Your mysql server is telling you that ossec from 10.2.5.78 is not
allowed to connect. Since you are running these programs on the same
box, I feel safe to say that your ossec application is connecting to
your database from the interface's IP, not localhost. A simple
tcpdump would verify
I am getting when I restart my ossec server after an install of the latest
snapshot.
2009/06/23 14:19:59 ossec-logcollector(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
2009/06/23 14:19:59 ossec-syscheckd(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
2009/06/23
Did you follow the directions?
http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput
Make sure you use the right IP/hostname in the following command:
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to
ossecuser@ossec ip;
I put 127.0.0.1 instead of localhost and got a similar
Has anyone got this working? I have followed instructions on web for 1.6...well
still doesn't work properly
We have created a script that parses through a text file to add
several hundred clients at a time. This script will find the last
index number and then proceed with the next index number.
#!/bin/bash
## this is the last key's index number, taken via bin/agent_control
##
## -chuck
Is there a way to create a new baseline, for example after a major
upgrade? The idea is that this would prevent expected alerts and
clear the slate going forward.
Thank you,
Patrick
Hello,
I was wondering if there was a way to tell ossec to reload its
configuration files without having to restart the process.
For example, running `/etc/init.d/sshd restart` completely shuts down
and starts up the ssh daemon. This contrasts from `/etc/init.d/sshd
reload` in that *reload*
I am at a loss as to figure out which ossec.conf file I am to use to
configure syscheck to monitor specific files.
For example: if on one (or more) agents there is a directory /opt/
appfiles that I need to monitor, do I specify this in the server's
config file, or the agents'? or both?
Does the
Update: As it turns out enVision is receiving valid syslog alerts
from OSSEC. RSA (enVision vendor) has to write code in order for
enVision to be able to parse the alerts. Even though OSSEC is
sending valid syslog data, we still have to pay RSA for them to be
able to 'decode' it -- (read
In her defense, I followed these exactly and same issue.
Did you follow the directions?
http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput
Make sure you use the right IP/hostname in the following command:
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to
Patrick,
We run RSA envision and have an XML file that I can send you to parse OSSEC
syslog files. RSA enVision had a UDS application that you use to parse log
files that enVision does not already parse. Send me an email or call me and
I'll send you the XML file.
Thanks
Dennis Carter GSNA
Hi Kelly,
This error is generally caused by permission errors on the database
side. You need to
use the same ip address in the ossec config and on the GRANT command:
If you added 10.2.5.78 as the db server, make sure to run:
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to
Hi Derek,
Did you configure it to use a centralized agent configuration? I have
a fix for it at:
http://ossec.net/files/snapshots/ossec-hids-090624.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Jun 24, 2009 at 9:33 AM, Derek J.
Morris dmor...@digitalmorris.com wrote:
I am
I apologize if that seemed like an attack, it wasn't meant as one.
On Wed, Jun 24, 2009 at 10:25 AM, Derek J. Morris dmor...@digitalmorris.com
wrote:
In her defense, I followed these exactly and same issue.
I just set it up with the latest snapshot. I don't have any agents,
but data is going into the database.
What isn't working for you?
dan
On Tue, Jun 23, 2009 at 2:09 PM, Derek J.
Morris dmor...@digitalmorris.com wrote:
Has anyone got this working? I have followed instructions on web for