ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Fails to start on macOS: Syntax error on regex: '\(pam_unix\)$': 9 #2040

Open m4rkw opened 2 years ago

m4rkw commented 2 years ago

I've compiled ossec-hids-3.7.0 on macOS using pcre2 from Macports and also from: https://sourceforge.net/projects/pcre/

but I get this on startup:

2022/02/19 21:07:09 ossec-analysisd(1450): ERROR: Syntax error on regex: '\(pam_unix\)$': 9.
2022/02/19 21:07:09 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

I suspect my version of pcre2 is wrong; what version does it require?

m4rkw commented 2 years ago

This: https://ossec-docs.readthedocs.io/en/latest/docs/manual/installation/installation-requirements.html

says pcre2-10.32. Tried that, same issue.

m4rkw commented 2 years ago

Tried this:

PCRE2_SYSTEM=no ./install.sh

but that doesn't work either; it's expecting files that don't exist:

  CC       src/libpcre2_8_la-pcre2_study.lo
  CC       src/libpcre2_8_la-pcre2_substitute.lo
  CC       src/libpcre2_8_la-pcre2_substring.lo
  CC       src/libpcre2_8_la-pcre2_tables.lo
  CC       src/libpcre2_8_la-pcre2_ucd.lo
  CC       src/libpcre2_8_la-pcre2_valid_utf.lo
  CC       src/libpcre2_8_la-pcre2_xclass.lo
  CC       src/libpcre2_8_la-pcre2_chartables.lo
  CCLD     libpcre2-8.la
  CC       src/libpcre2_posix_la-pcre2posix.lo
  CCLD     libpcre2-posix.la
 ./install-sh -c -d '/Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib'
 /bin/sh ./libtool   --mode=install /usr/bin/install -c   libpcre2-8.la libpcre2-posix.la '/Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib'
libtool: install: /usr/bin/install -c .libs/libpcre2-8.lai /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-8.la
libtool: install: /usr/bin/install -c .libs/libpcre2-posix.lai /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-posix.la
libtool: install: /usr/bin/install -c .libs/libpcre2-8.a /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-8.a
libtool: install: chmod 644 /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-8.a
libtool: install: ranlib /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-8.a
libtool: install: /usr/bin/install -c .libs/libpcre2-posix.a /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-posix.a
libtool: install: chmod 644 /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-posix.a
libtool: install: ranlib /Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/lib/libpcre2-posix.a
 ./install-sh -c -d '/Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/include'
 /usr/bin/install -c -m 644 src/pcre2.h '/Users/mark/Downloads/ossec-hids-3.7.0/src/external/pcre2-10.32//install/include'
cp external/pcre2-10.32//install/lib/libpcre2-8.a libpcre2-8.a
ranlib libpcre2-8.a
(mkdir -p libpcre2_objs && cd libpcre2_objs && ar -x ../libpcre2-8.a)
ar -crs os_regex.a os_regex/os_converter.o os_regex/os_match.o os_regex/os_match_compile.o os_regex/os_match_execute.o os_regex/os_match_free_pattern.o os_regex/os_pcre2.o os_regex/os_pcre2_compile.o os_regex/os_pcre2_execute.o os_regex/os_pcre2_free_pattern.o os_regex/os_pcre2_free_substrings.o os_regex/os_regex.o os_regex/os_regex_compile.o os_regex/os_regex_execute.o os_regex/os_regex_free_pattern.o os_regex/os_regex_free_substrings.o os_regex/os_regex_maps.o os_regex/os_regex_match.o os_regex/os_regex_startswith.o os_regex/os_regex_str.o os_regex/os_regex_strbreak.o libpcre2_objs/__.SYMDEF libpcre2_objs/SORTED libpcre2_objs/libpcre2_8_la-pcre2_auto_possess.o libpcre2_objs/libpcre2_8_la-pcre2_compile.o libpcre2_objs/libpcre2_8_la-pcre2_config.o libpcre2_objs/libpcre2_8_la-pcre2_context.o libpcre2_objs/libpcre2_8_la-pcre2_convert.o libpcre2_objs/libpcre2_8_la-pcre2_dfa_match.o libpcre2_objs/libpcre2_8_la-pcre2_error.o libpcre2_objs/libpcre2_8_la-pcre2_extuni.o libpcre2_objs/libpcre2_8_la-pcre2_find_bracket.o libpcre2_objs/libpcre2_8_la-pcre2_jit_compile.o libpcre2_objs/libpcre2_8_la-pcre2_maketables.o libpcre2_objs/libpcre2_8_la-pcre2_match.o libpcre2_objs/libpcre2_8_la-pcre2_match_data.o libpcre2_objs/libpcre2_8_la-pcre2_newline.o libpcre2_objs/libpcre2_8_la-pcre2_ord2utf.o libpcre2_objs/libpcre2_8_la-pcre2_pattern_info.o libpcre2_objs/libpcre2_8_la-pcre2_serialize.o libpcre2_objs/libpcre2_8_la-pcre2_string_utils.o libpcre2_objs/libpcre2_8_la-pcre2_study.o libpcre2_objs/libpcre2_8_la-pcre2_substitute.o libpcre2_objs/libpcre2_8_la-pcre2_substring.o libpcre2_objs/libpcre2_8_la-pcre2_tables.o libpcre2_objs/libpcre2_8_la-pcre2_ucd.o libpcre2_objs/libpcre2_8_la-pcre2_valid_utf.o libpcre2_objs/libpcre2_8_la-pcre2_xclass.o libpcre2_objs/libpcre2_8_la-pcre2_chartables.o
ar: libpcre2_objs/__.SYMDEF: No such file or directory
ar: libpcre2_objs/SORTED: No such file or directory
make: *** [os_regex.a] Error 1

 Error 0x5.
 Building error. Unable to finish the installation.

m4rkw commented 2 years ago

I think I figured that out; I needed to compile pcre2 with --enable-jit. After doing that I now have a new error:

# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.7.0...
/var/ossec/bin/ossec-control: line 193: 85349 Done                    echo
     85350 Bus error: 10           | ${DIR}/bin/ossec-logtest > /dev/null 2>&1

ossec-logtest and ossec-analysisd both emit Bus error 10 on startup, nothing gets logged.

m4rkw commented 2 years ago

Figured it out; I needed to set:

PCRE2_SYSTEM?=no
USE_PCRE2_JIT=no
USE_SYSTEMD?=no

and untar pcre2-10.33 into external/. Then also needed to do:

# make TARGET=server
# touch libpcre2_objs/__.SYMDEF libpcre2_objs/SORTED
# make clean
# make TARGET=server

Not sure why this was all necessary, but it seems to be starting and running now.
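The two failures in this thread both hinge on which PCRE2 build ossec-analysisd links against (a decoder regex that will not compile, then a Bus error once the JIT was enabled). The script below is an added diagnostic, not part of OSSEC or of the reporter's steps: it reads `pcre2test -C` output (a real system's if `pcre2test` is installed, otherwise a constructed sample) and reports the library version and whether JIT support is compiled in, so you know whether `USE_PCRE2_JIT=no` is the setting to reach for. The function names `parse_pcre2_caps` and `advise` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OSSEC code): summarise the PCRE2 build that OSSEC will
# use. parse_pcre2_caps reads `pcre2test -C` output on stdin and prints one
# line of the form "version=<ver> jit=<yes|no|unknown>".
parse_pcre2_caps() {
    caps=$(cat)
    ver=$(printf '%s\n' "$caps" | sed -n 's/^PCRE2 version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$caps" in
        *"Just-in-time compiler support: unavailable"*) jit=no ;;
        *"Just-in-time compiler support: available"*)   jit=yes ;;
        *)                                                jit=unknown ;;
    esac
    printf 'version=%s jit=%s\n' "${ver:-unknown}" "$jit"
}

# advise maps the summary line to the build setting that applied in this thread.
advise() {
    case "$1" in
        *jit=yes*) echo "JIT available: if ossec-logtest dies with 'Bus error: 10', rebuild with USE_PCRE2_JIT=no" ;;
        *jit=no*)  echo "JIT unavailable: USE_PCRE2_JIT=no is effectively already in force" ;;
        *)         echo "could not determine JIT support; run 'pcre2test -C' by hand" ;;
    esac
}

# Constructed sample of `pcre2test -C` output, used only when pcre2test is
# not on PATH, so the script is demonstrable offline.
SAMPLE_CAPS='PCRE2 version 10.33 2019-04-16
Unicode support
Just-in-time compiler support: available
Compiled with
  8-bit support
  Newline sequence is LF'

if command -v pcre2test >/dev/null 2>&1; then
    caps=$(pcre2test -C)
else
    caps=$SAMPLE_CAPS
fi
summary=$(printf '%s\n' "$caps" | parse_pcre2_caps)
echo "$summary"
advise "$summary"
```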