Error OSSEC analysisd: Testing rules failed. Configuration error. Exiting.


Maxim Parpaley

Mar 23, 2017, 6:49:04 AM
to Wazuh mailing list
Hi,

I am new to Wazuh and want to know what I missed. I've tried the configuration for process monitoring (http://santi-bassett.blogspot.com/2015/08/how-to-monitor-running-processes-with-ossec.html) and after restarting the process I got the error: Error OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

My configuration:

- Added in local_rules.xml:

<rule id="8000001" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
<rule id="8000002" level="0">
  <if_sid>8000001</if_sid>
  <match>wordpad.exe</match>
  <description>Processes running as expected.</description>
  <group>process_monitor,</group>
</rule>

- Added in ossec.conf in /var/ossec/etc/shared/
<logall> yes </logall>

- created file agent.conf in 
<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>
</agent_config> 


Finally got error:

root@ubuntu:/var/ossec/etc/shared# /var/ossec/bin/ossec-control restart
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-remoted not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v2.9.0 Stopped
Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.


Thank you 
BR, max





Kat

Mar 23, 2017, 10:45:00 AM
to Wazuh mailing list
Check /var/ossec/logs/ossec.log; it will have details on which line is causing the error.

Santiago Bassett

Mar 23, 2017, 11:05:29 AM
to Kat, Wazuh mailing list
Also try running /var/ossec/bin/ossec-logtest

Most likely what happens is that you need to include the new rules inside a group.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/dc65622a-1fa8-42c2-873e-3239eacd5e71%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Maxim Parpaley

Mar 23, 2017, 12:51:55 PM
to Wazuh mailing list
In logs I see

2017/03/23 18:48:30 ossec-testrule(1230): ERROR: Invalid element in the configuration: 'logall'.
2017/03/23 18:48:30 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/03/23 18:48:30 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

Logtest the same error 

root@ubuntu:/var/ossec/etc# /var/ossec/bin/ossec-logtest
2017/03/23 18:50:29 ossec-testrule(1230): ERROR: Invalid element in the configuration: 'logall'.
2017/03/23 18:50:29 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/03/23 18:50:29 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.



On Thursday, 23 March 2017 at 12:49:04 UTC+2, Maxim Parpaley wrote:

Maxim Parpaley

Mar 23, 2017, 12:57:15 PM
to Wazuh mailing list
I modified ossec.conf (put logall between global)

<global>
    <jsonout_output>yes</jsonout_output>
    <email_notification>no</email_notification>
    <logall>yes</logall>
  </global>


Now I have this error 

2017/03/23 18:55:13 rules_op: Invalid root element "rule".Only "group" is allowed
2017/03/23 18:55:13 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.






Jesus Linares

Mar 23, 2017, 1:02:25 PM
to Maxim Parpaley, Wazuh mailing list
Hi,

In the local_rules file, you must define the rules inside a "group" tag. Take a look at the default rules.

Regards.


Maxim Parpaley

Mar 23, 2017, 1:12:38 PM
to Wazuh mailing list


Jesus, thanks, better but still some error:

<group name="process_monitor,">
  <rule id="8000010" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist'</match>
    <description>Critical process not found.</description>
  </rule>
  <rule id="8000020" level="0">
    <if_sid>8000010</if_sid>
    <match>wordpad.exe</match>
    <description>Processes running as expected.</description>
  </rule>
</group> <!-- process_monitor -->



2017/03/23 19:10:03 rules_list: Signature ID '8000010' not found. Invalid 'if_sid'.







Victor Fernandez

Mar 23, 2017, 1:19:33 PM
to Maxim Parpaley, Wazuh mailing list
Hi Maxim,

I tested your rule definitions and I detected another problem: the rule ID exceeds 6 digits. It seems to work if we remove a "0" from the IDs. This is the complete configuration:

<?xml version="1.0" encoding="UTF-8"?>
<group name="process_monitor,">
  <rule id="800010" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist'</match>
    <description>Critical process not found.</description>
  </rule>
  <rule id="800020" level="0">
    <if_sid>800010</if_sid>
    <match>wordpad.exe</match>
    <description>Processes running as expected.</description>
  </rule>
</group>

Hope it helps.

Best regards,
Victor.






--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
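The three load-time errors hit in this thread (a <rule> outside any <group>, a rule id longer than six digits, and an <if_sid> pointing at an id the loader never accepted) can all be caught before restarting the manager. The following checker is an added example and not OSSEC or Wazuh code; it replays the three versions of the rules posted above as constructed input. The six-digit limit (MAX_ID_DIGITS) is taken from what the thread reports rather than from the source, and rules 500 and 530 are assumed to be present from the stock ossec_rules.xml.

```python
"""Static checks for an OSSEC/Wazuh local_rules.xml before restarting the manager.

Added example, not OSSEC or Wazuh code. It reproduces the three load-time
failures seen in this thread: <rule> outside a <group>, a rule id longer than
six digits (the limit the thread reports; MAX_ID_DIGITS is an assumption), and
an <if_sid> that points at an id the loader never accepted.
"""
import re
import xml.etree.ElementTree as ET

MAX_ID_DIGITS = 6                        # assumption: 8000010 was rejected, 800010 loaded
MAX_LEVEL = 16                           # OSSEC alert levels run 0..16
BUILTIN_IDS = frozenset({"500", "530"})  # parents from the stock ossec_rules.xml used here

# Constructed samples: the three versions of the rules posted in the thread.
NO_GROUP = """
<rule id="8000001" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
"""

SEVEN_DIGIT_IDS = """
<group name="process_monitor,">
  <rule id="8000010" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist'</match>
    <description>Critical process not found.</description>
  </rule>
  <rule id="8000020" level="0">
    <if_sid>8000010</if_sid>
    <match>wordpad.exe</match>
    <description>Processes running as expected.</description>
  </rule>
</group>
"""

FIXED = """<?xml version="1.0" encoding="UTF-8"?>
<group name="process_monitor,">
  <rule id="800010" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist'</match>
    <description>Critical process not found.</description>
  </rule>
  <rule id="800020" level="0">
    <if_sid>800010</if_sid>
    <match>wordpad.exe</match>
    <description>Processes running as expected.</description>
  </rule>
</group>
"""


def validate_rules(xml_text, known_ids=BUILTIN_IDS):
    """Return a list of error strings; an empty list means the file loads cleanly."""
    errors = []
    # A rules file is a sequence of <group> elements with no single root element,
    # so drop any XML declaration and wrap the text to make it parseable.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    try:
        root = ET.fromstring(f"<rules>{body}</rules>")
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]

    loaded = set(known_ids)
    for element in root:
        if element.tag != "group":
            errors.append(f'Invalid root element "{element.tag}". Only "group" is allowed')
            continue
        for rule in element.findall("rule"):
            rule_id = rule.get("id", "")
            level = rule.get("level", "")
            accepted = True
            if not rule_id.isdigit() or len(rule_id) > MAX_ID_DIGITS:
                errors.append(f"Rule id '{rule_id}' is invalid: expected 1-{MAX_ID_DIGITS} digits")
                accepted = False
            if not level.isdigit() or int(level) > MAX_LEVEL:
                errors.append(f"Rule '{rule_id}': level '{level}' must be 0-{MAX_LEVEL}")
                accepted = False
            # Parents resolve in file order, so a child whose parent was rejected
            # above (or is defined further down) reports the parent as missing.
            for sid in rule.findall("if_sid"):
                for parent in (sid.text or "").split(","):
                    parent = parent.strip()
                    if parent and parent not in loaded:
                        errors.append(f"Signature ID '{parent}' not found. Invalid 'if_sid'.")
            if accepted:
                loaded.add(rule_id)
    return errors


if __name__ == "__main__":
    for name, text in (("no_group", NO_GROUP), ("seven_digit_ids", SEVEN_DIGIT_IDS), ("fixed", FIXED)):
        print(name, validate_rules(text) or "OK")
```

Note how the second sample reproduces the confusing message from the thread: the parent rule 8000010 is rejected for its id, so the child's <if_sid> then fails with "Signature ID not found" even though the id is visibly present in the file.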

Maxim Parpaley

Mar 23, 2017, 1:29:30 PM
to Wazuh mailing list
Thank you all, works!  



Maxim Parpaley

Mar 23, 2017, 2:25:43 PM
to Wazuh mailing list
Looks like I missed something. Sorry for the easy questions:

- For this new rule, what decoder will be used?
- Why don't I see the tasklist output in the Windows agent log?

Can you please give me a short description of the process?
 
 


Victor Fernandez

Mar 23, 2017, 3:13:44 PM
to Maxim Parpaley, Wazuh mailing list
Hi,

Your rule's parent is rule 530. Also, rule 530 is a child of rule 500. If you find it you will see:

<rule id="500" level="0">
  <category>ossec</category>
  <decoded_as>ossec</decoded_as>
  <description>Grouping of ossec rules.</description>
</rule>

The <decoded_as> line restricts the rule to logs decoded with the "ossec" decoder. You can find it in the "decoders" folder.

Received logs pass through a simple pipeline:

(reception) → (decoding) → (rule matching) → (alert output)

The decoding stage's main purpose is to extract parts of the log into fields (srcip, id, user, port, etc.). Rules are the conditions that decide whether or not a log becomes an alert.

In the case of rule 500, matching with the "ossec" decoder is a condition.

Regarding your 2nd question, I am not sure I have understood correctly. Agents collect and send logs to the server, but they are not stored in the agent log (it is reserved for the agent's own running messages). If you enable the archives log, you will have every log sent by agents, whether or not they become alerts. You can do it by editing the file "/var/ossec/etc/ossec.conf" on the manager and setting "logall" to "yes":

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>oss...@example.wazuh.com</email_from>
  <email_to>reci...@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>

Archive logs are stored in the file "/var/ossec/logs/archives/archives.log".

Best regards.

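To make the pipeline Victor describes concrete (decoding, then rule matching down the if_sid tree, then the alert decision), here is an added toy model of it run over the process-monitoring rules from this thread. It is not OSSEC or Wazuh code and simplifies deliberately: the decoder stage is a prefix test, <match> handles only OSSEC's leading ^ anchor plus plain substring search, and each stage picks the first matching child of the rule that matched last. The tasklist output lines and the sshd line are constructed, and the description given for rule 530 is paraphrased. The default alert threshold of 1 is OSSEC's stock <log_alert_level>, which is why a level-0 rule never alerts.

```python
"""A toy model of the OSSEC pipeline (decode -> rule matching -> alert) run over
the process-monitoring rules from this thread.

Added example, not OSSEC or Wazuh code. Simplifications: the decoder stage is a
prefix test, <match> supports only a leading ^ anchor and substring search, and
the deepest matching rule in the if_sid tree decides the alert level.
"""

# full_command output arrives as "ossec: output: '<command>': <stdout>" (constructed lines)
TASKLIST_WITH_WORDPAD = ("ossec: output: 'tasklist': System 4 Services 0 "
                         "wordpad.exe 2312 Console 1 14,212 K explorer.exe 1904 Console 1")
TASKLIST_WITHOUT_WORDPAD = ("ossec: output: 'tasklist': System 4 Services 0 "
                            "explorer.exe 1904 Console 1 notepad.exe 2240 Console 1")
UNRELATED_LOG = "Mar 23 18:48:30 host sshd[1201]: Failed password for root from 10.0.0.5 port 4022"

DEFAULT_ALERT_LEVEL = 1  # OSSEC's default <log_alert_level>: level-0 matches never alert

RULES = [
    # rule 500 from ossec_rules.xml: no <match>, but the log must come from the "ossec" decoder
    {"id": "500", "level": 0, "if_sid": None, "decoded_as": "ossec", "match": None,
     "description": "Grouping of ossec rules."},
    # rule 530 (description paraphrased): parent of all "ossec: output:" command logs
    {"id": "530", "level": 0, "if_sid": "500", "decoded_as": None, "match": "^ossec: output: ",
     "description": "OSSEC process monitoring rules."},
    # the two rules from this thread, with the corrected six-digit ids
    {"id": "800010", "level": 7, "if_sid": "530", "decoded_as": None,
     "match": "^ossec: output: 'tasklist'", "description": "Critical process not found."},
    {"id": "800020", "level": 0, "if_sid": "800010", "decoded_as": None,
     "match": "wordpad.exe", "description": "Processes running as expected."},
]


def decode(log):
    """Decoding stage stand-in: the 'ossec' decoder claims lines that begin 'ossec: '."""
    return "ossec" if log.startswith("ossec: ") else None


def os_match(pattern, text):
    """Simplified <match>: a leading ^ anchors to the start, anything else is a substring test."""
    if pattern is None:
        return True
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


def evaluate(log, rules=RULES):
    """Walk the rule tree: try root rules, then the children of whatever matched,
    descending until no child matches. Returns the deepest matching rule or None."""
    decoder = decode(log)
    matched = None
    candidates = [r for r in rules if r["if_sid"] is None]
    while candidates:
        hit = next((r for r in candidates
                    if r["decoded_as"] in (None, decoder) and os_match(r["match"], log)), None)
        if hit is None:
            break
        matched = hit
        candidates = [r for r in rules if r["if_sid"] == hit["id"]]
    return matched


def alert(log, threshold=DEFAULT_ALERT_LEVEL):
    """Alert stage: return (id, level, description) only when the final rule's level reaches the threshold."""
    rule = evaluate(log)
    if rule is None or rule["level"] < threshold:
        return None
    return (rule["id"], rule["level"], rule["description"])


if __name__ == "__main__":
    for log in (TASKLIST_WITH_WORDPAD, TASKLIST_WITHOUT_WORDPAD, UNRELATED_LOG):
        rule = evaluate(log)
        print(rule["id"] if rule else "-", alert(log))
```

Running it shows the inversion the two rules rely on: every tasklist output matches 800010 at level 7, and the level-0 child 800020 silences that alert only when "wordpad.exe" appears somewhere in the output. The sshd line never reaches the ossec rule tree because rule 500 requires the ossec decoder. The check is a plain substring match, so any process whose name contains wordpad.exe satisfies it; to watch several processes you need one level-0 child per process name, and a missing process is only noticed when all such children fail to match.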

Maxim Parpaley

Mar 27, 2017, 6:25:36 AM
to Wazuh mailing list
Victor, Thank you very much for detailed explanation! 
 
