OSSEC analysisd: Testing rules failed. Configuration error. Exiting.


Jesse Cail

May 25, 2017, 9:07:54 PM
to security-onion
So - I've gotten a few agents deployed following the instructions on both GitHub and the OSSEC page, but I had a sneaking suspicion that nothing was actually communicating. If I do list-agents -c, I get no agent available. I tried stopping and starting the server, but I get the error listed in the subject ("OSSEC analysisd: Testing rules failed. Configuration error. Exiting."). A quick google revealed that there was a known bug in the control script for 2.6. I've also read about issues occurring with agent/server version mismatch. I've downloaded the latest agents from the OSSEC site (2.8.3). Not entirely sure how to see what version is in SO to check. Also, haven't yet run wireshark, but I did use the so-allow to list the agents. I see in ELSA that at least one is communicating, but ONLY one. The other three are not connected.

Any help would be appreciated

dan (ddp)

May 25, 2017, 9:16:49 PM
to securit...@googlegroups.com
On Thu, May 25, 2017 at 9:07 PM, Jesse Cail <jesse....@gmail.com> wrote:
> So - I've gotten a few agents deployed following the instructions on both GitHub and the OSSEC page, but I had a sneaking suspicion that nothing was actually communicating. If I do list-agents -c, I get no agent available. I tried stopping and starting the server, but I get the error listed in the subject ("OSSEC analysisd: Testing rules failed. Configuration error. Exiting."). A quick google revealed that there was a known bug in the control script for 2.6. I've also read about issues occurring with agent/server version mismatch. I've downloaded the latest agents from the OSSEC site (2.8.3). Not entirely sure how to see what version is in SO to check. Also, haven't yet run wireshark, but I did use the so-allow to list the agents. I see in ELSA that at least one is communicating, but ONLY one. The other three are not connected.
>
> Any help would be appreciated
>

/var/ossec/logs/ossec.log should contain more information on what rule
configuration is causing an issue.


Jesse Cail

May 25, 2017, 9:51:05 PM
to security-onion
It's late, I'm tired... sorry

Access denied when attempting to scp to the log location or cd to it in PuTTY.

dan (ddp)

May 25, 2017, 9:59:56 PM
to securit...@googlegroups.com
On Thu, May 25, 2017 at 9:51 PM, Jesse Cail <jesse....@gmail.com> wrote:
> It's late, I'm tired... sorry
>
> access denied when attempting to scp to log location or CD to it in putty
>

You will probably need to use sudo to access the file.
Or you can run `sudo /var/ossec/bin/ossec-logtest -t`
It should provide the same output.

Jesse Cail

May 25, 2017, 10:11:27 PM
to security-onion
Dan,

Thanks, the `sudo /var/ossec/bin/ossec-logtest -t` did the trick. I had fat-fingered the email configuration in the ossec.conf file (groan):

2017/05/26 02:04:56 ossec-config(1226): ERROR: Error reading XML file '/var/ossec/etc/ossec.conf': XMLERR: Element '\email_from' not closed. (line 11)

A quick edit via nano, and all is well!

Rodolfo Peña

Nov 4, 2018, 11:40:26 AM
to security-onion
Dan,

I ran the log query and got ERROR: Definition not found for: ánalysisd.geoip_jsonout.´

Can you shed some light on what this is about?

Steven J

Nov 4, 2018, 1:46:34 PM
to securit...@googlegroups.com

Not sure if this is useful but... https://github.com/ossec/ossec-hids/issues/1488

Is your line above a copy/paste or a typo?
I think your accented á  should be 'a instead?
also, is the period needed at the end?

I use italics instead of quoting, because sometimes the quote is part of the actual string. :-)


Rodolfo Peña

Nov 4, 2018, 4:27:55 PM
to securit...@googlegroups.com
Sorry, I copy/pasted from the error message but my Spanish spell checker sometimes does funny things. I should have corrected it. I will look into your suggestion. My ossec installation was working fine but I made the mistake of installing the ELK apps and now everything seems to be wrong. Kibana says that the plugins are in 3.x and it is in 4.2.x and therefore incompatible, then I get this ERROR: analysisd.geoip_jsonout which is something I know nothing about. Very frustrating.

Thanks for your help. As I say, I’ll look into the link you sent.

Regards,
Rodolfo

Rodolfo Peña

Nov 4, 2018, 7:52:51 PM
to securit...@googlegroups.com
This link was very useful, indeed. Copying the internal_options.conf.rpmnew to the internal_options.conf (after backing up as suggested by the person who posted the original fix) does fix the problem of the ERROR: Definition not found for: analysisd.geoip_jsonout

Thank you for passing the link on and thanks to theuberuser.

Now, if I could find a fix for the Kibana problem...

Rodolfo
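The fix above replaces the installed internal_options.conf with the packaged .rpmnew wholesale. As an added example (not code from the thread or from the OSSEC project), this POSIX sh snippet shows the narrower version of that step: list the key=value definitions the .rpmnew carries that the installed file lacks, back the installed file up, and append only those. The two sample files are constructed inline so it runs offline; on a real host you would point it at /var/ossec/etc/internal_options.conf and its .rpmnew.

```shell
#!/bin/sh
# Added example: reconcile an installed OSSEC internal_options.conf with the
# package's .rpmnew without discarding local tuning. The file format is one
# "key=value" per line; lines starting with '#' are comments.

# Constructed sample of the installed file (predates the geoip_jsonout option).
OLD_CONF=$(mktemp)
cat >"$OLD_CONF" <<'EOF'
# OSSEC internal options (constructed sample, trimmed)
analysisd.default_timeframe=360
analysisd.stats_maxdiff=999000
analysisd.rlimit=3000
EOF

# Constructed sample of the .rpmnew shipped by the newer package.
NEW_CONF=$(mktemp)
cat >"$NEW_CONF" <<'EOF'
# OSSEC internal options (constructed sample, trimmed)
analysisd.default_timeframe=360
analysisd.stats_maxdiff=999000
analysisd.rlimit=3000
analysisd.geoip_jsonout=0
EOF

# Print every key=value line in $2 (.rpmnew) whose key is not defined in $1.
missing_definitions() {
    installed="$1"; shipped="$2"
    grep -E '^[[:space:]]*[A-Za-z0-9_.]+=' "$shipped" | while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in grep
        if ! grep -Eq "^[[:space:]]*${key_re}=" "$installed"; then
            printf '%s\n' "$line"
        fi
    done
}

# Back the installed file up (as the thread advises), then append what is missing.
merge_missing() {
    installed="$1"; shipped="$2"
    cp "$installed" "$installed.bak"
    missing_definitions "$installed" "$shipped" >>"$installed"
}

missing_definitions "$OLD_CONF" "$NEW_CONF"   # shows analysisd.geoip_jsonout=0
merge_missing "$OLD_CONF" "$NEW_CONF"
```

After merging, re-run `sudo /var/ossec/bin/ossec-logtest -t` to confirm analysisd no longer reports a missing definition.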

Wes Lambert

Nov 5, 2018, 8:08:36 AM
to securit...@googlegroups.com
Hi Rodolfo, 

What "ELK apps" have you installed?

You may want to try running so-elastic-configure to see if it helps. 

Thanks,
Wes

Rodolfo Peña

Nov 5, 2018, 11:03:06 AM
to securit...@googlegroups.com
Wes,

While trying to learn what this is all about, I installed Ossec 2.9.3 .ova file in my VirtualBox, then I installed Elasticsearch, Kibana, and Logstash. I am running Ossec as an agent in another box and a virtual Windows XP with an agent on it. 

I have also installed in my VirtualBox, Security Onion, and SELKS. 

I am exploring each one of these options and softwares in order to learn what’s what and then report to IT management. 

Regards,

Rodolfo 

Rodolfo Peña

Nov 5, 2018, 11:06:14 AM
to securit...@googlegroups.com
Hi Wes,

Run the so-elastic-configure where? Please pardon my ignorance.

Rodolfo

Wes

Nov 5, 2018, 11:27:44 AM
to security-onion
Hi Rodolfo,

I was under the impression that you were installing additional ELK components on top of Security Onion, so if you were having issues with Security Onion, I was recommending you run that on the Security Onion box.

Thanks,
Wes