Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.
On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry wrote:
>
> Dan,
> trying to add the agent I get this:
> ***
> * OSSEC HIDS v3.3.0 Agent manager. *
> * The following options are available: *
>
> (I)mport key from the server (I).
> (Q)uit.
> Choose your action: I or Q: i
>
> * Provide the Key generated by the server.
> * The best approach is to cut and paste it.
> *** OBS: Do not include spaces or new lines.
>
> Paste it here (or '\q' to quit):
> Agent information:
> ID:002
> Name:tcpdiag
> IP Address:10.10.10.29
>
> Confirm adding it?(y/n): y
> Not Adding.
>

That's very odd, haven't seen that. I only see 2 places in the source for that, and both assume the user didn't type y or Y.

> Also, when does the agent get added to the database? If it's done on the
> server the manage_agents is not working!

The mysql database? Never.

> jerry
>
> On Wed, Oct 2, 2019 at 4:55 PM dan (ddp) wrote:
>>
>> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry wrote:
>> >
>> > Well, I have the agent running and the server running but they are not
>> > talking. From the agent log file :
>> > Started ossec-agentd...
>> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted
>> > from the manager. Ignoring it on the agent.conf
>> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error
>> > at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> > Started ossec-logcollector...
>>
>> Start removing configurations from the agent.conf until you find the right
>> one.
>>
>> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
>> > 10.10.10.108, port 1514.
>> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
>> > 10.10.10.108, port 1514
>> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to
>> > 'server'.
>> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to
>> > 'server'.
>> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply
>> > (not started). Tried: '10.10.10.108'.
>> >
>> > I get this message but it does not say what the error is?
>> >
>> > How do they communicate?
>> >
>>
>> UDP port 1514. This needs to be not blocked by iptables on the server side.
>>
>> > From the server log file:
>> >
>> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net.
>> > at address 199.193.205.130, port 25
>> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by
>> > server - 'jlo...@edt.com'.
>> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
>> > west.smtp.exch083.serverdata.net. (smtp server)
>> >
>> > How can you specify the smtp port and connection security?
>> >
>>
>> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> local mail server to relay the emails.
>>
>> > thanks
>> >
>> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry wrote:
>> >>
>> >> Dan,
>> >> I have noticed that when the application is started and there are errors
>> >> like :
>> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element
>> >> 'format': sms.
>> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database
>> >> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to
>> >> database 'ossec'.
>> >>
>> >> When you stop ossec it does NOT kill the ossec-dbd process. Also, the
>> >> book specifies the use of 'format' sms for email alerts but it says it's
>> >> an invalid value.
>> >>
>> >> jerry
>> >>
>> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry wrote:
>> >>>
>> >>> thanks Dan!
>> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off
>> >>> and running. This is my test VM where I installed MariaDB. I will add
>> >>> an agent to it and see if it has the same problem as my physical server.
>> >>>
>> >>> jerry
>> >>>
>> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp) wrote:
>> >> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry wrote:
>> >
>> > List,
>> >
>> > I just installed a test VM running Centos 7 and installed ossec
>> > 3.3.0. Ran through the script and took all the default questions
>> > except for the email. When I try to start ossec these are the errors
>> > I get in the log:
>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
>> > regex: '(pam_unix)$': 9.
>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error
>> > at '/etc/decoder.xml'. Exiting.
>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
>> > regex: '(pam_unix)$': 9.
>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error
>> > at '/etc/decoder.xml'. Exiting.
>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
>> > regex: '(pam_unix)$': 9.
>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error
>>>
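The thread collects several distinct OSSEC failures (the PCRE JIT regex error, the shared agent.conf rejection, the UDP/1514 agent-to-manager failures, ossec-maild's SMTP limits, the ossec-dbd login failure) and the replies give a check for each. The helper below is an added example, not OSSEC project code and not from anyone in the thread: it parses the `date time process(code): LEVEL: message` log format quoted above (including lines wrapped by the mailer) and maps each known message to the check the thread discusses. The sample log is constructed from the lines quoted in this thread; the category names and the `RULES` table are this example's own.

```python
"""Triage helper for OSSEC 3.x agent/manager log lines (added example, not
OSSEC code). Parses 'YYYY/MM/DD HH:MM:SS process(code): LEVEL: message' and
maps known errors to the check discussed in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

LEVELS = "INFO|WARN|ERROR|DEBUG"
# Process name and (code) are optional, as is the level; some lines have
# only a level ("INFO: Connected ...") or only a process ("ossec-agentd:").
LINE_RE = re.compile(
    r"^(?P<date>\d{3,4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    rf"(?:(?!(?:{LEVELS}):)(?P<proc>[\w-]+)(?:\((?P<code>\d+)\))?: )?"
    rf"(?:(?P<level>{LEVELS}): )?"
    r"(?P<msg>.*)$"
)

# (message fragment, category, check), in precedence order; categories are
# names chosen for this example.
RULES = [
    ("Syntax error on regex", "pcre-jit",
     "analysisd rejects a valid decoder regex; the fix reported in the thread "
     "was rebuilding PCRE with --enable-jit=no and restarting OSSEC"),
    ("Unable to send message to 'server'", "agent-manager-udp-1514",
     "agent traffic is UDP/1514: confirm the manager listens on it and that "
     "iptables on the manager does not drop it"),
    ("Waiting for server reply", "agent-manager-udp-1514",
     "no manager reply: same UDP/1514 reachability check as the send errors"),
    ("Configuration error at '/var/ossec/etc/shared/agent.conf'",
     "shared-agent-conf",
     "the pushed agent.conf has an option this agent rejects; remove sections "
     "until it loads, then add them back one at a time"),
    ("Remote commands are not accepted", "shared-agent-conf",
     "agent refused a remote command from agent.conf; precedes the config error"),
    ("Invalid value for element 'format'", "maild-config",
     "ossec-maild rejected the email format value; change or drop the element"),
    ("Error Sending email", "maild-smtp",
     "ossec-maild does no TLS, auth or custom ports; relay via a local MTA"),
    ("RCPT TO not accepted", "maild-smtp",
     "the SMTP server refused the recipient; relay via a local MTA"),
    ("Error connecting to database", "dbd-credentials",
     "ossec-dbd could not authenticate (note the empty user in the log); fix "
     "the database user/password in the manager configuration"),
]


@dataclass
class Record:
    date: str
    time: str
    proc: Optional[str]
    code: Optional[str]
    level: Optional[str]
    msg: str


@dataclass
class Finding:
    record: Record
    category: str
    check: str


def parse_log(text: str) -> List[Record]:
    """Split log text into records; a line without a timestamp continues the
    previous record (the thread's lines were wrapped by the mailer)."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["date"], m["time"], m["proc"], m["code"],
                                  m["level"], m["msg"]))
        elif records:
            records[-1].msg += " " + line
    return records


def triage(records: List[Record]) -> List[Finding]:
    """First matching rule wins; records with no known cause yield nothing."""
    findings = []
    for rec in records:
        for needle, category, check in RULES:
            if needle in rec.msg:
                findings.append(Finding(rec, category, check))
                break
    return findings


def categories(findings: List[Finding]) -> List[str]:
    """Distinct categories in order of first appearance: the short to-do list."""
    seen: List[str] = []
    for f in findings:
        if f.category not in seen:
            seen.append(f.category)
    return seen


# Constructed sample, assembled from the lines quoted in this thread.
SAMPLE = """\
2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 10.10.10.108, port 1514.
2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 10.10.10.108, port 1514
2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to
'server'.
2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.108'.
2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by server - 'jlo...@edt.com'.
2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to west.smtp.exch083.serverdata.net. (smtp server)
2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 'format': sms.
019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 'ossec'.
019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
"""

if __name__ == "__main__":
    found = triage(parse_log(SAMPLE))
    for f in found:
        print(f"[{f.category}] {f.record.proc or '-'}: {f.record.msg}\n    -> {f.check}")
    print("to do:", ", ".join(categories(found)))
```

Run it against `/var/ossec/logs/ossec.log` from the agent or the manager (`triage(parse_log(open(path).read()))`) to get the ordered list of things to fix; lines with no rule, such as the INFO connection attempts, are parsed but produce no finding.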
Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.
Dan,
trying to add the agent I get this:
***
* OSSEC HIDS v3.3.0 Agent manager. *
* The following options are available: *

(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit):
Agent information:
ID:002
Name:tcpdiag
IP Address:10.10.10.29

Confirm adding it?(y/n): y
*Not Adding.*

Also, when does the agent get added to the database? If it's done on the server the manage_agents is not working!

jerry

On Wed, Oct 2, 2019 at 4:55 PM dan (ddp) wrote:
> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry wrote:
> >
> > Well, I have the agent running and the server running but they are not
> > talking. From the agent log file :
> >
> > Started ossec-agentd...
> >
> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted
> > from the manager. Ignoring it on the agent.conf
> >
> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error
> > at '/var/ossec/etc/shared/agent.conf'. Exiting.
> >
> > Started ossec-logcollector...
>
> Start removing configurations from the agent.conf until you find the right
> one.
>
> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server
> > 10.10.10.108, port 1514.
> >
> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address
> > 10.10.10.108, port 1514
> >
> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to
> > 'server'.
> >
> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to
> > 'server'.
> >
> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply
> > (not started). Tried: '10.10.10.108'.
> >
> > I get this message but it does not say what the error is?
> >
> > How do they communicate?
> >
>
> UDP port 1514. This needs to be not blocked by iptables on the server side.
>
> > From the server log file:
> >
> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net.
> > at address 199.193.205.130, port 25
> >
> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by
> > server - 'jlo...@edt.com'.
> >
> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to
> > west.smtp.exch083.serverdata.net. (smtp server)
> >
> > How can you specify the smtp port and connection security?
> >
>
> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
> local mail server to relay the emails.
>
> > thanks
> >
> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry wrote:
> >>
> >> Dan,
> >> I have noticed that when the application is started and there are
> >> errors like :
> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element
> >> 'format': sms.
> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database
> >> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database
> >> 'ossec'.
> >>
> >> When you stop ossec it does NOT kill the ossec-dbd process. Also, the
> >> book specifies the use of 'format' sms for email alerts but it says it's an
> >> invalid value.
> >>
> >> jerry
> >>
> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry wrote:
> >>>
> >>> thanks Dan!
> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off
> >>> and running. This is my test VM where I installed MariaDB. I will add an
> >>> agent to it and see if it has the same problem as my physical server.
> >>>
> >>> jerry
> >>>
> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp) wrote:
> > On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry wrote:
> >
> > List,
> >
> > I just installed a test VM running Centos 7 and installed ossec
> > 3.3.0. Ran through the script and took all the default questions except
> > for the email. When I try to start ossec these are the errors I get in the
> > log:
> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on
> > regex: '(pam_unix)$': 9.
> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration
> > error at '/etc/decoder.xml'. Exiting.
> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on
> > regex: '(pam_unix)$': 9.
> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration
> > error at '/etc/decoder.xml'. Exiting.
> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on
> > regex: '(pam_unix)$': 9.
> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration
> > error at '/etc/decoder.xml'. Exiting.
> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on
> > regex: '(pam_unix)$': 9.
> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration
> > error at '/etc/decoder.xml'. Exiting.
> > I have not touched any of the rules or configuration files as they
> > were setup based on the question in the installation script.
> >
> > so, what am I missing. Shouldn't this run with a default install?
> >
> > I t