[ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel Twardowski

I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured 
a few domain controllers to send it their logs. When I came in today, the 
WUI is displaying an error of:
"Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: 
Value too large for defined data type in 
/opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839"

My alerts.log file is 3.5G. If I delete it and restart ossec services, the 
file is recreated at 3.5G. Is this an issue with file size? If so, can I up 
the log rotation to more than just once a day? And how would I flush 
whatever buffer keeps recreating the 3.5G alerts.log file so I can get back 
to reviewing logs?

Similar, but unanswered message from 2013:
https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ

Thanks.

Dan

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
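The fopen() warning quoted in the post above points at file size rather than permissions: "Value too large for defined data type" is the C library's text for EOVERFLOW, the error open() returns when a file's size does not fit the 32-bit off_t of a process built without large-file support, so the threshold is 2 GiB minus one byte and a 3.5G alerts.log is past it. The script below is an added example, not code from this thread or from the OSSEC project: it checks a file's size against that limit and streams alerts.log record by record (never holding the whole file in memory) to count alerts per rule and per agent, which is the quickest way to see which domain controller or rule is producing the volume. The record layout it parses ('** Alert' header, source line, 'Rule:' line, blank-line separator) is OSSEC's standard alerts.log format; the embedded sample records are constructed, and the script's structure and function names are this editor's own assumptions.

```python
#!/usr/bin/env python3
"""Added example (not OSSEC or WUI code): size check plus a streaming
summary of an OSSEC alerts.log.  All names here are this editor's own."""
import os
import re
import sys
from collections import Counter

# Largest size a 32-bit off_t can hold (2 GiB - 1).  An fopen() on a bigger
# file from a 32-bit process without large-file support fails with EOVERFLOW,
# whose strerror text is "Value too large for defined data type".
OFF_T_32_MAX = 2**31 - 1

# OSSEC alerts.log record layout: a '** Alert <epoch>.<id>:' header, a source
# line, a 'Rule:' line, the raw event lines, then a blank separator line.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+:")
SOURCE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d "
    r"(?:\((?P<agent>[^)]*)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def exceeds_32bit_limit(size_bytes):
    """True when a 32-bit, non-large-file open() of this file would get EOVERFLOW."""
    return size_bytes > OFF_T_32_MAX


def iter_alerts(lines):
    """Yield one dict per alert record from any iterable of lines.
    Only the current record is held in memory, so a multi-gigabyte log is fine."""
    rec = None
    for line in lines:
        line = line.rstrip("\n")
        if HEADER_RE.match(line):
            if rec is not None:          # previous record lacked its blank separator
                yield rec
            rec = {"agent": None, "location": None, "rule": None, "level": None, "desc": None}
            continue
        if rec is None:                  # anything before the first header is ignored
            continue
        if line == "":                   # blank line closes the record
            yield rec
            rec = None
            continue
        m = SOURCE_RE.match(line)
        if m and rec["agent"] is None:
            rec["agent"] = m.group("agent") or m.group("host")
            rec["location"] = m.group("location")
            continue
        m = RULE_RE.match(line)
        if m and rec["rule"] is None:
            rec["rule"] = int(m.group("id"))
            rec["level"] = int(m.group("level"))
            rec["desc"] = m.group("desc")
    if rec is not None:
        yield rec


def summarize(lines):
    """Count alerts per (rule id, description) and per agent."""
    by_rule, by_agent, total = Counter(), Counter(), 0
    for a in iter_alerts(lines):
        total += 1
        by_rule[(a["rule"], a["desc"])] += 1
        by_agent[a["agent"]] += 1
    return {"total": total, "by_rule": by_rule, "by_agent": by_agent}


def summarize_file(path):
    # Streams the file from disk; a 64-bit Python opens >2 GiB files without trouble.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh)


# Constructed sample records (not taken from the thread).
SAMPLE_ALERTS = """\
** Alert 1439061745.0: - windows,authentication_failed,
2015 Aug 08 15:22:25 (dc01) 10.0.0.5->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
User: jdoe
WinEvtLog: Security: AUDIT_FAILURE(4625): example event text

** Alert 1439061746.812: - windows,authentication_failed,
2015 Aug 08 15:22:26 (dc01) 10.0.0.5->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): example event text

** Alert 1439061790.1401: - syslog,sshd,authentication_success,
2015 Aug 08 15:23:10 ossec-server->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Aug  8 15:23:09 ossec-server sshd[2201]: Accepted publickey for admin
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        size = os.path.getsize(sys.argv[1])
        print(f"{sys.argv[1]}: {size} bytes; over 32-bit limit: {exceeds_32bit_limit(size)}")
        s = summarize_file(sys.argv[1])
    else:
        s = summarize(SAMPLE_ALERTS.splitlines())
    print(f"{s['total']} alerts")
    for (rid, desc), n in s["by_rule"].most_common(10):
        print(f"{n:8d}  rule {rid}  {desc}")
    for agent, n in s["by_agent"].most_common(10):
        print(f"{n:8d}  agent {agent}")
```

Run it as `python3 alerts_summary.py /var/ossec/logs/alerts/alerts.log` to get the size verdict and the top rules and agents; without an argument it runs over the constructed sample. Because records are yielded one at a time, memory use is flat regardless of how large the file has grown.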


Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well, you need to give the correct permissions to Apache, as the WUI is running
under the Apache UID.

Eero


Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel
Thanks for the quick response. 

I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the 
error. 

I then chmod'ed alerts.log from 640 to 666 and still got the error.

Alerts.log is still growing, though. Up to 4.2G.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well,

Check memory_limit on php also.

OSSEC WUI is no longer supported. You should use Kibana + Elasticsearch
instead of it.

Eero



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel
Interesting that ossec-wui isn't supported. I downloaded the appliance 
right from ossec.net and was following the instructions.

Went through my running processes and checked out their configs... sure 
enough, kibana is also included.

Opened up a browser to localhost:5601 and Kibana is still running like a 
champ. Not even going to try to fix the wui since I'm more familiar with 
ELK.

Thanks for the help, Eero.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-09 Thread theresa mic-snare
Such a shame that WUI is no longer supported/developed.
I understand that they would rather focus on improving OSSEC than work on a web 
tool that displays the alerts.
I understand that ELK (especially Logstash and Kibana) do the job nicely...

But WUI was the perfect pick for my thesis project (test environment) as 
I'm running the OSSEC appliance on a 2 GB VM, and I don't have the 
possibility to add more RAM.
Alas, Elasticsearch and Logstash are memory-eating slugs, therefore I'm 
unable to run ELK on my test server...
Also, it would be a bit overkill just for one OSSEC master and one agent.




Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-09 Thread Daniil Svetlov
Hello, Daniel!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open-source project based on the ELK stack. It allows searching
alerts and logs and creating visualizations based on the received alerts.

If you are familiar with the ELK stack, it will be very easy for you to adjust
LightSIEM to your requirements. Also feel free to make any pull requests
or open issues.


-- 
Best regards, Daniil Svetlov.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-10 Thread dan (ddp)
On Sun, Aug 9, 2015 at 12:29 PM, theresa mic-snare
 wrote:
> such a shame that WUI is no longer supported/developed.
> i understand that they rather focus on improving OSSEC than work on a web
> tool that displays the alerts.
> i understand that ELK (especially logstash and kibana) do the job nicely...
>
> but WUI was the perfect pick for my thesis project (test environment) as I'm
> running the OSSEC appliance on a 2gb VM, and I don't have the possibility to
> add more RAM..
> alas elasticsearch and logstash are a memory eating slug therefore I'm
> unable to run ELK on my test server...
> also it would be a bit overkill just for one OSSEC master and one agent.
>

There is a GitHub repository for the WUI at https://github.com/ossec/ossec-wui
Contributions would definitely be welcome!
