Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil wrote:
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>

I really wish SO would partition their system properly. Big /, nothing else is very annoying.
Check permissions. Maybe things didn't copy over properly?

> On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>>
>> Do you have SELinux running in an enforcing mode? What is the output of
>> sestatus?
>>
>> Josh
>>
>> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic wrote:
>>>
>>> Really do not know, just installed it from repo and tried to start the
>>> service.
>>>
>>> Thanks
>>> Regards
>>>
>>> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>>>
>>>> Hi guys,
>>>> Yes, I've been reading the error on the list, lots of cases and I got it
>>>> too but I ran out of ideas.
>>>>
>>>> The log:
>>>>
>>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>
>>>> The queue
>>>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>>
>>>> Also read the local_rules may have issues, tested with -t and no errors
>>>> displayed also with xmllint
>>>>
>>>> xmllint local_rules.xml
>>>>
>>>> --SNIP-
>>>>
>>>> There is a file also under /var/ossec/etc/decoder.xml that seems not
>>>> good, is that correct?
>>>> xmllint decoder.xml
>>>> decoder.xml:52: parser error : Extra content at the end of the document
>>>>
>>>> ^
>>>>
>>>> And found this:
>>>>
>>>> xmllint ossec.conf
>>>> ossec.conf:74: parser error : Comment not terminated
>>>>
>>>> Line 74, what's missing here?
>>>>
>>>> 72000
>>>>
>>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>>> ossec-wui-0.8-4.el6.art.noarch
>>>>
>>>> Thanks for your time and support
>>>> Regards
>>
>> --
>> Thanks,
>> Joshua Gimer
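Added example, not part of any message in this thread and not OSSEC code: a small Python probe that separates the two failures seen above, 'Connection refused' on a queue socket whose file still exists (nothing is listening on it) and errno 13 (EACCES, a permission problem). It assumes the queue is a UNIX datagram socket; probe_unix_queue, queue_report, demo and the temporary paths are hypothetical names, and the sockets are constructed in a temp directory rather than under /var/ossec.

```python
import errno
import os
import socket
import stat
import tempfile


def probe_unix_queue(path):
    """Classify the state of a UNIX datagram queue socket at `path`.

    Returns one of: "missing", "not-a-socket", "no-listener",
    "permission-denied", "ok", or "error:<ERRNO NAME>".
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        # A parent directory is not searchable by the current user (EACCES).
        return "permission-denied"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"

    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.connect(path)
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # The socket file is on disk but no process has it bound:
            # the daemon that owns the queue is not running.
            return "no-listener"
        if exc.errno in (errno.EACCES, errno.EPERM):
            # Mode or ownership of the socket (or its directory) blocks us.
            return "permission-denied"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        client.close()
    return "ok"


def queue_report(path):
    """State plus the ls-style mode string and owner ids, for a quick look."""
    report = {"path": path, "state": probe_unix_queue(path)}
    try:
        st = os.stat(path)
    except OSError:
        return report
    report.update(mode=stat.filemode(st.st_mode), uid=st.st_uid, gid=st.st_gid)
    return report


def demo():
    """Walk one constructed queue socket through its states in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        queue = os.path.join(tmp, "queue")  # constructed path, not /var/ossec
        results["before_start"] = probe_unix_queue(queue)

        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(queue)  # stands in for the daemon that owns the queue
        results["listening"] = probe_unix_queue(queue)

        listener.close()  # the process goes away, the socket file stays
        results["after_exit"] = probe_unix_queue(queue)
        results["stale_mode_char"] = queue_report(queue)["mode"][0]

        plain = os.path.join(tmp, "plain")
        open(plain, "w").close()
        results["regular_file"] = probe_unix_queue(plain)
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, "->", state)
```

Against a real install, run probe_unix_queue('/var/ossec/queue/ossec/queue') as the user the failing daemon runs as, since the permission result depends on who is asking.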
Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel wrote:
> Perhaps this is way off base, but have you added an agent for localhost? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>

You shouldn't have to add an agent for the localhost, it's automatically considered agent 000.

> If I have one rant regarding OSSEC HIDS, it's the structure and quality of
> documentation: Sketchy at best... Doing a lot of poking in the dark to solve
> issues.
>

Please help: https://github.com/ossec/ossec-docs
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Yep, I have an agent on the localhost; actually now that is the only active one. Rest all are disconnected since ossec-remoted is not running.

On Tuesday, 11 April 2017 00:04:46 UTC+5:30, Felix Martel wrote:
>
> Perhaps this is way off base, but have you added an agent for localhost?
> In my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>
> If I have one rant regarding OSSEC HIDS, it's the structure and quality of
> documentation: Sketchy at best... Doing a lot of poking in the dark to
> solve issues.
Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
The issue started after I added in more disk since I ran out of space in /

On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>
> Do you have SELinux running in an enforcing mode? What is the output of
> sestatus?
>
> Josh
>
> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic wrote:
>
>> Really do not know, just installed it from repo and tried to start the
>> service.
>>
>> Thanks
>> Regards
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Perhaps this is way off base, but have you added an agent for localhost? In my context of a new install, a ton of issues went away after I added an agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the key or anything. Once I did that, my queue errors went away and my agents started reporting.

If I have one rant regarding OSSEC HIDS, it's the structure and quality of documentation: Sketchy at best... Doing a lot of poking in the dark to solve issues.
Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Do you have SELinux running in an enforcing mode? What is the output of sestatus?

Josh

On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic wrote:

> Really do not know, just installed it from repo and tried to start the
> service.
>
> Thanks
> Regards

--
Thanks,
Joshua Gimer

http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
I am getting the exact same error -

2017/04/10 18:03:02 ossec-remoted: Unable to open agent file. errno: 13
2017/04/10 18:03:02 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/1024'.

How did you manage to get ossec-remoted back up and running?

On Wednesday, 12 October 2016 20:00:47 UTC+5:30, Kernel Panic wrote:
>
> Hi guys
> The remote service was not starting, now it's up and running, and have to
> say that this was pure pain!!
>
> */var/ossec/bin/ossec-remoted -df*
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> *2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.*
>
> netstat -antuwp | grep ossec
> udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted
>
> Thank you very much!
> Regards
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Really do not know, just installed it from repo and tried to start the service.

Thanks
Regards
Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Wed, Oct 12, 2016 at 10:30 AM, Kernel Panic wrote:
> Hi guys
> The remote service was not starting, now it's up and running, and have to say
> that this was pure pain!!
>

It would be interesting to find out what happened to your setup to give you such troubles.

> /var/ossec/bin/ossec-remoted -df
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> 2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>
> netstat -antuwp | grep ossec
> udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted
>
> Thank you very much!
> Regards
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys
The remote service was not starting, now it's up and running, and have to say that this was pure pain!!

*/var/ossec/bin/ossec-remoted -df*
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
*2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.*

netstat -antuwp | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted

Thank you very much!
Regards
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
These are my udp ports:

udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:8231 0.0.0.0:*
udp 0 0 127.0.0.1:703 0.0.0.0:*
udp 0 0 0.0.0.0:51797 0.0.0.0:*
udp 0 0 127.0.0.1:3030 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:627 0.0.0.0:*
udp 0 0 10.77.1.147:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::41574 :::*
udp 0 0 :::111 :::*
udp 0 0 :::627 :::*
udp 0 0 fe80::250:56ff:fe88:2b2b:123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*

On the remote section I've got the following (the documentation says it will take default values)

secure

Thank you for your time and support
Regards
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys

Well, after fixing lots of permissions it seems it's working now:

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

Now, which is the port that should be listening for agent connections?

From the client:
Trying to connect to server (x.x.x.x:1514)

On the server:
lsof -i:1514 ( nothing)

Thanks in advance.
Regards
Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Wed, Oct 12, 2016 at 9:09 AM, Kernel Panic wrote:
>
> chmod 777 /var/ossec/queue/ossec/queue
> z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
> 2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
> 2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>

Make sure you're starting these in the correct order. Based on an `ossec-control start` I get the following order:

ossec-maild
ossec-execd
ossec-analysisd
ossec-logcollector
ossec-remoted
ossec-syscheckd
ossec-monitord
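Added example (not part of the original thread and not OSSEC code): 'Connection refused' on a UNIX socket means the socket file exists but no process is bound to it, which is why the chmod 777 quoted above changes nothing and why the start order matters. The sketch assumes the queue is a datagram socket and uses a constructed temporary path as a stand-in for /var/ossec/queue/ossec/queue.

```python
import errno
import os
import socket
import tempfile

# What each connect() failure means for a UNIX-domain queue socket.
MEANINGS = {
    errno.ECONNREFUSED: "socket file exists but no process is bound to it; "
                        "start the daemon that owns the queue",
    errno.EACCES: "caller lacks write permission on the socket or search "
                  "permission on a parent directory (or a MAC policy denies it)",
    errno.ENOENT: "no socket file at this path; check the path and any chroot",
}


def probe_unix_queue(path, sock_type=socket.SOCK_DGRAM):
    """Connect to a UNIX socket and return (status, meaning).

    SOCK_DGRAM is an assumption about how the queue is created; pass
    socket.SOCK_STREAM to probe a stream socket instead.
    """
    client = socket.socket(socket.AF_UNIX, sock_type)
    try:
        client.connect(path)
        return "OK", "a process is bound to the socket"
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return name, MEANINGS.get(exc.errno, os.strerror(exc.errno))
    finally:
        client.close()


def demo():
    """Reproduce the three states on a constructed socket in a temp dir."""
    states = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "queue")  # constructed stand-in path
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(path)        # what the owning daemon does at start
        os.chmod(path, 0o777)      # the chmod from the thread
        states["daemon running"] = probe_unix_queue(path)[0]

        listener.close()           # daemon exits; the file stays on disk
        states["daemon stopped, file mode 0777"] = probe_unix_queue(path)[0]

        os.unlink(path)
        states["socket file missing"] = probe_unix_queue(path)[0]
    return states


if __name__ == "__main__":
    for state, status in demo().items():
        print(f"{state:32} -> {status}")
```

On a real server, calling probe_unix_queue on the queue path from the error message (as a user allowed to reach it) separates a daemon that is not running from a permission or SELinux denial.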
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
chmod 777 /var/ossec/queue/ossec/queue
z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
After correcting some permissions I've got some upgrades but still some processes complain about the queue.

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 1 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...

tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi

Did not modify that file, I realized some of them were in xml format, just wanted to check.

This is what I get running the services manually with -df

2016/10/12 07:31:20 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: Starting queue ...
2016/10/12 07:31:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

2016/10/12 07:34:23 ossec-monitord: DEBUG: Starting ...
2016/10/12 07:34:23 ossec-monitord: INFO: Chrooted to directory: /var/ossec, using user: ossec
2016/10/12 07:34:23 ossec-monitord: INFO: Started (pid: 12499).
2016/10/12 07:34:36 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:34:36 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..

2016/10/12 07:46:50 ossec-analysisd: DEBUG: FTSInit completed.
2016/10/12 07:46:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2016/10/12 07:46:56 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2016/10/12 07:46:59 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd: DEBUG: Active response Init completed.
2016/10/12 07:46:59 alerts: Error opening logfile: '/logs/alerts/2016/Oct/ossec-alerts-12.log'

var/ossec/queue/alerts# ls -la
srwxrwxrwx. 1 apache ossec 0 Oct 12 07:52 ar
srw-rw. 1 apache ossec 0 Oct 11 15:55 execq

ls -la logs/archives/2016/Oct/ossec-archive-12.log
-rw-r-. 2 apache ossec 0 Oct 12 07:43 logs/archives/2016/Oct/ossec-archive-12.log

ossec-remoted: Error accessing file '/etc/shared/system_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_trojans.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_files.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel5_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_malware_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_debian_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_applications_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/system_audit_ssh.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel6_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel7_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: DEBUG: Running manager_init
2016/10/12 07:58:32 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:58:32 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..

/var/ossec/etc/shared# ls -la
total 204
drwxrwxr-x. 2 ossec ossec 4096 Oct 11 09:23 .
drwxrwxr-x. 6 apache ossec 4096 Oct 11 15:47 ..
-rw-rw. 1 ossec ossec 2949 Apr 8 2016 agent.conf
-rw-rw. 1 ossec ossec 153 Oct 12 07:53 ar.conf
-rw-rw. 1 ossec root 11136 Apr 8 2016 cis_debian_linux_rcl.txt
-rw-rw. 1 ossec root 31813 Apr 8 2016 cis_rhel5_linux_rcl.txt
-rw-rw. 1 ossec root 30004 Apr 8 2016 cis_rhel6_linux_rcl.txt
-rw-rw. 1 ossec root 32808 Apr 8 2016 cis_rhel7_linux_rcl.txt
-rw-rw. 1 ossec root 15845 Apr 8 2016 cis_rhel_linux_rcl.txt
-rw-rw. 1 ossec ossec 3132 Oct 12 07:58 merged.mg
-rw-rw. 1 ossec root 15942 Apr 8 2016 rootkit_files.txt
-rw-rw. 1 ossec root 5301 Apr 8 2016 rootkit_trojans.txt
-rw-rw. 1 ossec root 4958 Apr 8 2016 system_audit_rcl.txt
-rw-rw. 1 ossec root 1774 Apr 8 2016 system_audit_ssh.txt
-rw-rw. 1 ossec root 4829 Apr 8 2016 win_applications_rcl.txt
-rw-rw. 1 ossec root 3944 Apr 8 2016 win_audit_rcl.txt
-rw-rw. 1 ossec root 5005 Apr 8 2016 win_malware_rcl.txt

Thanks in advance.

El martes, 11 de octubre