This is the problem: ossec.log is empty ... The only error is this:

OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

.. and it doesn't make sense because it is an agent ...

Regards,
C. L. Martinez

On 01/06/2019 19:25, Gordon Ewasiuk wrote:
> I think we need more info!
>
> Do any errors appear in ossec.log?
>
> My ossec.log is in /usr/local/ossec-hids/logs
>
> When I've had configuration errors pop up, ossec writes some pretty
> detailed stuff. For example:
>
> 2019/05/05 18:42:53 ossec-monitord(1230): ERROR: Invalid element in the configuration: 'smtp_server'.
> 2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> 2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
>
> 2019/05/06 00:55:50 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Element 'rule_id="100400"' not closed. (line 392).
> 2019/05/06 00:55:50 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
>
> 2019/05/16 14:17:32 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Attribute 'disabled' has no value. (line 275).
> 2019/05/16 14:17:32 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
>
> and so on...
>
> check the log...or post it to the list. Let's dig into it!
>
> On Saturday, June 1, 2019 at 12:06:52 PM UTC-4, Carlos Lopez wrote:
>> Sorry for this late response. Problem continues. When I try to start
>> the agent using the ossec-control command, the same error is returned:
>>
>> Starting OSSEC HIDS v3.3.0...
>> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>>
>> On the other side, removing the entries about port and protocol in the
>> agent's ossec.conf file, like Gordon said, doesn't work either.
>>
>> More ideas?
>>
>> Regards,
>> C. L. Martinez
>>
>> On 29/05/2019 13:14, dan (ddp) wrote:
>>> On Sat, May 25, 2019 at 1:53 PM Carlos Lopez <clo...@outlook.com> wrote:
>>>>
>>>> On 25/05/2019 18:52, Carlos Lopez wrote:
>>>>> Hi all,
>>>>>
>>>>> I have installed Ossec 3.3.0 from source in a FreeBSD 12 host to work
>>>>> as an agent, but when I try to start the ossec daemons via the
>>>>> ossec-control script, it returns this error:
>>>>>
>>>>> Starting OSSEC HIDS v3.3.0...
>>>>> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>>>>>
>>>
>>> This error should only happen on Server and Local installations.
>>>
>>>>> My ossec.conf in this agent is pretty simple:
>>>>>
>>>>> <ossec_config>
>>>>>   <client>
>>>>>     <server>
>>>>>       <address>172.22.59.11</address>
>>>>>       <port>2312</port>
>>>>>       <protocol>udp</protocol>
>>>>>     </server>
>>>>>   </client>
>>>>> </ossec_config>
>>>>>
>>>>> Any tips?
>>>>>
>>>>
>>>> My install options were:
>>>>
>>>> cd ossec-hids-*/src
>>>> gmake TARGET=agent PCRE2_SYSTEM=yes ZLIB_SYSTEM=yes USE_INOTIFY=yes
>>>> gmake install-agent

-- 
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/VI1PR10MB2253B9F5DE31FA7F2E53F896DB1B0%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.
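
The log records Gordon quotes in the thread name the failing element and, for XML errors, the line in ossec.conf. As an added example (not code from the thread or from the OSSEC project), this shell function condenses such records into one line per distinct error; the names `ossec_errors` and `sample_log` and the output layout are assumptions of the example, and the sample input is the thread's quoted log lines with the mail wrapping undone.

```shell
#!/bin/sh
# Added example, not from the thread. Reads ossec.log text on stdin and
# prints one line per distinct ERROR record:
#   count|daemon|number|config-line|message
# "number" is the value in parentheses after the daemon name; "config-line"
# comes from a trailing "(line N)" when the XML reader reports one.
ossec_errors() {
    awk '
    $4 == "ERROR:" && $3 ~ /\([0-9]+\):$/ {
        d = $3;   sub(/\(.*$/, "", d)
        num = $3; sub(/^[^(]*\(/, "", num); sub(/\).*$/, "", num)
        msg = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ ERROR: /, "", msg)
        ln = "-"
        if (match(msg, /\(line [0-9]+\)/))
            ln = substr(msg, RSTART + 6, RLENGTH - 7)
        seen[d "|" num "|" ln "|" msg]++
    }
    END { for (k in seen) print seen[k] "|" k }
    ' | sort -t "|" -k2,2 -k3,3n
}

# Sample input: the log lines quoted in the thread, unwrapped.
sample_log() {
    cat <<'EOF'
2019/05/05 18:42:53 ossec-monitord(1230): ERROR: Invalid element in the configuration: 'smtp_server'.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/06 00:55:50 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Element 'rule_id="100400"' not closed. (line 392).
2019/05/06 00:55:50 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/16 14:17:32 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Attribute 'disabled' has no value. (line 275).
2019/05/16 14:17:32 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
EOF
}

# Stand-alone run on the sample; on a host, feed the real file instead, e.g.
#   ossec_errors < /usr/local/ossec-hids/logs/ossec.log   (directory as given in the thread)
sample_log | ossec_errors
```

An empty ossec.log, as reported in the top message, yields no output at all.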