On Oct 27, 2015 6:34 PM, "pgaltieri" <pgalti...@gmail.com> wrote:
>
> I compiled the latest ossec-hids code with mysql database support:
>
> cd src
> make TARGET=server DATABASE=mysql
>
> After running the install.sh script I enable the database and start ossec.
>
> /usr/local/etc/ossec/bin/ossec-control enable database
> /usr/local/etc/ossec/bin/ossec-control start
>
>
> The start fails with:
>
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> After some debugging it comes down to this:
>
> ./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
> 2015/10/27 14:53:30 ossec-testrule: INFO: Reading local decoder file.
> 2015/10/27 14:53:30 ossec-testrule(1103): ERROR: Could not open file '/var/ossec/etc/internal_options.conf' due to [(2)-(No such file or directory)].
> 2015/10/27 14:53:30 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.default_timeframe'.
>
> The issue is related to the location where ossec is installed. On my system ossec is installed in
>
> /usr/local/etc/ossec/
>
> However, logtest still looks in the default location.
>
> If I build ossec without database support then
>
> ./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
>
> 2015/10/27 15:13:26 adding rule: rules_config.xml
> 2015/10/27 15:13:26 adding rule: pam_rules.xml
> 2015/10/27 15:13:26 adding rule: sshd_rules.xml
> 2015/10/27 15:13:26 adding rule: telnetd_rules.xml
> 2015/10/27 15:13:26 adding rule: syslog_rules.xml
> 2015/10/27 15:13:26 adding rule: arpwatch_rules.xml
> 2015/10/27 15:13:26 adding rule: symantec-av_rules.xml
> 2015/10/27 15:13:26 adding rule: symantec-ws_rules.xml
> 2015/10/27 15:13:26 adding rule: pix_rules.xml
>
> .
> .
> .
> .
>
> 2015/10/27 15:13:26 1 : rule:551, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:595, level 5, timeout: 0
> 2015/10/27 15:13:26 1 : rule:552, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:596, level 5, timeout: 0
> 2015/10/27 15:13:26 1 : rule:553, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:597, level 5, timeout: 0
> 2015/10/27 15:13:26 ossec-testrule: INFO: Total rules enabled: '1487'
>
> works just fine.
>
> Is this a bug, or am I missing something?
>

Sounds like a bug.

> Any help is appreciated.
>
> Paolo
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
