[ossec-list] Re: Integrity Checking Not Working <-- BREAKTHROUGH ;-)
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Integrity Checking Not Working <-- BREAKTHROUGH ;-)
- From: "Erik Delfgaauw" <erik.delfgaauw@xxxxxxxxx>
- Date: Thu, 21 Jun 2007 20:29:49 +0200
Yeah, a thousand times or so ;-)
Will dig further and let you know when fixed...
2007/6/21, Daniel Cid <daniel.cid@xxxxxxxxx>:
Hi Erik,
Did you restart Apache after making the group changes? This is the only thing
I can think of... OSSEC WUI only requires PHP 4 or above with Posix support...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/19/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> Hi Brad,
>
> Wish that was the case, both times I run the script as the apache user, one
> time from command line, and one time through the web server, think
> something might be wrong with my Apache / PHP configuration, but I can't
> figure out what. "phpinfo" doesn't show anything strange. There are no
> errors. I was thinking of environment settings, but there's nothing OSSEC
> related in the environment of the apache user.
>
> Is there anything in addition that OSSEC requires, besides PHP? Does it need
> any additional PHP modules or libraries?
>
> E.
>
> 2007/6/19, Brad Lhotsky <lhotskyb@xxxxxxxxxxxx>:
> >
> > Perhaps you're running them as different users and it's a permissions
> > problem?
> >
> > Erik Delfgaauw wrote:
> > > Hi folks,
> > >
> > > I have found out that when I do:
> > >
> > > apache@<host>:/var/www/website/ossec-wui> php index.php f=i
> > >
> > > ...I get a correct output with an "Agent name" picklist containing all
> > > the agents, plus the Integrity Check information displayed below.
> > >
> > > However, when I go to:
> > >
> > > http://<host>/ossec-wui/index.php?f=i
> > >
> > > ...I get an incorrect output with an empty "Agent name" picklist (or
> > > merely containing ossec-server), and no Integrity Check information is
> > > displayed.
> > >
> > > So, apparently OSSEC-WUI is working fine, but somehow it goes wrong
> > > between Apache and PHP.
> > >
> > > We have tried PHP debugging, but apparently it's not that there are any
> > > errors occurring, it is just not working properly ;-)
> > >
> > > Does anybody have any idea or hint on where to look regarding this
> > > strange behavior? A PHP script that returns different information when
> > > launched on the command line than when launched through Apache web
> > > server, without returning errors?
> > >
> > > Thanks in advance !
> > >
> > > E.
> > >
> > >
> > > 2007/5/30, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx>:
> > >
> > > Hi Daniel,
> > >
> > > Verified once more, the web user is apache, and it has definitely
> > > access to the OSSEC-WUI tmp directory.
> > >
> > > In a different environment which IS working, in the OSSEC-WUI tmp
> > > directory, I see a file called output-tmp-<some-id>.php, and this
> > > file does not exist in the NOT working environment.
> > >
> > > How to proceed, where else can I look? Can it also be an Apache
> > > setting that is causing the problem?
> > >
> > > E.
> > >
> > > 2007/5/28, Daniel Cid <daniel.cid@xxxxxxxxx>:
> > >
> > > Hi Erik,
> > >
> > > Yes, I mean the ossec-wui tmp directory :) sorry for not being
> > > specific. Also, make sure to restart apache, otherwise the group
> > > permissions will not apply.
> > >
> > > Let me know how it goes :)
> > >
> > > Thanks,
> > >
> > > Daniel
> > >
> > > On 5/27/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > > > Hi Daniel,
> > > >
> > > > I guess you mean the OSSEC-WUI tmp directory right? Just to be 100% sure,
> > > > because there's also a /tmp and a /var/ossec/tmp.
> > > >
> > > > I will verify once more, gotta admit that it already makes me feel stupid
> > > > now, if this is the case ;-)
> > > >
> > > > Thanks, will get back to you this Tuesday !
> > > >
> > > > E.
> > > >
> > > > 2007/5/27, Daniel Cid <daniel.cid@xxxxxxxxx>:
> > > > > Hi Erik,
> > > > >
> > > > > Can you make sure that your web server is really running as user "www"?
> > > > > Probably a ps auwx |grep http will show you that. It looks like to me that
> > > > > php can't write to the tmp directory...
> > > > >
> > > > > daniel
> > > > >
> > > > > On 5/25/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > > > > > Hi Daniel,
> > > > > >
> > > > > > /var/ossec/queue/syscheck/ contains a bunch of files with a naming scheme
> > > > > > like:
> > > > > >
> > > > > > (<host>) <ip>->syscheck
> > > > > > .(<host>) <ip>->syscheck.cpt
> > > > > >
> > > > > > There is a couple for each agent, plus there's:
> > > > > >
> > > > > > syscheck
> > > > > > .syscheck.cpt
> > > > > >
> > > > > > I have executed every single step from the OSSEC WUI install guide, the only
> > > > > > thing about permissions was regarding the ossec-wui/tmp/ directory (chmod
> > > > > > 770/chgrp www), there are no errors in the web server log, and I have just
> > > > > > found out that Stats isn't working too, and ONLY real time search is
> > > > > > working.
> > > > > >
> > > > > > So, very likely a permission problem :-)
> > > > > >
> > > > > > What OSSEC HIDS files / directories are required for the OSSEC-WUI Integrity
> > > > > > Check, Stats and Search functionality?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > E.
> > > > > >
> > > > > >
> > > > > > 2007/5/22, Daniel Cid <daniel.cid@xxxxxxxxx>:
> > > > > > > Hi Erik,
> > > > > > >
> > > > > > > We first need to determine where the problem is (agent/server connection
> > > > > > > or at the ui).
> > > > > > >
> > > > > > > -Did you follow all the steps from the installation guide? If the
> > > > > > > permissions are wrong, it will not work properly. In addition to that,
> > > > > > > did you add your apache user name to the ossec group and restarted apache?
> > > > > > >
> > > > > > > -Do you have any file at /var/ossec/queue/syscheck ? Can you show what is
> > > > > > > in there to us?
> > > > > > >
> > > > > > > -Is there any errors at the apache error log? At the ossec log (both server
> > > > > > > and agent side)?
> > > > > > >
> > > > > > >
> > > > > > > With that information we can start troubleshooting :)
> > > > > > >
> > > > > > > thanks,
> > > > > > >
> > > > > > > --
> > > > > > > Daniel B. Cid
> > > > > > > dcid ( at ) ossec.net
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On 5/11/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > > > > > > > Hi folks,
> > > > > > > >
> > > > > > > > The Main screen of the OSSEC WUI shows "ossec-server" plus 4 agents. The
> > > > > > > > ossec-server is receiving information from the agents correctly, BUT:
> > > > > > > >
> > > > > > > > The Integrity checking screen shows:
> > > > > > > >
> > > > > > > > "No integrity checking information available.
> > > > > > > > Nothing reported as changed."
> > > > > > > >
> > > > > > > > The Agent name pick list only contains "ossec-server" and clicking the Dump
> > > > > > > > database button doesn't have any result but a quick reload of the page.
> > > > > > > >
> > > > > > > > OSSEC (1.1) + WUI (0.2) are running on RHEL ES 4.4. Port 1514 is reachable
> > > > > > > > for the agents.
> > > > > > > >
> > > > > > > > Syscheckd is running on all agents.
> > > > > > > >
> > > > > > > > I'm very curious to what the problem can be, and especially to what would be
> > > > > > > > the best way to troubleshoot this.
> > > > > > > >
> > > > > > > > Many thanks in advance !
> > > > > > > >
> > > > > > > > Erik
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> > --
> > Brad Lhotsky <lhotskyb@xxxxxxxxxxxx>
> > NCTS Computer Specialist Phone: 410.558.8006
> > "Darkness is a state of mind, I can go where you would stumble."
> > -Wolfsheim, 'Blind'
> >
>
>
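
The restart advice in the thread rests on the fact that a process keeps the group list it started with, so a script run from a fresh shell as apache can see files that the long-running httpd cannot. The following check is an added example, not part of the thread and not OSSEC or OSSEC-WUI code; the uid/gid numbers and the mode and owner of the syscheck directory are constructed assumptions, and on a live host the two text inputs would be the contents of /proc/<pid>/status for an httpd worker and of /etc/group.

```python
# Added example, not OSSEC or OSSEC-WUI code. All SAMPLE_* data is constructed.
SAMPLE_STATUS = "Name:\thttpd\nUid:\t48\t48\t48\t48\nGid:\t48\t48\t48\t48\nGroups:\t48\n"
SAMPLE_GROUP = "apache:x:48:\nossec:x:501:apache\nwww:x:502:\n"
# path -> (mode, owner uid, group gid, wanted bits r=4 w=2 x=1); modes/owners assumed
SAMPLE_PATHS = {
    "/var/ossec/queue/syscheck": (0o550, 0, 501, 5),       # root:ossec, read + enter
    "/var/www/website/ossec-wui/tmp": (0o770, 0, 502, 7),  # chmod 770 / chgrp www
}

def process_creds(status_text):
    """Effective uid, effective gid and full gid set from /proc/<pid>/status text."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    euid = int(fields["Uid"].split()[1])   # order: real, effective, saved, fs
    egid = int(fields["Gid"].split()[1])
    return euid, egid, {egid} | {int(g) for g in fields["Groups"].split()}

def configured_gids(group_text, user, primary_gid):
    """Gids that /etc/group-format text would grant `user` at its next start."""
    gids = {primary_gid}
    for line in filter(None, group_text.splitlines()):
        _name, _pw, gid, members = line.split(":")
        if user in members.split(","):
            gids.add(int(gid))
    return gids

def allowed(mode, owner, group, uid, gids, want):
    """Classic owner/group/other check (ACLs and root override ignored)."""
    shift = 6 if uid == owner else 3 if group in gids else 0
    return ((mode >> shift) & want) == want

def diagnose(status_text, group_text, user, paths):
    """Map each path to 'ok', 'restart needed' or 'denied' for the running process."""
    uid, egid, live = process_creds(status_text)
    on_disk = configured_gids(group_text, user, egid)
    verdict = {}
    for path, (mode, owner, group, want) in paths.items():
        if allowed(mode, owner, group, uid, live, want):
            verdict[path] = "ok"
        elif allowed(mode, owner, group, uid, on_disk, want):
            verdict[path] = "restart needed"   # group was granted after process start
        else:
            verdict[path] = "denied"           # fix membership or ownership first
    return verdict

if __name__ == "__main__":
    for path, state in diagnose(SAMPLE_STATUS, SAMPLE_GROUP, "apache", SAMPLE_PATHS).items():
        print(f"{state:15} {path}")
```
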
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.