Hi Jos

 

Have you checked on user creation during compile (ossecm, ossecr, ossece, etc.)
and ownership? From my experience with 5.3 it doesn't seem to create the users,
resulting in wrong ownership of files and directories under the ossec root
directory. Note, I ran into different problems on a 5.2 machine (ugly compile
errors). Maybe this has something to do with the Linux environment on AIX
machines in general, since there are so many different versions for different OS
levels floating around.

 

Hope this helps.

 

Magnus 

 

   _____  

From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Hout, Jos van
Sent: 30 January 2007 13:48
To: [EMAIL PROTECTED]
Subject: [ossec-list] Problems with Ossec on AIX

 

Dear list, 

 

We have compiled Ossec on AIX 5.1 and deployed on another AIX 5.1 system and
have chosen Local as the installation type.

Compilation is without errors.
Debugging for Analysisd is set to 2.
When Ossec is started all processes start. After a few seconds logcollector and
analysisd stop with the following error (see ossec.log below).

# more ./logs/ossec.log
2007/01/30 13:32:55 ossec-maild: E-Mail notification disabled. Clean Exit.
2007/01/30 13:32:56 ossec-execd: Started (pid: 843924).
2007/01/30 13:32:56 ossec-analysisd: Total rules enabled: '0'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2007/01/30 13:32:56 ossec-logcollector: DEBUG: Waiting main daemons to settle.
2007/01/30 13:32:58 ossec-syscheckd: Started (pid: 573470).
2007/01/30 13:33:02 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/data/PD/logs/www/request.log'.
2007/01/30 13:33:02 ossec-logcollector: Started (pid: 704610).
2007/01/30 13:33:22 ossec-logcollector: DEBUG: Reading syslog message: 'x.x.x.x - Unauth [30/Jan/2007:13:33:03 +0100] "HEAD / HTTP/1.0" 200 0'
2007/01/30 13:33:22 ossec-logcollector: socketerr.
2007/01/30 13:33:22 ossec-logcollector(1224): Error sending message to queue.
2007/01/30 13:33:25 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2007/01/30 13:33:25 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

And I end up with the following status for the Ossec processes. 

# ./bin/ossec-control status 
ossec-monitord is running... 
ossec-logcollector not running... 
ossec-syscheckd is running... 
ossec-analysisd not running... 
ossec-maild not running... 
ossec-execd is running... 
[EMAIL PROTECTED]:/var/ossec 

From the Ossec site I gather that the queue error is because analysisd is not
running.
- Ossec does not seem to be able to read in the rules

I think that Ossec is a beautiful product and has exactly the functionality 
that we need. 
Running Ossec on AIX however isn't that straightforward and I cannot find that 
much info about it. 
I've already changed from a server-client setup to a Local setup in the hope 
that that would be running smoothly. 
I very much hope that somebody can give me a clue about what to change in order 
to make Ossec function well. 

Very much hope for any info. 

Jos van Hout 
The Netherlands 
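The checks Magnus suggests (do the ossecm, ossecr and ossece accounts exist, and who owns the tree under the ossec root), plus the queue socket that Jos's logcollector cannot reach, as an added example that is not part of either message. It assumes the OSSEC root is /var/ossec unless OSSEC_ROOT is set, that an account named ossec exists alongside the three named in the thread, and that the analysisd queue lives at the socket path from Jos's log; run it with --run on the affected host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: OSSEC root /var/ossec unless
# OSSEC_ROOT is set; expected accounts ossec, ossecm, ossecr, ossece (the first is
# assumed, the thread names the other three); queue socket path taken from the log.
OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"
OSSEC_USERS="ossec ossecm ossecr ossece"
QUEUE_SOCKET="$OSSEC_ROOT/queue/ossec/queue"

# missing_users PASSWD_FILE: print, one per line, each expected account that has
# no entry in PASSWD_FILE (normally /etc/passwd). Always returns 0; the caller
# inspects the output.
missing_users() {
    for u in $OSSEC_USERS; do
        grep -q "^${u}:" "$1" || echo "$u"
    done
    return 0
}

# queue_state PATH: classify the analysisd queue. logcollector's
# "Queue ... not accessible" message is expected whenever this is not "socket",
# since analysisd creates the socket only once it has started and stayed up.
queue_state() {
    if [ -S "$1" ]; then echo socket
    elif [ -e "$1" ]; then echo not-a-socket
    else echo missing
    fi
}

# foreign_owned ROOT: list entries under ROOT whose owner is neither root nor one
# of the OSSEC accounts, the symptom Magnus describes when the install ran without
# the users present. Uses ls -ld so it works on AIX as well as Linux.
foreign_owned() {
    find "$1" -exec ls -ld {} \; 2>/dev/null |
        awk -v ok=" root $OSSEC_USERS " 'index(ok, " " $3 " ") == 0 { print }'
}

# Run the checks against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    miss=$(missing_users /etc/passwd)
    if [ -n "$miss" ]; then printf 'missing accounts:\n%s\n' "$miss"; fi
    printf 'queue %s: %s\n' "$QUEUE_SOCKET" "$(queue_state "$QUEUE_SOCKET")"
    echo 'entries under the OSSEC root with unexpected owners:'
    foreign_owned "$OSSEC_ROOT"
fi
```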

