[RESOLVED] Report error after running asl -s -f

JnascECSI · **Posted:** Thu Jul 21, 2011 8:05 am

Not a major issue but just a little annoying, after running asl -s -f after updating, when it starts to do the Generating Report thingy i get the following error. Any way to fix this?

Code:

Generating Report: Error: could not find whitelist_1
Error: could not find whitelist_1
Error: could not find whitelist_1
Error: could not find whitelist_1
Complete

scott · **Posted:** Thu Jul 21, 2011 10:21 am

Yeah that could be a legacy tag from 2.2 creeping up, what do you get from:

grep whitelist /var/asl/data/test*db

JnascECSI · **Posted:** Thu Jul 21, 2011 10:35 am

Here's the output.

Code:

[xxxxxx@xxxxx-1 ~]# grep whitelist /var/asl/data/test*db
/var/asl/data/test_.db:high            whitelist       1
/var/asl/data/test_ossec-hids.db:low       ossec-hids     whitelist-low       1
[xxxxxx@xxxxx-1 ~]#

scott · **Posted:** Thu Jul 21, 2011 11:00 am

yeah thats the culprit, delete this file:

/var/asl/data/test_.db

JnascECSI · **Posted:** Thu Jul 21, 2011 11:01 am

Thanks Scott.

JnascECSI · **Posted:** Tue Jul 26, 2011 8:55 am

Oops, Well thought it was ok until this morning. I ssh'd into the server and ran asl -u then asl -s -f installe dthe ossec update ran asl -s -f again and the error is back again. I went into /var/asl/data and the test_.db is there again deleted it and ran asl -s -f and found that it created it self again.

Any ideas why this is happening?

mikeshinn · **Posted:** Tue Jul 26, 2011 12:20 pm

Are you running 3.0.2?

JnascECSI · **Posted:** Tue Jul 26, 2011 12:28 pm

Yes,

And like i mentioned it seems every time i run asl -u then asl -s -f the test_.db file recreates it self in var/asl/data folder. There also a bunch more test_ files created also if that helps.

Code:

[xxxxxx@xxx-1 ~]# asl -v
ASL Version 3.0.2: CentOS 5 (SUPPORTED)
[xxxxxx@xxx-1 ~]#

mikeshinn · **Posted:** Tue Jul 26, 2011 12:45 pm

Yeah, thats a null test. The test_foo.db files are for each test category, and should have names like test_php.db, etc. Something may be unique with your system, would it be possible to log in an take a look? If so, please follow this process to provide us with access:

https://www.atomicorp.com/wiki/index.ph ... _system.3F

JnascECSI · **Posted:** Tue Jul 26, 2011 1:02 pm

Mike,
you guys already have access to the server, so i just opened a support ticket in the portal with the information for you. Thanks for taking a look at it for me as it's driving me nuts.

mikeshinn · **Posted:** Tue Jul 26, 2011 1:11 pm

Our pleasure, and thank you for opening the case in the portal. We dont always remember everyone thats given us access, so we appreciate your reminding us and providing us your IP (and port) for ssh again.

[RESOLVED] Report error after running asl -s -f

Who is online