Dear list,

We have compiled Ossec on AIX 5.1 and deployed on another AIX 5.1 system
and have chosen Local as the installation type.
Compilation is without errors.
Debugging for Analysisd is set to 2.
When Ossec is started all processes start. After a few seconds
logcollector and analysisd stop with the following error (see ossec.log
below)

# more ./logs/ossec.log
2007/01/30 13:32:55 ossec-maild: E-Mail notification disabled. Clean
Exit.
2007/01/30 13:32:56 ossec-execd: Started (pid: 843924).
2007/01/30 13:32:56 ossec-analysisd: Total rules enabled: '0'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'/etc/mail/statistics'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/System32/LogFiles'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/WindowsUpdate.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/iis6.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Repository'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/Prefetch'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/SoftwareDistribution'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/config'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/spool'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/CatRoot'
2007/01/30 13:32:56 ossec-logcollector: DEBUG: Waiting main daemons to
settle.
2007/01/30 13:32:58 ossec-syscheckd: Started (pid: 573470).
2007/01/30 13:33:02 ossec-logcollector: DEBUG: Entering
LogCollectorStart().
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/var/log/messages'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/var/log/syslog'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/data/PD/logs/www/request.log'.
2007/01/30 13:33:02 ossec-logcollector: Started (pid: 704610).
2007/01/30 13:33:22 ossec-logcollector: DEBUG: Reading syslog message:
'x.x.x.x - Unauth [30/Jan/2007:13:33:03 +0100]
"HEAD / HTTP/1.0" 200 0'
2007/01/30 13:33:22 ossec-logcollector: socketerr.
2007/01/30 13:33:22 ossec-logcollector(1224): Error sending message to
queue.
2007/01/30 13:33:25 ossec-logcollector(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/01/30 13:33:25 ossec-logcollector(1211): Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..

And I end up with the following status for the Ossec processes.

# ./bin/ossec-control status
ossec-monitord is running...
ossec-logcollector not running...
ossec-syscheckd is running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd is running...
[EMAIL PROTECTED]:/var/ossec

From the Ossec site I gather that the queue error is because analysisd
is not running.
- Ossec does not seem to be able to read in the rules

I think that Ossec is a beautiful product and has exactly the
functionality that we need.
Running Ossec on AIX however isn't that straightforward and I cannot
find that much info about it.
I've already changed from a server-client setup to a Local setup in the
hope that that would be running smoothly.
I very much hope that somebody can give me a clue about what to change
in order to make Ossec function well.

Very much hope for any info.

Jos van Hout
The Netherlands 
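
An added example, not part of the original post and not OSSEC's own code: a small Python triage for an ossec.log like the one above. It rejoins mail-wrapped lines, then lists which daemons logged a start, the reported rule count, and the numbered error entries. The function names and the reading of the parenthesised number as a message code are assumptions; the sample is an excerpt of the log in the post.

```python
import re

# Excerpt of the ossec.log from the post above, mail line-wrapping kept.
SAMPLE = """\
2007/01/30 13:32:56 ossec-execd: Started (pid: 843924).
2007/01/30 13:32:56 ossec-analysisd: Total rules enabled: '0'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'/etc/mail/statistics'
2007/01/30 13:32:58 ossec-syscheckd: Started (pid: 573470).
2007/01/30 13:33:02 ossec-logcollector: Started (pid: 704610).
2007/01/30 13:33:22 ossec-logcollector(1224): Error sending message to
queue.
2007/01/30 13:33:25 ossec-logcollector(1211): Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..
"""

# timestamp, daemon, optional number in parentheses (assumed message code), message
ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-\w+)(?:\((\d+)\))?: (.*)$")

def parse(text):
    """Rejoin wrapped lines and return (timestamp, daemon, code, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][3] += " " + line.strip()  # continuation of a wrapped entry
    return [tuple(e) for e in entries]

def triage(text):
    """Summarise which daemons started, the rule count, and numbered errors."""
    started, seen, rules, errors = {}, set(), None, []
    for ts, daemon, code, msg in parse(text):
        seen.add(daemon)
        m = re.match(r"Started \(pid: (\d+)\)", msg)
        if m:
            started[daemon] = int(m.group(1))
        m = re.match(r"Total rules enabled: '(\d+)'", msg)
        if m:
            rules = int(m.group(1))
        if code and ("Error" in msg or "Unable" in msg or "not accessible" in msg):
            errors.append((ts, daemon, int(code), msg))
    return {"started": started, "never_started": sorted(seen - set(started)),
            "rules_enabled": rules, "errors": errors}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```
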
