2019/06/10 15:59:15 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order

Erik Bixby

unread,

Jun 10, 2019, 7:43:46 PM6/10/19

to ossec-list

I have an inherited OSSEC install that currently will not start. Repeated in /var/ossec/logs/ossec.log are a bunch of entries similar to the subject line of this message "2019/06/10 15:59:15 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'."

In order to try and get you the information you need to help:

[root@centos etc]# /var/ossec/bin/ossec-analysisd -V

OSSEC HIDS v3.3.0 - OSSEC Foundation

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

[root@centos etc]#

[root@centos etc]# cat /etc/ossec-init.conf

DIRECTORY="/var/ossec"

VERSION="3.3.0"

DATE="Fri Apr 19 17:18:04 EDT 2019"

TYPE="server"

[root@centos etc]#

[root@centos etc]# cat /var/ossec/etc/ossec.conf

<ossec_config>

<global>

<email_notification>yes</email_notification>

<email_to>it.se...@COMPANY.com</email_to>

<smtp_server>IP</smtp_server>

<email_from>os...@COMPANY.com</email_from>

<email_maxperhour>1</email_maxperhour>

</global>

<rules>

<include>rules_config.xml</include>

<include>pam_rules.xml</include>

<include>sshd_rules.xml</include>

<include>telnetd_rules.xml</include>

<include>syslog_rules.xml</include>

<include>arpwatch_rules.xml</include>

<include>symantec-av_rules.xml</include>

<include>symantec-ws_rules.xml</include>

<include>pix_rules.xml</include>

<include>named_rules.xml</include>

<include>smbd_rules.xml</include>

<include>vsftpd_rules.xml</include>

<include>pure-ftpd_rules.xml</include>

<include>proftpd_rules.xml</include>

<include>ms_ftpd_rules.xml</include>

<include>ftpd_rules.xml</include>

<include>hordeimp_rules.xml</include>

<include>roundcube_rules.xml</include>

<include>wordpress_rules.xml</include>

<include>cimserver_rules.xml</include>

<include>vpopmail_rules.xml</include>

<include>vmpop3d_rules.xml</include>

<include>courier_rules.xml</include>

<include>web_rules.xml</include>

<include>web_appsec_rules.xml</include>

<include>apache_rules.xml</include>

<include>nginx_rules.xml</include>

<include>php_rules.xml</include>

<include>mysql_rules.xml</include>

<include>postgresql_rules.xml</include>

<include>ids_rules.xml</include>

<include>squid_rules.xml</include>

<include>firewall_rules.xml</include>

<include>cisco-ios_rules.xml</include>

<include>netscreenfw_rules.xml</include>

<include>sonicwall_rules.xml</include>

<include>postfix_rules.xml</include>

<include>sendmail_rules.xml</include>

<include>imapd_rules.xml</include>

<include>mailscanner_rules.xml</include>

<include>dovecot_rules.xml</include>

<include>ms-exchange_rules.xml</include>

<include>racoon_rules.xml</include>

<include>vpn_concentrator_rules.xml</include>

<include>spamd_rules.xml</include>

<include>msauth_rules.xml</include>

<include>mcafee_av_rules.xml</include>

<include>trend-osce_rules.xml</include>

<include>ms-se_rules.xml</include>

<include>zeus_rules.xml</include>

<include>solaris_bsm_rules.xml</include>

<include>vmware_rules.xml</include>

<include>ms_dhcp_rules.xml</include>

<include>asterisk_rules.xml</include>

<include>ossec_rules.xml</include>

<include>attack_rules.xml</include>

<include>openbsd_rules.xml</include>

<include>clam_av_rules.xml</include>

<include>dropbear_rules.xml</include>

<include>local_rules.xml</include>

</rules>

<syscheck>

<frequency>79200</frequency>

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

<directories check_all="yes">/bin,/sbin</directories>

<directories realtime="yes" check_all="yes">/var/ossec/logs</directories>

<directories realtime="yes" check_all="yes">/var/ossec/etc</directories>

<ignore type="sregex">.log$|.tmp</ignore>

<ignore>/etc/mtab</ignore>

<ignore>/etc/mnttab</ignore>

<ignore>/etc/hosts.deny</ignore>

<ignore>/etc/mail/statistics</ignore>

<ignore>/etc/random-seed</ignore>

<ignore>/etc/adjtime</ignore>

<ignore>/etc/httpd/logs</ignore>

<ignore>/etc/utmpx</ignore>

<ignore>/etc/wtmpx</ignore>

<ignore>/etc/cups/certs</ignore>

<ignore>/etc/dumpdates</ignore>

<ignore>/etc/svc/volatile</ignore>

<ignore>C:\WINDOWS/System32/LogFiles</ignore>

<ignore>C:\WINDOWS/Debug</ignore>

<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>

<ignore>C:\WINDOWS/iis6.log</ignore>

<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>

<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>

<ignore>C:\WINDOWS/Prefetch</ignore>

<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>

<ignore>C:\WINDOWS/SoftwareDistribution</ignore>

<ignore>C:\WINDOWS/Temp</ignore>

<ignore>C:\WINDOWS/system32/config</ignore>

