Bug 733230 - net-analyzer/ossec-hids-3.6.0 - ossec-testrule: ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Ralph Seichter
Keywords: PullRequest
Reported: 2020-07-19 17:08 UTC by 5836000
Modified: 2020-09-14 00:56 UTC
Description 5836000 2020-07-19 17:08:59 UTC
1)
After update for ossec it failed to start

[ebuild U ] net-analyzer/ossec-hids-3.6.0::gentoo [3.2.0-r1::gentoo] USE="server -agent -hybrid -local -mysql -postgres -sqlite -test%" 1877 KiB


tail --lines=100 /var/ossec/logs/ossec.log
2020/07/19 12:13:58 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/07/19 12:13:58 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

2)
It looks like a known issue; see upstream details below:
https://github.com/ossec/ossec-hids/issues/1847

bin/ossec-control start

Starting OSSEC HIDS v3.6.0...
ossec-analysisd: Configuration error. Exiting.

bin/ossec-analysisd -t

2020/02/28 18:04:10 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/02/28 18:04:10 ossec-analysisd(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
Comment 1 Ralph Seichter 2020-08-02 22:08:52 UTC
I cannot reproduce this:

  gentoo ~ # /var/ossec/bin/ossec-control start
  Starting OSSEC HIDS v3.6.0...
  Started ossec-execd...
  Started ossec-analysisd...
  Started ossec-logcollector...
  Started ossec-remoted...
  Started ossec-syscheckd...
  Started ossec-monitord...
  Completed.
  gentoo ~ # /var/ossec/bin/ossec-analysisd -t && echo OK
  OK

My tests were run on a freshly setup Gentoo server with only stable packets.
Comment 2 5836000 2020-08-10 19:56:30 UTC
Hello Ralph
I was able to reproduce the issue.
It is related to jit support for dev-libs/libpcre2.
Logs during the ossec build (emerge -v net-analyzer/ossec-hids) said that it uses
USE_PCRE2_JIT: yes in the configuration,

but dev-libs/libpcre2 was compiled without jit support, so regex is not working at all

echo "antotio" | /var/ossec/bin/ossec-regex '^a'
pattern does not compile with OSRegex_Compile


# and after adding jit support to dev-libs/libpcre2, it starts working again
# new version working
echo "antotio" | /var/ossec/bin/ossec-regex '^a'
+OSRegex_Execute: antotio
+OS_Regex : antotio
+OSMatch_Compile: antotio
+OS_Match2 : antotio

Maybe USE flags pcre2 and pcre2-jit should be added to the ebuild (similar to what net-proxy/haproxy has)

 


# workaround to fix it:

ufed
(+)jit
( or
package.use
>=dev-libs/libpcre2-10.34 jit
)

then
emerge -pv --update --newuse --deep --with-bdeps=y @world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] dev-libs/libpcre-8.43:3::gentoo USE="bzip2 cxx jit* readline recursion-limit (split-usr) (unicode) zlib -libedit -pcre16 -pcre32 -static-libs" 0 KiB
[ebuild R ] dev-libs/libpcre2-10.34::gentoo USE="bzip2 jit* readline recursion-limit (split-usr) unicode zlib -libedit -pcre16 -pcre32 -static-libs" 0 KiB

# after this, the new version starts without an issue
rc-service ossec start
* /etc/init.d/ossec uses runscript, please convert to openrc-run.
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or extra_stopped_commands.
* Starting ossec-hids ... [ ok ]
ossec /var/ossec/etc # rc-service ossec status
* /etc/init.d/ossec uses runscript, please convert to openrc-run.
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or extra_stopped_commands.
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
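
A triage sketch for the failure diagnosed in comment 2, as an added example that is not part of the bug thread: it extracts the patterns analysisd could not compile from ossec.log and checks whether the USE flags recorded for libpcre2 include jit. The function names, the verdict words and the /var/db/pkg/.../USE location are assumptions; the sample log and USE lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example; function names and verdict words are hypothetical.
# Assumption: Portage records a package's enabled USE flags in
# /var/db/pkg/<category>/<package-version>/USE (pass that file as USEFILE).

# use_enabled FLAG USEFILE: 0 if FLAG is listed, 1 if not, 2 if unreadable.
use_enabled() {
    [ -r "$2" ] || return 2
    for flag in $(cat "$2"); do
        [ "$flag" = "$1" ] && return 0
    done
    return 1
}

# regex_errors LOG: print each pattern analysisd reported as uncompilable.
regex_errors() {
    sed -n "s/.*ERROR: Syntax error on regex: '\(.*\)': [0-9]*\.\$/\1/p" "$1" | sort -u
}

# diagnose LOG USEFILE: print one verdict word.
#   ok             no regex compile errors in the log
#   engine-no-jit  errors present and libpcre2 lacks jit (the case in this bug)
#   other-cause    errors present although jit is enabled
#   unknown        errors present but the USE file could not be read
diagnose() {
    [ -n "$(regex_errors "$1")" ] || { echo ok; return 0; }
    rc=0
    use_enabled jit "$2" || rc=$?
    case $rc in
        0) echo other-cause ;;
        1) echo engine-no-jit ;;
        *) echo unknown ;;
    esac
}

# Demo on constructed sample data modelled on the lines quoted in the report.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ossec.log" <<'EOF'
2020/07/19 12:13:58 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2020/07/19 12:13:58 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
EOF
    echo "bzip2 readline recursion-limit unicode zlib" > "$tmp/USE.nojit"
    echo "bzip2 jit readline recursion-limit unicode zlib" > "$tmp/USE.jit"
    diagnose "$tmp/ossec.log" "$tmp/USE.nojit"
    diagnose "$tmp/ossec.log" "$tmp/USE.jit"
    rm -rf "$tmp"
}
demo
```

A HIDS that exits on a configuration error after an upgrade leaves the host unmonitored, so a check like this is worth running before restarting the service.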
Comment 3 Ralph Seichter 2020-08-14 13:59:46 UTC
(In reply to 5836000 from comment #2)

> dev-libs/libpcre2 was compiled without jit support , so regex is not
> working at all
I checked, and all currently available libpcre2 ebuilds have the jit flag enabled by default (IUSE="+jit"). If somebody turns this off, it is a deliberate choice.
Comment 4 Joonas Niilola gentoo-dev 2020-08-14 15:16:41 UTC
If it's required runtime by this package, can't you just RDEPEND on dev-libs/libpcre2[jit] for a working solution?
Comment 5 Ralph Seichter 2020-08-14 15:41:15 UTC
I have not yet verified that it is a runtime-only dependency, and I'd also like to check if this dependency on pcre-jit can be turned off altogether. That likely won't happen during August, though.
Comment 6 Larry the Git Cow gentoo-dev 2020-09-14 00:56:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f67522bc95ac63b1090bceaf85ef9d08f4c0f54a

commit f67522bc95ac63b1090bceaf85ef9d08f4c0f54a
Author:     Ralph Seichter <github@seichter.de>
AuthorDate: 2020-09-02 10:10:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-14 00:56:01 +0000

    net-analyzer/ossec-hids: Add libpcre2[jit] dependency
    
    Closes: https://bugs.gentoo.org/733230
    Package-Manager: Portage-3.0.4, Repoman-2.3.23
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Closes: https://github.com/gentoo/gentoo/pull/17372
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/ossec-hids/ossec-hids-3.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)