On Sep 24, 2015 8:54 AM, "Valentin Yefimov" <tbapb...@gmail.com> wrote:
>
> Greetings friends!
>
> I use ossec version 0.8-beta. In log: /var/ossec/logs/ossec.log I see strange things... timestamps:
>
> 2015/09/24 05:25:55 ossec-analysisd: INFO: 3 IPs in the white list for active response.
> 2015/09/24 05:25:55 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> 2015/09/24 05:25:55 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> 2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).
> 2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).
> 2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> 2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2015/09/24 05:25:58 ossec-analysisd: No sid search!! XXX
> 2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 05:26:09 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2015/09/24 15:26:20 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2015/09/24 15:26:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 15:26:24 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/09/24 15:27:09 ossec-testrule: INFO: Reading local decoder file.
> 2015/09/24 15:27:10 ossec-testrule: INFO: Started (pid: 2584).
> 2015/09/24 15:27:11 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
> 2015/09/24 15:27:11 ossec-execd: INFO: Started (pid: 2627).
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>
> Service ossec-analysisd lives in the past tense! ;) And agents are not active...
> The right time on the server: 2015/09/24 15:27 and not 05:25! I set up the NTP client to synchronize time... long before that.
> Who can tell me what's wrong?
>
My first guess is that the wrong timezone is set. Copy the tzfile of your timezone to /var/ossec/etc/localtime

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
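An added check, not from the thread, that applies the reply's diagnosis to the quoted log: ossec.log is appended in real time, so consecutive entries are normally seconds apart, and a jump of a whole number of hours between two daemons means they format timestamps with different timezone data rather than that time passed. It assumes (as the reply implies) that the daemons running chrooted under /var/ossec, here ossec-analysisd and ossec-monitord, read /var/ossec/etc/localtime while the others read /etc/localtime; the sample lines are a constructed subset of the ones quoted above.

```python
import re
from datetime import datetime

# ossec.log line shape: "YYYY/MM/DD HH:MM:SS ossec-<daemon>(<code>): <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[a-z]+)(?:\(\d+\))?: ")

# Constructed sample: a subset of the lines quoted in the thread, kept in file order.
SAMPLE_LOG = """\
2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).
2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).
2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/09/24 15:27:11 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.
""".splitlines()

def parse_entries(lines):
    """Return [(timestamp, daemon)] for each well-formed line, in file order."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)))
    return entries

def clock_offsets(lines, tolerance_min=5):
    """Whole-hour offset of each daemon's clock relative to the first daemon that logs.
    Chrooted daemons read /var/ossec/etc/localtime, the rest /etc/localtime (assumption)."""
    entries = parse_entries(lines)
    offsets = {entries[0][1]: 0} if entries else {}
    for (t_prev, d_prev), (t_cur, d_cur) in zip(entries, entries[1:]):
        delta_min = (t_cur - t_prev).total_seconds() / 60
        hours = round(delta_min / 60)
        if abs(delta_min - hours * 60) > tolerance_min:
            continue  # a real gap (idle period, restart), not timezone evidence
        if d_prev in offsets and d_cur not in offsets:
            offsets[d_cur] = offsets[d_prev] + hours
    return offsets

def skewed_daemons(lines):
    """Daemons whose clock disagrees with the majority, mapped to their offset in hours."""
    offsets = clock_offsets(lines)
    if not offsets:
        return {}
    majority = max(set(offsets.values()), key=list(offsets.values()).count)
    return {d: off - majority for d, off in offsets.items() if off != majority}
```

On the sample, `skewed_daemons(SAMPLE_LOG)` reports ossec-analysisd and ossec-monitord at -10 hours, which is exactly the pair of daemons whose timezone file under /var/ossec/etc the reply suggests replacing.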