos 7 and installed ossec
> 3.3.0.  Ran through the script and took all the default questions except
> for the email.  When I try to start ossec these are the errors I get in the
> log:
> >>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '(pam_unix)$': 9.
> >>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration
> error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '(pam_unix)$': 9.
> >>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration
> error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '(pam_unix)$': 9.
> >>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration
> error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '(pam_unix)$': 9.
> >>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration
> error at '/etc/decoder.xml'. Exiting.
> >>>> > I have not touched any of the rules or configuration files as they
> were setup based on the question in the installation script.
> >>>> >
> >>>> > So, what am I missing?  Shouldn't this run with a default install?
> >>>> >
> >>>>
> >>>> I 

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread dan (ddp)
On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>
> Well, I have the agent running and the server running but they are not 
> talking.  From the agent log file :
> Started ossec-agentd...
> 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted from 
> the manager. Ignoring it on the agent.conf
> 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at 
> '/var/ossec/etc/shared/agent.conf'. Exiting.
> Started ossec-logcollector...

Start removing configurations from the agent.conf until you find the right one.

> 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
> 10.10.10.108, port 1514.
> 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 10.10.10.108, 
> port 1514
> 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
> 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
> 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '10.10.10.108'.
>
> I get this message but it does not say what the error is?
>
> How do they communicate?
>

UDP port 1514. This needs to be not blocked by iptables on the server side.

> From the server log file:
>
> 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. at 
> address 199.193.205.130, port 25
> 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by server - 
> 'jlo...@edt.com'.
> 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
> west.smtp.exch083.serverdata.net. (smtp server)
>
> How can you specify the smtp port and connection security?
>

ossec-maild doesn't do tls, auth, or custom ports. I usually use the
local mail server to relay the emails.

> thanks
>
> On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  wrote:
>>
>> Dan,
>> I have noticed that when the application is started and there are errors 
>> like :
>> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
>> 'format': sms.
>> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
>> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 
>> 'ossec'.
>>
>> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the book 
>> specifies the use of 'format' sms for email alerts but it says it's an 
>> invalid value.
>>
>> jerry
>>
>> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>>>
>>> thanks Dan!
>>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and 
>>> running.  This is my test VM where I installed MariaDB.  I will add an 
>>> agent to it and see if it has the same problem as my physical server.
>>>
>>> jerry
>>>
>>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>>>>
>>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>>>> >
>>>> > List,
>>>> >
>>>> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.  
>>>> > Ran through the script and took all the default questions except for the 
>>>> > email.  When I try to start ossec these are the errors I get in the log:
>>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > I have not touched any of the rules or configuration files as they were 
>>>> > setup based on the question in the installation script.
>>>> >
>>>> > So, what am I missing?  Shouldn't this run with a default install?
>>>> >
>>>>
>>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>>>> didn't disable JIT on a system that didn't support the JIT.
>>>>
>>>> > jerry
>>>> >
>>>> > PS: no errors during the installation/compilation
>>>> >
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google 
>>>> > Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>>> > an email to ossec-list+unsubscr...@googlegroups.com.
>>>> > To view this discussion on the web visit 
>>>> > https://groups.google.com/d/msgid/ossec-list/c9a3f10d-b29c-444c-a678-0bb0d18f7b38%40googlegroups.com.
>>>>
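
The manager-side checks that Dan's answers above call for, as an added example that is not part of the thread and not OSSEC code: it walks an iptables-save dump to decide whether a new UDP datagram to port 1514 would be accepted, confirms that something is bound to that port in ss -lun output, and flags a <global><smtp_server> value that is not a local MTA (since maild offers no TLS, authentication or alternative port, the local relay is the only way to reach an authenticated upstream). The function names, the SAMPLE_* inputs and the /var/ossec/etc/ossec.conf path read by --live are my assumptions; the smtp_server element is OSSEC's documented setting.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): manager-side checks for the
# two answers above. Agent traffic is UDP 1514 and must get through the server's
# iptables; ossec-maild speaks plain SMTP on port 25 only, so point <smtp_server>
# at a local MTA. SAMPLE_* inputs are constructed; --live inspects the real host.

# Walk the INPUT chain of an iptables-save dump ($1) for a new UDP datagram to
# port $2 from a remote host: print the verdict, exit 0 only when it is ACCEPT.
# Simplified walk: user chains, multiport and source matches are not followed.
iptables_allows_udp() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            proto = ""; dport = ""; iface = ""; state = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # skip rules that cannot match a fresh datagram arriving from an agent
            if (iface == "lo") next
            if (state != "" && index(state, "NEW") == 0) next
            if (proto != "" && proto != "udp") next
            if (dport != "" && dport != port) next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                verdict = target; exit
            }
        }
        END { if (verdict == "") verdict = policy; print verdict; exit (verdict != "ACCEPT") }'
}

# Is a socket bound to UDP port $2 in an "ss -lun" listing ($1)? Column 4 is the
# local address, e.g. "*:1514", "0.0.0.0:1514" or "[::]:1514".
ss_listening_udp() {
    printf '%s\n' "$1" | awk -v port="$2" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# Print the <global><smtp_server> value from ossec.conf text ($1), if any.
smtp_server_host() {
    printf '%s\n' "$1" \
        | sed -n 's/.*<smtp_server>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/smtp_server>.*/\1/p' \
        | head -n 1
}

# maild cannot do TLS, authentication or another port, so the only sound target
# is an MTA on this host that relays onward with its own credentials.
smtp_server_is_local() {
    case "$(smtp_server_host "$1")" in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples. A stock CentOS 7 style ruleset: policy ACCEPT, but a
# catch-all REJECT at the end, so only the explicit holes matter.
SAMPLE_IPTABLES_BLOCKED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# The same ruleset with the agent port opened ahead of the catch-all.
SAMPLE_IPTABLES_FIXED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
UNCONN  0       0       127.0.0.1:323       0.0.0.0:*
UNCONN  0       0       0.0.0.0:1514        0.0.0.0:*'
SAMPLE_CONF_REMOTE='<global><smtp_server>smtp.example.com</smtp_server></global>'
SAMPLE_CONF_LOCAL='<global><smtp_server>127.0.0.1</smtp_server></global>'

report() {  # $1 iptables-save dump, $2 ss -lun listing, $3 ossec.conf text
    if verdict=$(iptables_allows_udp "$1" 1514); then
        echo "firewall: UDP 1514 accepted"
    else
        echo "firewall: INPUT verdict for UDP 1514 is $verdict"
    fi
    ss_listening_udp "$2" 1514 && echo "remoted: bound to UDP 1514" || echo "remoted: nothing bound to UDP 1514"
    smtp_server_is_local "$3" && echo "maild: relaying through local MTA" \
        || echo "maild: smtp_server '$(smtp_server_host "$3")' is remote (no TLS/auth/custom port possible)"
}

if [ "${1:-}" = "--live" ]; then
    report "$(iptables-save)" "$(ss -lun)" "$(cat /var/ossec/etc/ossec.conf)"
else
    echo "== constructed: as in the thread =="; report "$SAMPLE_IPTABLES_BLOCKED" "$SAMPLE_SS" "$SAMPLE_CONF_REMOTE"
    echo "== constructed: after the fixes ==";  report "$SAMPLE_IPTABLES_FIXED" "$SAMPLE_SS" "$SAMPLE_CONF_LOCAL"
fi
```

Without arguments it reports on the constructed samples (the blocked ruleset and the remote SMTP host first, then the corrected pair); `--live` as root on the manager feeds it the real firewall, socket table and config. The rule walk is deliberately simple, so a verdict other than ACCEPT is a pointer to the full ruleset rather than proof on its own.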

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread dan (ddp)
On Wed, Oct 2, 2019 at 1:06 PM Jerry Lowry  wrote:
>
> Dan,
> I have noticed that when the application is started and there are errors like 
> :
> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
> 'format': sms.

I think I removed this fairly recently.

> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 
> 'ossec'.
>

That's an odd error, like the username wasn't specified?

> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the book 
> specifies the use of 'format' sms for email alerts but it says it's an 
> invalid value.
>

How are you stopping it? /var/ossec/bin/ossec-control stop?

> jerry
>
> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>>
>> thanks Dan!
>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and 
>> running.  This is my test VM where I installed MariaDB.  I will add an agent 
>> to it and see if it has the same problem as my physical server.
>>
>> jerry
>>
>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>>>
>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>>> >
>>> > List,
>>> >
>>> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.  
>>> > Ran through the script and took all the default questions except for the 
>>> > email.  When I try to start ossec these are the errors I get in the log:
>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > I have not touched any of the rules or configuration files as they were 
>>> > setup based on the question in the installation script.
>>> >
>>> > So, what am I missing?  Shouldn't this run with a default install?
>>> >
>>>
>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>>> didn't disable JIT on a system that didn't support the JIT.
>>>
>>> > jerry
>>> >
>>> > PS: no errors during the installation/compilation
>>> >
>

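
A small configuration lint for the three things Dan asks about in this message (an empty database username behind the "Access denied for user ''@..." error, the sms format that maild now rejects, and a daemon surviving ossec-control stop), added here as example code that is not from the thread and not from OSSEC. It relies on the documented ossec.conf elements <database_output><username> and <email_alerts><format>; the function names, the SAMPLE_* texts and the /var/ossec/etc/ossec.conf path used by --live are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): lint the two ossec.conf
# mistakes behind the errors quoted above and list daemons left behind by
# ossec-control stop. SAMPLE_* values are constructed; --live checks the host.

# Print the <username> inside <database_output> of ossec.conf text ($1); empty
# when the element is missing or blank, which is what yields a user of ''.
dbd_username() {
    printf '%s\n' "$1" \
        | sed -n '/<database_output>/,/<\/database_output>/p' \
        | sed -n 's/.*<username>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/username>.*/\1/p' \
        | head -n 1
}

# Exit 0 if the config still asks for the sms format that ossec-maild rejects.
uses_sms_format() {
    printf '%s\n' "$1" | grep -Eq '<format>[[:space:]]*sms[[:space:]]*</format>'
}

# Given a "ps -eo comm=" listing ($1), print the OSSEC daemon names still running,
# one per line; empty output means the stop took everything down.
lingering_ossec_daemons() {
    printf '%s\n' "$1" | awk '$1 ~ /^ossec-/ { print $1 }' | sort -u
}

# Constructed configs: the first reproduces both errors, the second is clean.
SAMPLE_CONF_BAD='<ossec_config>
  <email_alerts>
    <email_to>admin@example.com</email_to>
    <format>sms</format>
  </email_alerts>
  <database_output>
    <hostname>10.10.10.108</hostname>
    <username></username>
    <password>secret</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>'
SAMPLE_CONF_GOOD='<ossec_config>
  <email_alerts>
    <email_to>admin@example.com</email_to>
  </email_alerts>
  <database_output>
    <hostname>10.10.10.108</hostname>
    <username>ossecuser</username>
    <password>secret</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>'
# Constructed "ps -eo comm=" output as it might look right after ossec-control stop.
SAMPLE_PS='systemd
sshd
ossec-dbd
bash'

lint() {  # $1 ossec.conf text, $2 process listing
    [ -n "$(dbd_username "$1")" ] || echo "database_output: <username> is missing or empty"
    ! uses_sms_format "$1" || echo "email_alerts: <format>sms</format> is no longer accepted by ossec-maild"
    left=$(lingering_ossec_daemons "$2")
    [ -z "$left" ] || echo "still running after stop: $(printf '%s' "$left" | tr '\n' ' ')"
}

if [ "${1:-}" = "--live" ]; then
    lint "$(cat /var/ossec/etc/ossec.conf)" "$(ps -eo comm=)"
else
    echo "== constructed bad config =="; lint "$SAMPLE_CONF_BAD" "$SAMPLE_PS"
    echo "== constructed good config =="; lint "$SAMPLE_CONF_GOOD" "systemd"
fi
```

Run it after `/var/ossec/bin/ossec-control stop` with `--live` to see whether ossec-dbd is really gone and whether the config still carries either setting; an empty username is worth fixing before the dbd daemon is allowed to reach a database at all, since the alternative is a password-only login path that a MySQL grant table will refuse anyway.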


Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread Jerry Lowry
Well, I have the agent running and the server running but they are not
talking.  From the agent log file :
Started ossec-agentd...
2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted
from the manager. Ignoring it on the agent.conf
2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at
'/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
10.10.10.108, port 1514.
2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
10.10.10.108, port 1514
2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to
'server'.
2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to
'server'.
2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not
started). Tried: '10.10.10.108'.

I get this message but it does not say what the error is?

How do they communicate?

From the server log file:

2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. at
address 199.193.205.130, port 25
2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by server
- 'jlo...@edt.com'.
2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
west.smtp.exch083.serverdata.net. (smtp server)

How can you specify the smtp port and connection security?

thanks

On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  wrote:

> Dan,
> I have noticed that when the application is started and there are errors
> like :
> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element
> 'format': sms.
> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database
> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database
> 'ossec'.
>
> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the
> book specifies the use of 'format' sms for email alerts but it says it's an
> invalid value.
>
> jerry
>
> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>
>> thanks Dan!
>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and
>> running.  This is my test VM where I installed MariaDB.  I will add an
>> agent to it and see if it has the same problem as my physical server.
>>
>> jerry
>>
>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>>
>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry 
>>> wrote:
>>> >
>>> > List,
>>> >
>>> > I just installed a test VM running Centos 7 and installed ossec
>>> 3.3.0.  Ran through the script and took all the default questions except
>>> for the email.  When I try to start ossec these are the errors I get in the
>>> log:
>>> > 2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
>>> regex: '(pam_unix)$': 9.
>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error
>>> at '/etc/decoder.xml'. Exiting.
>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
>>> regex: '(pam_unix)$': 9.
>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error
>>> at '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
>>> regex: '(pam_unix)$': 9.
>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error
>>> at '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on
>>> regex: '(pam_unix)$': 9.
>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error
>>> at '/etc/decoder.xml'. Exiting.
>>> > I have not touched any of the rules or configuration files as they
>>> were setup based on the question in the installation script.
>>> >
>>> > So, what am I missing?  Shouldn't this run with a default install?
>>> >
>>>
>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>>> didn't disable JIT on a system that didn't support the JIT.
>>>
>>> > jerry
>>> >
>>> > PS: no errors during the installation/compilation.
>>> >
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread Jerry Lowry
Dan,
I have noticed that when the application is started and there are errors
like:
2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element
'format': sms.
2019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database
'10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database
'ossec'.

When you stop ossec it does NOT kill the ossec-dbd process.  Also, the book
specifies the use of 'format' sms for email alerts but it says it's an
invalid value.

jerry

On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:

> thanks Dan!
> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and
> running.  This is my test VM where I installed MariaDB.  I will add an
> agent to it and see if it has the same problem as my physical server.
>
> jerry
>
> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>
>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry 
>> wrote:
>> >
>> > List,
>> >
>> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.
>> Ran through the script and took all the default questions except for the
>> email.  When I try to start ossec these are the errors I get in the log:
>> > 2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex:
>> '(pam_unix)$': 9.
>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
>> regex: '(pam_unix)$': 9.
>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
>> regex: '(pam_unix)$': 9.
>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on
>> regex: '(pam_unix)$': 9.
>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>> > I have not touched any of the rules or configuration files as they were
>> setup based on the question in the installation script.
>> >
>> > So, what am I missing?  Shouldn't this run with a default install?
>> >
>>
>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>> didn't disable JIT on a system that didn't support the JIT.
>>
>> > jerry
>> >
>> > PS: no errors during the installation/compilation.
>> >
>

To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/CAKP%3DcB5SBAD2RD-G60F%2Bh26hsgZXj1oYTfNeoaj08QDnXa_rMQ%40mail.gmail.com.


Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread Jerry Lowry
thanks Dan!
That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and
running.  This is my test VM where I installed MariaDB.  I will add an
agent to it and see if it has the same problem as my physical server.

jerry

On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:

> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
> >
> > List,
> >
> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.
> Ran through the script and took all the default questions except for the
> email.  When I try to start ossec these are the errors I get in the log:
> > 2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex:
> '(pam_unix)$': 9.
> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex:
> '(pam_unix)$': 9.
> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex:
> '(pam_unix)$': 9.
> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex:
> '(pam_unix)$': 9.
> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
> > I have not touched any of the rules or configuration files as they were
> setup based on the question in the installation script.
> >
> > So, what am I missing?  Shouldn't this run with a default install?
> >
>
> I think this is a pcre2 issue. I ran into it a bunch of times when I
> didn't disable JIT on a system that didn't support the JIT.
>
> > jerry
> >
> > PS: no errors during the installation/compilation.
> >
>

To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/CAKP%3DcB6PDjW61Yr7FD146fJ8%3DWT%3DEJO2J3rvkeFL5eXXTQ2MPA%40mail.gmail.com.
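Dan's diagnosis (a PCRE2 built with JIT on a host where the JIT does not work) and Jerry's fix (rebuilding PCRE2 with --enable-jit=no), worked through as one triage-and-repair script. This is an added example, not code from the thread and not part of OSSEC. It assumes OSSEC is installed under the default /var/ossec, that pcre2test from the PCRE2 build is on PATH, that ossec-logtest loads the same decoders as analysisd (it is the "ossec-testrule" that reported the same error in the posts above), and that the unpacked PCRE2 source tree is passed to the fix step. The log lines embedded in the self-test are the ones Jerry posted; the script name and the meaning of the error code are not taken from the thread (the code is only echoed from the log).

```shell
#!/bin/sh
# Added example, not OSSEC's own tooling: triage and repair the
#   ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
# startup failure that the thread traces to a PCRE2 built with JIT on a host
# whose JIT does not work. Assumptions: OSSEC under /var/ossec, pcre2test on
# PATH, an unpacked PCRE2 source tree passed to "fix". The error code 9 is
# only echoed from the log; no meaning is assumed for it here.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# List the distinct regexes analysisd/logtest refused to compile, one per line
# as "<pattern> <code>", from an ossec.log. Prints nothing if the file is unreadable.
regex_errors_in_log() {
    [ -r "$1" ] || return 1
    sed -n "s/.*Syntax error on regex: '\(.*\)': \([0-9]*\)\..*/\1 \2/p" "$1" \
        | LC_ALL=C sort -u
}

# Does the PCRE2 on PATH have JIT compiled in? "pcre2test -C jit" prints 1 or 0.
# Returns 0 = JIT built in, 1 = no JIT, 2 = pcre2test not found.
pcre2_jit_built_in() {
    command -v pcre2test >/dev/null 2>&1 || return 2
    jit=$(pcre2test -C jit 2>/dev/null) || true
    [ "$jit" = "1" ]
}

# Is ossec-analysisd dynamically linked against a libpcre2? If this prints
# nothing, PCRE2 was linked statically and the configure flag must go to
# whatever build produced that copy, not to the system library.
ossec_pcre2_linkage() {
    ldd "$OSSEC_DIR/bin/ossec-analysisd" 2>/dev/null | grep -i pcre2
}

# Reproduce the failure without restarting the service: ossec-logtest loads
# the same decoders and rules as analysisd and prints the same 1450 error.
# Returns 0 = decoders compile, 1 = regex error reported, 2 = logtest missing.
verify_ossec_decoders() {
    [ -x "$OSSEC_DIR/bin/ossec-logtest" ] || return 2
    out=$(printf 'test event\n' | "$OSSEC_DIR/bin/ossec-logtest" 2>&1)
    if printf '%s\n' "$out" | grep -q 'Syntax error on regex'; then
        printf '%s\n' "$out" | grep 'Syntax error on regex' >&2
        return 1
    fi
    return 0
}

# Jerry's fix: rebuild PCRE2 from source with the JIT left out (the configure
# flag as quoted in the thread), then reinstall. Needs root for make install.
rebuild_pcre2_without_jit() {
    src="$1"
    [ -x "$src/configure" ] || { echo "no configure script in '$src'" >&2; return 1; }
    ( cd "$src" && ./configure --enable-jit=no && make && make install )
}

# Offline self-check on the log lines quoted from Jerry's first post.
selftest() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
EOF
    result=$(regex_errors_in_log "$f")
    rm -f "$f"
    [ "$result" = '(pam_unix)$ 9' ]
}

main() {
    case "$1" in
        triage)
            echo "== regexes rejected in $OSSEC_DIR/logs/ossec.log"
            regex_errors_in_log "$OSSEC_DIR/logs/ossec.log"
            echo "== libpcre2 linked into ossec-analysisd (empty = static/bundled)"
            ossec_pcre2_linkage
            if pcre2_jit_built_in; then
                echo "== PCRE2 on PATH has JIT compiled in; suspect it if logtest still fails"
            else
                echo "== PCRE2 on PATH has no JIT (or pcre2test not found)"
            fi
            verify_ossec_decoders && echo "== ossec-logtest loads the decoders cleanly"
            ;;
        fix)
            rebuild_pcre2_without_jit "$2" && verify_ossec_decoders \
                && echo "== PCRE2 rebuilt without JIT; decoders now compile"
            ;;
        *)
            echo "usage: $0 triage | fix <pcre2-source-dir>" >&2
            return 2
            ;;
    esac
}

# Only act when given a subcommand, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run the triage step first. If the linkage check prints nothing, analysisd carries its own static PCRE2 and the --enable-jit=no flag has to be applied to the build that produced that copy rather than to the system library. A JIT that is merely compiled in is not a fault by itself; the decisive check is whether ossec-logtest stops reporting the 1450 error after the rebuild, which is why the fix step ends with that verification.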


Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-02 Thread dan (ddp)
On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>
> List,
>
> I just installed a test VM running Centos 7 and installed ossec 3.3.0.  Ran 
> through the script and took all the default questions except for the email.  
> When I try to start ossec these are the errors I get in the log:
> 2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> I have not touched any of the rules or configuration files as they were setup 
> based on the question in the installation script.
>
> So, what am I missing?  Shouldn't this run with a default install?
>

I think this is a pcre2 issue. I ran into it a bunch of times when I
didn't disable JIT on a system that didn't support the JIT.

> jerry
>
> PS: no errors during the installation/compilation.
>

To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/CAMyQvMo4L5rb6Jgsm3tOnyLt7OX9Yn9huZp9FNKwm%3D_ey1L%2BTQ%40mail.gmail.com.


[ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.

2019-10-01 Thread Jerry Lowry
List,

I just installed a test VM running Centos 7 and installed ossec 3.3.0.  Ran 
through the script and took all the default questions except for the 
email.  When I try to start ossec these are the errors I get in the log:
2019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
'(pam_unix)$': 9.
2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
'/etc/decoder.xml'. Exiting.
2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
'(pam_unix)$': 9.
2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
'/etc/decoder.xml'. Exiting.
2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
'(pam_unix)$': 9.
2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
'/etc/decoder.xml'. Exiting.
2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
'(pam_unix)$': 9.
2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
'/etc/decoder.xml'. Exiting.
I have not touched any of the rules or configuration files as they were 
setup based on the question in the installation script.

So, what am I missing?  Shouldn't this run with a default install?

jerry

PS: no errors during the installation/compilation.

To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/c9a3f10d-b29c-444c-a678-0bb0d18f7b38%40googlegroups.com.