No joy, Daniel. I installed/updated to the 060910 snapshot and set all of the permissions according to the wiki; ossec-remoted starts but does not stay running.
When I tried starting ossec-remoted manually (or with strace), I received the following error in the ossec log: 2006/09/10 15:22:31 ossec-remoted: Started (pid: 13926). 2006/09/10 15:22:31 ossec-remoted: Started (pid: 13927). 2006/09/10 15:22:31 ossec-remoted(1402): Authentication key file '/etc/client.keys' not found. I remember seeing a post about this error from not too long ago but I did not see a solution in the thread. Upon review I found that I did not have a client.keys file in my %ossec-home%/etc/ directory. I created one with touch and set the permissions for the file then tried restarting ossec-remoted again. The result was (no error): 2006/09/10 15:30:10 ossec-remoted: Started (pid: 14213). Now, the only error in my ossec.log is this: 2006/09/10 15:49:29 ossec-analysisd(1210): Queue '/queue/alerts/ar' not accessible. 2006/09/10 15:49:29 ossec-analysisd(1301): Unable to connect to active response queue. I deleted ar from queue/alerts/ and restarted ossec via ossec-control (ar was recreated but not immediately). The status output showed ossec-remoted as not running still. Does remoted require analysisd to start correctly or does it use the ar socket file? What is supposed to be inside the client.keys file? Can it be empty? I started using ossec about mid-August and I am using as vanilla of an install as possible. # uname -a Linux 2.6.15-26-k7 #1 SMP PREEMPT Thu Aug 3 03:40:32 UTC 2006 i686 GNU/Linux (Ubuntu 6.06) # ossec-analysisd -V OSSEC HIDS v0.9-1b - Daniel B. Cid #cat /etc/ossec-init.conf DIRECTORY="/usr/local/ossec" VERSION="v0.9-1" DATE="Sun Sep 10 15:09:11 MDT 2006" TYPE="server" # ossec-control status ossec-monitord is running... ossec-logcollector is running... ossec-remoted not running... ossec-syscheckd is running... ossec-analysisd is running... ossec-maild is running... ossec-execd is running... Thanks, Colby W. Daniel Cid wrote: > Hi Colby and Richard, > > Can you try the latest snapshot? It should have fixed this problem (permission > issues)... > > http://www.ossec.net/files/snapshots/ossec-hids-060910.tar.gz > > *just choose the update option during the install. No need to > reinstall everything. > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net
