On Mon, Nov 23, 2015 at 4:29 PM, Greg Nowicki <gnowi...@gmail.com> wrote: > Hello, > > Hoping someone can help me. > > New server install on RHEL 6 using source file ossec-hids-2.8.3.tar.gz, it > appears the very important daemon, ossec-analysisd, does not fully start, > thus preventing other processes from running. The log pasted below shows no > smoking gun. Debug has been turned on for all processes (and performing a > '/var/ossec/bin/ossec-control enable debug' command). I've cut out my local > rules and pared down the config file to a bare minimum with no resolution. > What am I missing here? >
Check the permissions and ownership of the directories: [ddp@arrakis] :; ls -ld queue dr-xr-x--- 11 root ossec 512 Nov 6 13:02 queue [ddp@arrakis] :; ls -ld queue/ossec drwxr-x--- 2 ossec ossec 512 Nov 27 08:14 queue/ossec [ddp@arrakis] :; ls -ld queue/ossec/queue srw-rw---- 1 ossec ossec 0 Nov 27 08:14 queue/ossec/queue Make sure selinux or similar things aren't blocking OSSEC. > Thanks, > > Greg > > uname -a: > Linux ossec.example.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 > EDT 2015 x86_64 x86_64 x86_64 GNU/Linux > > /var/ossec/logs/ossec.log: > 2015/11/23 15:53:49 ossec-testrule: INFO: Reading local decoder file. > 2015/11/23 15:53:50 ossec-testrule: INFO: Started (pid: 10488). > 2015/11/23 15:53:50 ossec-maild: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-execd(1350): INFO: Active response disabled. > Exiting. > 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Found user/group ... > 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Active response initialized ... > 2015/11/23 15:53:50 adding rule: rules_config.xml > 2015/11/23 15:53:50 adding rule: pam_rules.xml > 2015/11/23 15:53:50 adding rule: sshd_rules.xml > 2015/11/23 15:53:50 adding rule: telnetd_rules.xml > 2015/11/23 15:53:50 adding rule: syslog_rules.xml > 2015/11/23 15:53:50 adding rule: arpwatch_rules.xml > 2015/11/23 15:53:50 adding rule: symantec-av_rules.xml > 2015/11/23 15:53:50 adding rule: symantec-ws_rules.xml > 2015/11/23 15:53:50 adding rule: pix_rules.xml > 2015/11/23 15:53:50 adding rule: named_rules.xml > 2015/11/23 15:53:50 adding rule: smbd_rules.xml > 2015/11/23 15:53:50 adding rule: vsftpd_rules.xml > 2015/11/23 15:53:50 adding rule: pure-ftpd_rules.xml > 2015/11/23 15:53:50 adding rule: proftpd_rules.xml > 2015/11/23 15:53:50 adding rule: ms_ftpd_rules.xml > 2015/11/23 15:53:50 adding rule: ftpd_rules.xml > 2015/11/23 15:53:50 adding rule: hordeimp_rules.xml > 2015/11/23 15:53:50 adding rule: roundcube_rules.xml > 2015/11/23 15:53:50 adding rule: wordpress_rules.xml > 2015/11/23 15:53:50 adding rule: cimserver_rules.xml > 2015/11/23 15:53:50 adding rule: vpopmail_rules.xml > 2015/11/23 15:53:50 adding rule: vmpop3d_rules.xml > 2015/11/23 15:53:50 adding rule: courier_rules.xml > 2015/11/23 15:53:50 adding rule: web_rules.xml > 2015/11/23 15:53:50 adding rule: web_appsec_rules.xml > 2015/11/23 15:53:50 adding rule: apache_rules.xml > 2015/11/23 15:53:50 adding rule: nginx_rules.xml > 2015/11/23 15:53:50 adding rule: php_rules.xml > 2015/11/23 15:53:50 adding rule: mysql_rules.xml > 2015/11/23 15:53:50 adding rule: postgresql_rules.xml > 2015/11/23 15:53:50 adding rule: ids_rules.xml > 2015/11/23 15:53:50 adding rule: squid_rules.xml > 2015/11/23 15:53:50 adding rule: firewall_rules.xml > 2015/11/23 15:53:50 adding rule: cisco-ios_rules.xml > 2015/11/23 15:53:50 adding rule: netscreenfw_rules.xml > 2015/11/23 15:53:50 adding rule: sonicwall_rules.xml > 2015/11/23 15:53:50 adding rule: postfix_rules.xml > 2015/11/23 15:53:50 adding rule: sendmail_rules.xml > 2015/11/23 15:53:50 adding rule: imapd_rules.xml > 2015/11/23 15:53:50 adding rule: mailscanner_rules.xml > 2015/11/23 15:53:50 adding rule: dovecot_rules.xml > 2015/11/23 15:53:50 adding rule: ms-exchange_rules.xml > 2015/11/23 15:53:50 adding rule: racoon_rules.xml > 2015/11/23 