Hi guys,

The remote service was not starting; now it's up and running, and I have to say that this was pure pain!!

*/var/ossec/bin/ossec-remoted -df*
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc#
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
*2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.*

netstat -antuwp | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted

Thank you very much!
Regards

On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it
> too but I ran out of ideas.
>
> The log:
>
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue:
> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> I also read that the local_rules may have issues; tested with -t and no errors
> displayed, also with xmllint:
>
> xmllint local_rules.xml
> <?xml version="1.0"?>
> --SNIP-
> </group>
> <!-- SYSLOG,LOCAL -->
> <!-- EOF -->
>
> There is also a file under /var/ossec/etc/decoder.xml that seems not good,
> is that correct?
>
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> <decoder name="pam">
> ^
>
> And found this:
>
> xmllint ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> <!-- Frequency that syscheck is executed
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>
> Line 74, what's missing here?
>
> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <frequency>72000</frequency>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards