Dave,

Thanks for your suggestions.

If I start remoted manually it doesn't complain that the port is already in use. I am also starting it in debug mode and it starts cleanly AND works when I start it manually. I *do* have remoted configured to accept both tcp and udp logs on port 514, but I've used this just fine in the past; the chrooting must account for the use of privileged ports.

If you can think of anything else please shout!

Thanks,
Chris

On Friday, December 9, 2016 at 10:15:41 AM UTC-5, Dave Stoddard wrote:
>
> If remoted is failing, it is likely you have another program running on
> that port that remoted is trying to bind to. For example, syslog is a
> common application on UNIX/BSD/Linux systems, and uses port 514. If you
> also attempt to use port 514 for remoted, you will get a conflict and
> remoted will exit. OSSEC uses 1514 for its default event data, so if you
> want to collect syslog data for analysis, port 1515 would be a good logical
> choice.
>
> Another issue exists with remoted when you attempt to bind to port numbers
> less than 1024 -- anything less than 1024 is privileged (root only).
> Because OSSEC runs as user ossec, you cannot bind to ports lower than 1024
> on most *NIX systems unless the attachment occurs prior to the change to
> user ossec. This privileged port restriction is by design (for example, it
> prevents a non-root user from running a rogue SSH server to collect userids
> and passwords on port 22, or a user from running their own email server on
> port 25). Unless you write a lot of UNIX socket code or you have extensive
> UNIX admin experience, most people are unaware of the privileged port
> restriction issue. It would probably be useful to note this information in
> the documentation to alleviate confusion. Best,
>
> Dave Stoddard
> Network Alarm Corporation
> https://networkalarmcorp.com
> 301-850-0668 x101
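The two failure modes discussed in this thread (a port that is already taken, and a port below 1024 bound without root) surface as different `errno` values from `bind()`. The following is an added example, not part of the thread and not OSSEC code, that tells them apart for TCP and UDP; the name `probe_bind` and the IPv4 wildcard bind address are assumptions made for illustration.

```c
/* Added example (not OSSEC source): classify why bind() on a port fails. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum bind_result { BIND_OK, BIND_IN_USE, BIND_NEEDS_PRIVILEGE, BIND_OTHER };

/* Try to bind 0.0.0.0:port with the given socket type (SOCK_STREAM or
 * SOCK_DGRAM), release it at once, and report which failure mode applies. */
enum bind_result probe_bind(int port, int socktype)
{
    struct sockaddr_in addr;
    enum bind_result res = BIND_OK;
    int fd = socket(AF_INET, socktype, 0);

    if (fd < 0)
        return BIND_OTHER;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);   /* assumed wildcard bind */
    addr.sin_port = htons((unsigned short)port);

    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        if (errno == EADDRINUSE)
            res = BIND_IN_USE;          /* another listener, e.g. syslog */
        else if (errno == EACCES)
            res = BIND_NEEDS_PRIVILEGE; /* port < 1024 without root */
        else
            res = BIND_OTHER;
    }
    close(fd);
    return res;
}

int main(void)
{
    static const char *msg[] = { "free", "already in use",
        "privileged port, need root at bind time", "other error" };
    int ports[] = { 514, 1514 };   /* the ports named in the thread */
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
        printf("tcp/%d: %s\n", ports[i], msg[probe_bind(ports[i], SOCK_STREAM)]);
        printf("udp/%d: %s\n", ports[i], msg[probe_bind(ports[i], SOCK_DGRAM)]);
    }
    return 0;
}
```

Running it once as root and once as the unprivileged service account shows whether a failure comes from a competing listener or from the privileged-port rule.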