<ignore>C:\WINDOWS/system32/spool</ignore>

<ignore>C:\WINDOWS/system32/CatRoot</ignore>

</syscheck>

<rootcheck>

<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>

<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>

</rootcheck>

<active-response>

<disabled>yes</disabled>

</active-response>

<remote>

<connection>syslog</connection>

<allowed-ips>IP</allowed-ips>

</remote>

<remote>

<connection>secure</connection>

</remote>

<alerts>

<email_alert_level>4</email_alert_level>

<log_alert_level>1</log_alert_level>

</alerts>

<localfile>

<log_format>syslog</log_format>

<location>/var/log/messages</location>

</localfile>

<localfile>

<log_format>syslog</log_format>

<location>/var/log/secure</location>

</localfile>

<localfile>

<log_format>syslog</log_format>

<location>/var/log/maillog</location>

</localfile>

<localfile>

<log_format>command</log_format>

<command>df -h</command>

</localfile>

<localfile>

<log_format>full_command</log_format>

<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>

</localfile>

<localfile>

<log_format>full_command</log_format>

<command>last -n 5</command>

</localfile>

</ossec_config>

[root@centos etc]#

[root@centos etc]# cat /var/ossec/logs/ossec.log
2019/06/10 09:58:30 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 11:48:26 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 14:44:13 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 14:49:13 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:22:49 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:32:40 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:35:23 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:39:35 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:50:25 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
2019/06/10 15:59:15 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'.
[root@centos etc]#

[root@centos etc]# uname -a

Linux centos.COMPANY.local 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@centos etc]#

Please let me know what else I can do to help you help me.

-Erik

dan (ddp)

unread,

Jun 11, 2019, 7:32:29 AM6/11/19

to ossec...@googlegroups.com

On Mon, Jun 10, 2019 at 7:43 PM Erik Bixby <erik....@gmail.com> wrote:
>
> I have an inherited OSSEC install that currently will not start. Repeated in /var/ossec/logs/ossec.log are a bunch of entries similar to the subject line of this message "2019/06/10 15:59:15 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'."
>
> In order to try and get you the information you need to help:
>

Add this to internal_options.conf:

analysis.decoder_order_size=10

It was added with the dynamic decoders, but I’m not sure why it wasn’t updated during an upgrade

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/53a6dcf4-9508-462c-aab5-c84b91f84613%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Erik Bixby

unread,

Jun 11, 2019, 2:51:31 PM6/11/19

to ossec-list

Thank you for the response! It looks like the package manager did something or another untoward with that file. We're back up now! Have a glorious day!

-Erik

On Tuesday, June 11, 2019 at 4:32:29 AM UTC-7, dan (ddpbsd) wrote:

On Mon, Jun 10, 2019 at 7:43 PM Erik Bixby <erik...@gmail.com> wrote:
>
> I have an inherited OSSEC install that currently will not start. Repeated in /var/ossec/logs/ossec.log are a bunch of entries similar to the subject line of this message "2019/06/10 15:59:15 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.decoder_order_size'."
>
> In order to try and get you the information you need to help:
>

Add this to internal_options.conf:
analysis.decoder_order_size=10

It was added with the dynamic decoders, but I’m not sure why it wasn’t updated during an upgrade

>>> [root@centos etc]# /var/ossec/bin/ossec-analysisd -V
>>>
>>>
>>> OSSEC HIDS v3.3.0 - OSSEC Foundation
>>>
>>>
>>> This program is free software; you can redistribute it and/or modify
>>>
>>> it under the terms of the GNU General Public License (version 2) as
>>>
>>> published by the Free Software Foundation. For more details, go to
>>>
>>> http://www.ossec.net/main/license/
>>>
>>>
>>> [root@centos etc]#
>>
>>
>>
>> [root@centos etc]# cat /etc/ossec-init.conf
>>
>> DIRECTORY="/var/ossec"
>>
>> VERSION="3.3.0"
>>
>> DATE="Fri Apr 19 17:18:04 EDT 2019"
>>
>> TYPE="server"
>>
>> [root@centos etc]#
>
>
>>
>>
>> [root@centos etc]# cat /var/ossec/etc/ossec.conf
>>
>> <ossec_config>
>>
>> <global>
>>
>> <email_notification>yes</email_notification>
>>

>> <email_to>it.services@COMPANY.com</email_to>

> To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.

Reply all

Reply to author

Forward