On Oct 11, 2016 2:22 PM, "Kernel Panic" <netwarrior...@gmail.com> wrote: > > Hi guys, > Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea. > > The log: >
Are there any errors befoew these messages? Maybe try starting the daemons manually one at a time (with -df) to see which fails. > 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. > 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. > > The queue > srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue > > Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint > > xmllint local_rules.xml > <?xml version="1.0"?> > --SNIP- > </group> > <!-- SYSLOG,LOCAL --> > <!-- EOF --> > > There is a file also under /var/ossec/etc/decoder.xml that seems not good , is that correct? > xmllint decoder.xml > decoder.xml:52: parser error : Extra content at the end of the document > <decoder name="pam"> > ^ > Did you modify this file? Does `ossec-logtest -t` complain about it? > And found this: > > xmllint ossec.conf > ossec.conf:74: parser error : Comment not terminated > <!-- Frequency that syscheck is executed > <!-- Frequency that syscheck is executed -- default every 20 hours --> > > Line 74, what's missing here? > I see the "-->" there. Right after "hours." xmllint doesn't apply to ossec. > <syscheck> > <!-- Frequency that syscheck is executed -- default every 20 hours --> > <frequency>72000</frequency> > > > > > > ossec-hids-2.8.3-53.el6.art.x86_64 > ossec-hids-server-2.8.3-53.el6.art.x86_64 > ossec-wui-0.8-4.el6.art.noarch > > Thanks for your time and support > Regards > > > > > > > > > -- > > --- > You received this message because you are subscribed to the Google Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
