cannot get Ossec WUI working


yongzh...@gmail.com

Oct 23, 2014, 5:10:57 PM
to ossec...@googlegroups.com
Hi all,

I am a newbie to OSSEC. Recently I installed OSSEC on my Ubuntu server. I downloaded ossec-wui-0.8.tar.gz and installed it at /var/www/ossec-wui by following online instructions. I got Apache working and can see its test page at http://IP/. But if I access http://IP/ossec-wui/, the browser prompts me to download/save a file called "ossec-wui". Can anyone help me out? Thanks a lot.

Best Regards,
Yongzhi

yongzh...@gmail.com

Oct 23, 2014, 7:16:33 PM
to ossec...@googlegroups.com
Another quick question: could we install/run Ossec server and Ossec agent on the same Linux machine? That is, could Ossec server also analyze its own log files? Thanks.

dan (ddp)

Oct 23, 2014, 7:20:43 PM
to ossec...@googlegroups.com


On Oct 23, 2014 5:12 PM, <yongzh...@gmail.com> wrote:
>
> Hi all,
>
> I am newbie to OSSEC. Recently I installed ossec on my Ubuntu server. I downloaded ossec-wui-0.8.tar.gz and install it at /var/www/ossec-wui by following online instruction. I get Apache working and can see its test page for http://IP/. But if I access http://IP/ossec-wui/, the browser prompts me to download/save a file which is called "ossec-wui". Can anyone help me out? Thanks a lot.
>

What if you try to load index.php in ossec-wui?
Does php work on the server?
Anything in the apache logs that might be helpful?

> Best Regards,
> Yongzhi
>

dan (ddp)

Oct 23, 2014, 7:21:07 PM
to ossec...@googlegroups.com


On Oct 23, 2014 7:17 PM, <yongzh...@gmail.com> wrote:
>
> Another quick question: could we install/run Ossec server and Ossec agent on the same Linux machine? That is, could Ossec server also analyze its own log files? Thanks.
>

The manager generally runs the applicable ossec daemons to monitor file integrity and log files.

>
>
> On Thursday, October 23, 2014 2:10:57 PM UTC-7, yongzh...@gmail.com wrote:
>>
>> Hi all,
>>
>> I am newbie to OSSEC. Recently I installed ossec on my Ubuntu server. I downloaded ossec-wui-0.8.tar.gz and install it at /var/www/ossec-wui by following online instruction. I get Apache working and can see its test page for http://IP/. But if I access http://IP/ossec-wui/, the browser prompts me to download/save a file which is called "ossec-wui". Can anyone help me out? Thanks a lot.
>>
>> Best Regards,
>> Yongzhi
>

yongzh...@gmail.com

Oct 23, 2014, 7:40:57 PM
to ossec...@googlegroups.com
Thanks Dan for your prompt response and help.


> What if you try to load index.php in ossec-wui?

If I try to load index.php (http://IP/ossec-wui/index.php), the browser prompts me to download/save the index.php file.

> Does php work on the server?

It should work. I will verify it later.

> Anything in the apache logs that might be helpful?

I only see the following error messages and guess they were from my previous trials of http://IP/ossec

[Wed Oct 22 23:08:01 2014] [error] [client 10.45.10.17] File does not exist: /var/www/ossec
[Wed Oct 22 23:08:01 2014] [error] [client 10.45.10.17] File does not exist: /var/www/favicon.ico
[Wed Oct 22 23:08:01 2014] [error] [client 10.45.10.17] File does not exist: /var/www/favicon.ico
[Wed Oct 22 23:08:10 2014] [error] [client 10.45.10.17] File does not exist: /var/www/ossec
[Thu Oct 23 14:00:22 2014] [error] [client 10.45.19.65] File does not exist: /var/www/favicon.ico
[Thu Oct 23 14:05:21 2014] [error] [client 10.45.19.65] File does not exist: /var/www/ossec
[Thu Oct 23 14:09:02 2014] [error] [client 10.45.19.65] File does not exist: /var/www/favicon.ico
[Thu Oct 23 14:59:35 2014] [error] [client 10.45.19.65] File does not exist: /var/www/ossec

yongzh...@gmail.com

Oct 23, 2014, 7:46:52 PM
to ossec...@googlegroups.com
I am afraid that I didn't get you. I know an OSSEC server could support multiple machines which install & run the OSSEC agent in most real cases. I just want to clarify whether we could run log gathering (agent) & log analysis (server) on the same machine, for example, for learning or training purposes? Thanks a lot.

dan (ddp)

Oct 23, 2014, 7:52:33 PM
to ossec...@googlegroups.com


On Oct 23, 2014 7:47 PM, <yongzh...@gmail.com> wrote:
>
> Thanks Dan for your prompt response and help.
>
>
> What if you try to load index.php in ossec-wui?
>
> If I tried to load index.php (http://IP/ossec-wui/index.php) the browser will prompt to download/save index.php file.
>
> Does php work on the server?
>
> It should work. I will verify it later.
>

It definitely seems like this is an important step.

dan (ddp)

Oct 23, 2014, 7:53:26 PM
to ossec...@googlegroups.com


On Oct 23, 2014 7:47 PM, <yongzh...@gmail.com> wrote:
>
> I am afraid that I didn't get you. I know a ossec server could support multiple machine which install & run ossec agent in most real cases. I just want to clarify if we could run log gathering (agent) & log analysis (server) on the same machine, for example, for learning or training purpose? Thanks a lot.
>
>

Yeah, I don't think you understood my response at all. But then, I guessed your question meant something it did not.
Yes, you can run an agent and the manager on the same system. I do this on my laptop for testing purposes.
You do not need to run a full agent to monitor the manager's logs and file integrity though. The typical manager runs logcollector and syscheck automagically.

yongzh...@gmail.com

Oct 24, 2014, 5:01:00 PM
to ossec...@googlegroups.com
Dan, you are right. It turned out to be a PHP installation/configuration issue. I uninstalled Apache2 & PHP5 and then re-installed them to fix the issue. Thanks a lot.

yongzh...@gmail.com

Oct 24, 2014, 5:15:55 PM
to ossec...@googlegroups.com
Thank you so much for your confirmation.

I can see the local agent in the ossec-wui main page ("Available agents" field). Not sure if that means the agent is successfully running on the server. For example, I made a login failure on purpose but I didn't see any corresponding alert for it. At this point, I can see a "level 7 - New dpkg (Debian Package) installed" alert for that server but am not sure if it is from the manager or from the agent. Do I need to define a special rule for the local agent to capture that kind of login failure, or do I really need to start the local agent first?

dan (ddp)

Oct 27, 2014, 10:19:35 AM
to ossec...@googlegroups.com
On Fri, Oct 24, 2014 at 5:15 PM, <yongzh...@gmail.com> wrote:
> Thank you so much for your confirmation.
>
> I can see the local agent in the ossec-wui main page ("Available agents"
> field). Not sure if that mean the agent is successfully running on the
> server. For example, I made a login failure on purpose but I didn't see any
> corresponding alter for it. At this point, I can see "level 7 - New dpkg
> (Debian Package) installed" alert for that server but not sure if it is from
> manager or from agent. Do I need to define a special rule for the local
> agent to capture that kind of login failure or I really need to start local
> agent first?
>

I know next to nothing about the WUI. I continue to think it's horrible.
However, check the alerts.log file on the manager. Does a login alert
appear in there?
If not, what logfile does the login failure message get logged to?
Is that file being monitored by that system's OSSEC installation
(check the ossec.conf localfile options)?
If so, can you provide a sample of the log message? We can try to
create or modify a rule to capture it.
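
The ossec.conf localfile check suggested above can be scripted. This is an added example, not part of the original post and not OSSEC project code: it lists every `<location>` declared in `<localfile>` blocks and reports whether a given log path is covered. The sample config is constructed; on a default install the real file is assumed to be /var/ossec/etc/ossec.conf.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread). It has two <ossec_config>
# blocks, which OSSEC accepts but a strict XML parser rejects as multi-rooted.
SAMPLE_CONF = """\
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/*.log</location>
  </localfile>
</ossec_config>
"""

def monitored_files(conf_text):
    """Map each <localfile> <location> to its <log_format>."""
    # Wrap in a synthetic root so several <ossec_config> blocks parse cleanly.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    found = {}
    for entry in root.iter("localfile"):
        location = entry.findtext("location")
        if location:  # command-type entries carry no <location>
            found[location.strip()] = (entry.findtext("log_format") or "").strip()
    return found

def is_monitored(conf_text, path):
    """True if path equals a location or matches a wildcard location."""
    # fnmatch only approximates OSSEC's own wildcard expansion.
    return any(fnmatch.fnmatch(path, pattern) for pattern in monitored_files(conf_text))

if __name__ == "__main__":
    for log in ("/var/log/auth.log", "/var/log/syslog", "/var/log/apache2/error.log"):
        print(log, "monitored" if is_monitored(SAMPLE_CONF, log) else "NOT monitored")
```

In the constructed sample, /var/log/auth.log is not covered by any localfile entry, which is the kind of gap this check is meant to surface before looking at rules.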

yongzh...@gmail.com

Oct 29, 2014, 12:54:24 PM
to ossec...@googlegroups.com
It turned out to be an rsyslogd-related issue. I fixed it, and then OSSEC successfully dug out the event messages from /var/log/auth.log and showed them in the WUI. The issue has been solved. Dan, thank you so much for your prompt and great help!