
OSSEC WUI Unable to retrieve alerts. #1577

Closed
domugtong opened this issue Nov 19, 2018 · 10 comments

Comments

@domugtong

Hello @ddpbsd

I am having this error on OSSEC WUI

image

I've tried to set my /var/ossec/tmp to 777 but still the same. Is there anything I'm missing?
My apologies. I'm new to this OSSEC thing.

@ddpbsd
Member

ddpbsd commented Nov 19, 2018

Did you add your webserver user to the ossec group and restart the webserver processes?

@domugtong
Author

Yes. My web server user is apache. I found this link; do you think it could be the answer?

@ddpbsd
Member

ddpbsd commented Nov 19, 2018

No idea. The wui project has been abandoned for years, and I haven’t used it in forever.
You should check your apache logs for errors.

@domugtong
Author

Alright. I'll check it again later and give you an update.

@domugtong
Author

@ddpbsd here is the error I'm getting in my PHP error logs:

fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Permission denied in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 839, referer: http://192.168.0.1/

@ddpbsd
Member

ddpbsd commented Nov 19, 2018

So it looks like /var/ossec/logs/alerts/alerts.log either has too strict of permissions, or apache isn't actually a part of the ossec group.

@domugtong
Author

I've tried to set chmod 777 -R * on both /var/ossec/ and /var/www/html/ossec-wui.
Here are the results when I execute:

[root@rhel-home ossec-wui]# grep ossec /etc/group
ossec:x:995:apache

Is the group correct?

@ddpbsd
Member

ddpbsd commented Nov 19, 2018

Ok, assuming apache runs as the apache user it should be ok. Make sure apache got restarted so the group takes effect.
You can also look at /var/log/audit/audit.log for any failures.
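The thread so far narrows the failure down to three ordinary (non-SELinux) conditions: the web server user must be in the ossec group, every directory between / and the alert log must be traversable by that group, and the log file itself must be group-owned by ossec and group-readable. The following script is an added diagnostic helper, not part of ossec-wui or of anything posted in this issue; it checks those three conditions from a shell. Its defaults (user apache, group ossec, log /var/ossec/logs/alerts/alerts.log) are assumptions taken from this thread and can be overridden as arguments.

```shell
#!/bin/sh
# Added diagnostic helper (not part of ossec-wui or this issue). Checks the
# three things that must hold for the WUI's PHP to fopen() the alert log:
#   1. the web server user is a member of the ossec group,
#   2. every ancestor directory of the log lets that group traverse it,
#   3. the log is group-owned by ossec and group-readable.
# Assumed defaults: user "apache", group "ossec",
# log /var/ossec/logs/alerts/alerts.log, group database /etc/group.

# Succeeds if USER is listed as a member of GROUP in GROUPFILE (/etc/group format).
user_in_group() {
    user=$1; group=$2; groupfile=${3:-/etc/group}
    members=$(awk -F: -v g="$group" '$1 == g { print $4; exit }' "$groupfile")
    printf ',%s,' "$members" | grep -q ",$user,"
}

# Prints the octal permission digit for "group" (middle) or "other" (last) of MODE.
mode_digit() {
    mode=$1; which=$2
    case $which in
        group) printf '%s' "$mode" | sed 's/.*\(.\).$/\1/' ;;
        other) printf '%s' "$mode" | sed 's/.*\(.\)$/\1/' ;;
    esac
}

# Succeeds if every ancestor directory of PATH is traversable by a member of
# GROUP: either group-owned by GROUP with g+x, or o+x for everyone.
group_can_traverse() {
    path=$1; group=$2
    dir=$(dirname "$path")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        info=$(stat -c '%G %a' "$dir") || return 1
        set -- $info
        dgroup=$1; mode=$2
        if [ "$dgroup" = "$group" ] && [ $(( $(mode_digit "$mode" group) & 1 )) -eq 1 ]; then
            :
        elif [ $(( $(mode_digit "$mode" other) & 1 )) -eq 1 ]; then
            :
        else
            echo "cannot traverse $dir (group $dgroup, mode $mode)" >&2
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# Succeeds if FILE is group-owned by GROUP and has the group read bit set.
group_can_read() {
    file=$1; group=$2
    info=$(stat -c '%G %a' "$file") || return 1
    set -- $info
    [ "$1" = "$group" ] || { echo "$file is group $1, not $group" >&2; return 1; }
    [ $(( $(mode_digit "$2" group) & 4 )) -eq 4 ]
}

# Runs all three checks in order; stops at the first failing one.
check_alert_access() {
    user=${1:-apache}; group=${2:-ossec}
    log=${3:-/var/ossec/logs/alerts/alerts.log}; groupfile=${4:-/etc/group}
    user_in_group "$user" "$group" "$groupfile" ||
        { echo "$user is not in group $group (restart the web server after adding it)" >&2; return 1; }
    group_can_traverse "$log" "$group" || return 1
    group_can_read "$log" "$group" || return 1
    # Permission bits are fine; if fopen() still fails, look at SELinux denials:
    #   ausearch -m AVC -ts recent   (or grep denied /var/log/audit/audit.log)
    echo "DAC checks pass for $user -> $log"
}

# Uncomment to run against the live system:
# check_alert_access apache ossec
```

If all three checks pass and PHP still reports "Permission denied", discretionary permissions are not the cause and the audit log mentioned above is the next place to look.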

@sdellenb

sdellenb commented Nov 21, 2018

As @ddpbsd mentioned, it could be an SELinux issue (check /var/log/audit/audit.log).

I have this SELinux module (ossec-wui.te) to allow the webserver running ossec-wui to access the log files:

module ossec-wui 1.1;

require {
        type var_log_t;
        type httpd_t;
        type var_t;
        class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t var_log_t:file { read open };
allow httpd_t var_t:file { read getattr open };

The error message re-appears after every logrotate and is resolved with

restorecon -Rv /var/ossec/logs

I'm not sure why it messes up the SELinux labels all the time.
This is the fcontext for the log files on my system (might not be there by default):

# semanage fcontext -l | grep ossec
/var/ossec/logs(/.*)?                              all files          system_u:object_r:var_log_t:s0
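The comment above shows the policy source and the file-context rule but not how the pieces are put in place. The script below is an added example, not from this issue or the ossec-wui project: it compiles and loads the ossec-wui.te module with checkmodule/semodule_package/semodule, checks whether the var_log_t rule for /var/ossec/logs already exists in the `semanage fcontext -l` listing (so the rule is added with -a or modified with -m, since -a fails on an existing pattern), and then runs the same restorecon shown above, with a dry-run option to see which labels would change. It assumes a RHEL-style system with the checkpolicy and policycoreutils-python packages installed; the TE_FILE and LOG_DIR variables are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the issue or the ossec-wui project): load the
# ossec-wui.te module quoted above and make the var_log_t label on
# /var/ossec/logs persistent so restorecon restores it after rotation.
# Assumes checkmodule, semodule_package, semodule, semanage and restorecon
# are installed; the two defaults below are assumptions.
TE_FILE=${TE_FILE:-./ossec-wui.te}
LOG_DIR=${LOG_DIR:-/var/ossec/logs}
LOG_PATTERN="$LOG_DIR(/.*)?"

# Build the binary module package from the .te source and load it (needs root).
install_ossec_wui_module() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Reads `semanage fcontext -l` output on stdin; succeeds if a rule whose path
# pattern is exactly PATTERN assigns type TYPE. Listing lines look like:
#   /var/ossec/logs(/.*)?    all files    system_u:object_r:var_log_t:s0
fcontext_rule_present() {
    pattern=$1; type=$2
    awk -v p="$pattern" -v t="$type" '
        $1 == p && $NF ~ (":" t ":") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Add (or modify) the persistent file-context rule, then relabel on disk.
ensure_log_fcontext() {
    if semanage fcontext -l | fcontext_rule_present "$LOG_PATTERN" var_log_t; then
        echo "fcontext rule already present: $LOG_PATTERN -> var_log_t"
    else
        # -a fails if a rule for this pattern exists with another type; fall back to -m.
        semanage fcontext -a -t var_log_t "$LOG_PATTERN" 2>/dev/null ||
        semanage fcontext -m -t var_log_t "$LOG_PATTERN"
    fi
    restorecon -Rv "$LOG_DIR"
}

# Dry run: list files whose on-disk label differs from what the policy expects.
show_label_drift() {
    restorecon -Rvn "$LOG_DIR"
}

# Guarded so the file can be sourced for its functions without changing policy.
if [ "${OSSEC_WUI_APPLY:-}" = 1 ]; then
    install_ossec_wui_module "$TE_FILE"
    ensure_log_fcontext
fi
```

Run it as `OSSEC_WUI_APPLY=1 sh ossec-wui-selinux.sh` to apply, or source it and call `show_label_drift` after a rotation to see whether the labels were lost again; if they were, the relabel can be hooked into the rotation (for example from a logrotate postrotate script) rather than run by hand.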

@aquerubin
Contributor

aquerubin commented Nov 21, 2018 via email

@ddpbsd ddpbsd closed this as completed Dec 16, 2018
4 participants