15:53:50 adding rule: vpn_concentrator_rules.xml > 2015/11/23 15:53:50 adding rule: spamd_rules.xml > 2015/11/23 15:53:50 adding rule: msauth_rules.xml > 2015/11/23 15:53:50 adding rule: mcafee_av_rules.xml > 2015/11/23 15:53:50 adding rule: trend-osce_rules.xml > 2015/11/23 15:53:50 adding rule: ms-se_rules.xml > 2015/11/23 15:53:50 adding rule: zeus_rules.xml > 2015/11/23 15:53:50 adding rule: solaris_bsm_rules.xml > 2015/11/23 15:53:50 adding rule: vmware_rules.xml > 2015/11/23 15:53:50 adding rule: ms_dhcp_rules.xml > 2015/11/23 15:53:50 adding rule: asterisk_rules.xml > 2015/11/23 15:53:50 adding rule: ossec_rules.xml > 2015/11/23 15:53:50 adding rule: attack_rules.xml > 2015/11/23 15:53:50 adding rule: openbsd_rules.xml > 2015/11/23 15:53:50 adding rule: clam_av_rules.xml > 2015/11/23 15:53:50 adding rule: dropbear_rules.xml > 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Read configuration ... > 2015/11/23 15:53:50 ossec-logcollector: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-logcollector: DEBUG: Waiting main daemons to > settle. > 2015/11/23 15:53:50 ossec-remoted: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-syscheckd: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-rootcheck: DEBUG: Starting ... > 2015/11/23 15:53:50 ossec-rootcheck: Starting queue ... > 2015/11/23 15:53:53 ossec-syscheckd(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:53:53 ossec-rootcheck(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:53:59 ossec-logcollector(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:53:59 ossec-logcollector(1211): ERROR: Unable to access queue: > '/var/ossec/queue/ossec/queue'. Giving up.. > 2015/11/23 15:54:01 ossec-syscheckd(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:54:01 ossec-rootcheck(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:54:14 ossec-syscheckd(1210): ERROR: Queue > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2015/11/23 15:54:14 ossec-rootcheck(1211): ERROR: Unable to access queue: > '/var/ossec/queue/ossec/queue'. Giving up.. > > /etc/ossec-init.conf: > DIRECTORY="/var/ossec" > VERSION="v2.8.3" > DATE="Mon Nov 16 11:51:12 EST 2015" > TYPE="server" > > /var/ossec/etc/ossec.conf (sanitized): > <ossec_config> > <global> > <email_notification>yes</email_notification> > <email_to>sec...@example.com</email_to> > <smtp_server>smtpmail.example.com</smtp_server> > <email_from>oss...@ossec.example.com</email_from> > <!-- Be sure to set the email_maxperhour to something pretty high, > since > -- we've disabled the grouping of alerts into single messages. --> > <email_maxperhour>500</email_maxperhour> > <memory_size>2048</memory_size> > </global> > > > <syscheck> > <!-- Frequency that syscheck is executed - default to every 22 hours --> > <frequency>79200</frequency> > > <!-- Directories to check (perform all possible verifications) --> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> > <directories check_all="yes">/bin,/sbin</directories> > > <!-- Files/directories to ignore --> > <ignore>/etc/mtab</ignore> > <ignore>/etc/mnttab</ignore> > <ignore>/etc/hosts.deny</ignore> > <ignore>/etc/mail/statistics</ignore> > <ignore>/etc/random-seed</ignore> > <ignore>/etc/adjtime</ignore> > <ignore>/etc/httpd/logs</ignore> > <ignore>/etc/utmpx</ignore> > <ignore>/etc/wtmpx</ignore> > <ignore>/etc/cups/certs</ignore> > <ignore>/etc/dumpdates</ignore> > <ignore>/etc/svc/volatile</ignore> > <!