1) After an update of ossec, it failed to start:

[ebuild U ] net-analyzer/ossec-hids-3.6.0::gentoo [3.2.0-r1::gentoo] USE="server -agent -hybrid -local -mysql -postgres -sqlite -test%" 1877 KiB

tail --lines=100 /var/ossec/logs/ossec.log
2020/07/19 12:13:58 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/07/19 12:13:58 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

2) It looks like a known issue; see upstream details below:
https://github.com/ossec/ossec-hids/issues/1847

bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
ossec-analysisd: Configuration error. Exiting.

bin/ossec-analysisd -t
2020/02/28 18:04:10 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/02/28 18:04:10 ossec-analysisd(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

I cannot reproduce this:

gentoo ~ # /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
gentoo ~ # /var/ossec/bin/ossec-analysisd -t && echo OK
OK

My tests were run on a freshly set up Gentoo server with only stable packages.

Hello Ralph,

I was able to reproduce the issue. It is related to jit support for dev-libs/libpcre2.

The logs during the ossec build (emerge -v net-analyzer/ossec-hids) said that it uses

USE_PCRE2_JIT: yes

in the configuration, but dev-libs/libpcre2 was compiled without jit support, so regex is not working at all:

echo "antotio" | /var/ossec/bin/ossec-regex '^a'
pattern does not compile with OSRegex_Compile

# and after adding jit support to dev-libs/libpcre2, it starts working again
# new version working
echo "antotio" | /var/ossec/bin/ossec-regex '^a'
+OSRegex_Execute: antotio
+OS_Regex : antotio
+OSMatch_Compile: antotio
+OS_Match2 : antotio

Maybe the USE flags pcre2 and pcre2-jit should be added to the ebuild (similar to what net-proxy/haproxy has).

# workaround to fix it:
ufed (+)jit (or package.use >=dev-libs/libpcre2-10.34 jit)

then

emerge -pv --update --newuse --deep --with-bdeps=y @world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] dev-libs/libpcre-8.43:3::gentoo USE="bzip2 cxx jit* readline recursion-limit (split-usr) (unicode) zlib -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild R ] dev-libs/libpcre2-10.34::gentoo USE="bzip2 jit* readline recursion-limit (split-usr) unicode zlib -libedit -pcre16 -pcre32 -static-libs" 0 KiB

# after this the new version starts without an issue
rc-service ossec start
 * /etc/init.d/ossec uses runscript, please convert to openrc-run.
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands, extra_started_commands or extra_stopped_commands.
 * Starting ossec-hids ... [ ok ]

ossec /var/ossec/etc # rc-service ossec status
 * /etc/init.d/ossec uses runscript, please convert to openrc-run.
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands, extra_started_commands or extra_stopped_commands.
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

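A pre-flight check for the mismatch diagnosed in the comment above, added here as an example (not part of the thread and not OSSEC or Gentoo code): it reads a libpcre2 USE line and an ossec.log and reports whether the jit flag is absent and whether analysisd logged regex compile errors. The function names, verdict strings and the Portage USE file location are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example; paths and verdict names below are assumptions, not OSSEC's.
# Assumption: Portage stores an installed package's enabled USE flags as one
# space-separated line in /var/db/pkg/dev-libs/libpcre2-<version>/USE.

# use_has_flag "<USE line>" <flag>: whole-word match, so "-jit" is not "jit".
use_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# count_regex_errors <log>: count analysisd error 1450 lines (regex failed
# to compile), the message quoted from ossec.log in this report.
count_regex_errors() {
    grep -c 'ossec-analysisd(1450): ERROR: Syntax error on regex' "$1" || true
}

# diagnose <USE file> <ossec.log>: print a one-word verdict.
diagnose() {
    flags=$(cat "$1")
    errors=$(count_regex_errors "$2")
    if ! use_has_flag "$flags" jit; then
        if [ "$errors" -gt 0 ]; then echo "jit-missing-failing"
        else echo "jit-missing"; fi
    elif [ "$errors" -gt 0 ]; then echo "regex-errors-other-cause"
    else echo "ok"
    fi
}

# Demo on constructed inputs (USE lines invented; log line format from above).
demo() {
    dir=$(mktemp -d)
    echo "bzip2 readline recursion-limit unicode zlib" > "$dir/use_nojit"
    echo "bzip2 jit readline recursion-limit unicode zlib" > "$dir/use_jit"
    cat > "$dir/bad.log" <<'EOF'
2020/07/19 12:13:58 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/07/19 12:13:58 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
EOF
    : > "$dir/clean.log"
    echo "without jit: $(diagnose "$dir/use_nojit" "$dir/bad.log")"
    echo "with jit:    $(diagnose "$dir/use_jit" "$dir/clean.log")"
    rm -rf "$dir"
}
demo
```

On a live host, `diagnose` would be pointed at the installed libpcre2 USE file and /var/ossec/logs/ossec.log before restarting the service, since a HIDS that fails to start after an upgrade leaves the host unmonitored.
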
(In reply to 5836000 from comment #2)
> dev-libs/libpcre2 was compiled without jit support, so regex is not
> working at all

I checked, and all currently available libpcre2 ebuilds have the jit flag enabled by default (IUSE="+jit"). If somebody turns this off, it is a deliberate choice.

If it's required at runtime by this package, can't you just RDEPEND on dev-libs/libpcre2[jit] for a working solution?
I have not yet verified that it is a runtime-only dependency, and I'd also like to check if this dependency on pcre-jit can be turned off altogether. That likely won't happen during August, though.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f67522bc95ac63b1090bceaf85ef9d08f4c0f54a

commit f67522bc95ac63b1090bceaf85ef9d08f4c0f54a
Author:     Ralph Seichter <github@seichter.de>
AuthorDate: 2020-09-02 10:10:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-14 00:56:01 +0000

    net-analyzer/ossec-hids: Add libpcre2[jit] dependency

    Closes: https://bugs.gentoo.org/733230
    Package-Manager: Portage-3.0.4, Repoman-2.3.23
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Closes: https://github.com/gentoo/gentoo/pull/17372
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)