-- Windows files to ignore --> > <ignore>C:\WINDOWS/System32/LogFiles</ignore> > <ignore>C:\WINDOWS/Debug</ignore> > <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> > <ignore>C:\WINDOWS/iis6.log</ignore> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> > <ignore>C:\WINDOWS/Prefetch</ignore> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore> > <ignore>C:\WINDOWS/Temp</ignore> > <ignore>C:\WINDOWS/system32/config</ignore> > <ignore>C:\WINDOWS/system32/spool</ignore> > <ignore>C:\WINDOWS/system32/CatRoot</ignore> > </syscheck> > > <rootcheck> > <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> > > <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> > </rootcheck> > > <active-response> > <disabled>yes</disabled> > </active-response> > > <remote> > <connection>syslog</connection> > </remote> > > <remote> > <connection>secure</connection> > </remote> > > <alerts> > <log_alert_level>1</log_alert_level> > <email_alert_level>7</email_alert_level> > </alerts> > <!-- Files to monitor (localfiles) --> > > <!-- Send "savemail" messages (UNix or Windows) to administrators > --> > <email_alerts> > <email_to>monal...@example.com</email_to> > <group>system_error</group> > </email_alerts> > > <!-- Send "low diskspace" messages (UNix or Windows) to administrators > --> > <email_alerts> > <email_to>monal...@example.com</email_to> > <group>low_diskspace</group> > </email_alerts> > --> > > <!-- Send "file system full" messages (UNix or Windows) to administrators > --> > <email_alerts> > <email_to>monal...@example.com</email_to> > <group>service_availability</group> > </email_alerts> > --> > > <localfile> > <log_format>syslog</log_format> > <location>/log/combined.log</location> > </localfile> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/secure</location> > </localfile> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/maillog</location> > </localfile> > > <rules> > <include>rules_config.xml</include> > <include>pam_rules.xml</include> > <include>sshd_rules.xml</include> > <include>telnetd_rules.xml</include> > <include>syslog_rules.xml</include> > <include>arpwatch_rules.xml</include> > <include>symantec-av_rules.xml</include> > <include>symantec-ws_rules.xml</include> > <include>pix_rules.xml</include> > <include>named_rules.xml</include> > <include>smbd_rules.xml</include> > <include>vsftpd_rules.xml</include> > <include>pure-ftpd_rules.xml</include> > <include>proftpd_rules.xml</include> > <include>ms_ftpd_rules.xml</include> > <include>ftpd_rules.xml</include> > <include>hordeimp_rules.xml</include> > <include>roundcube_rules.xml</include> > <include>wordpress_rules.xml</include> > <include>cimserver_rules.xml</include> > <include>vpopmail_rules.xml</include> > <include>vmpop3d_rules.xml</include> > <include>courier_rules.xml</include> > <include>web_rules.xml</include> > <include>web_appsec_rules.xml</include> > <include>apache_rules.xml</include> > <include>nginx_rules.xml</include> > <include>php_rules.xml</include> > <include>mysql_rules.xml</include> > <include>postgresql_rules.xml</include> > <include>ids_rules.xml</include> > <include>squid_rules.xml</include> > <include>firewall_rules.xml</include> > <include>cisco-ios_rules.xml</include> > <include>netscreenfw_rules.xml</include> > <include>sonicwall_rules.xml</include> > <include>postfix_rules.xml</include> > <include>sendmail_rules.xml</include> > <include>imapd_rules.xml</include> > <include>mailscanner_rules.xml</include> > <include>dovecot_rules.xml</include> > <include>ms-exchange_rules.xml</include> > <include>racoon_rules.xml</include> > <include>vpn_concentrator_rules.xml</include> > <include>spamd_rules.xml</include> > <include>msauth_rules.xml</include> > <include>mcafee_av_rules.xml</include> > <include>trend-osce_rules.xml</include> > <include>ms-se_rules.xml</include> > <!-- <include>policy_rules.xml</include> --> > <include>zeus_rules.xml</include> > <include>solaris_bsm_rules.xml</include> > <include>vmware_rules.xml</include> > <include>ms_dhcp_rules.xml</include> > <include>asterisk_rules.xml</include> > <include>ossec_rules.xml</include> > <include>attack_rules.xml</include> > <include>openbsd_rules.xml</include> > <include>clam_av_rules.xml</include> > <include>dropbear_rules.xml</include> > </rules> > </ossec_config> <!-- rules global entry --> > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
