Hello mate!

In my system, the queue is:

srw-rw----  1 ossec ossec 0 Feb 24 12:31 queue...

Double-check the file perms...


Cheers!


On 2/27/07, Hout, Jos van <[EMAIL PROTECTED]> wrote:

 Hello List,

Has anyone experienced problems that Ossec doesn't start up when set in
debug mode 1 or 2 ?
Strange behaviour.

It's a local installation and when starting up it ends with:
Queue /var/ossec/queue/ossec/queue not accessible (5 times) and then ends
with
Unable to access queue ..... Giving up.

Any idea ??



 ------------------------------
*From:* Hout, Jos van
*Sent:* Thursday, February 01, 2007 8:21 AM
*To:* '[email protected]'
*Subject:* RE: [ossec-list] FW: [ossec-list] Problems with Ossec on AIX

 Dear list (and Magnus :-) )

Because there's the new version 1 and the problems we have are with
version 0.9.3 we tried deploying version 1 and BINGO!
Although we still deploy the Local installation, Ossec seems to be running
fine now.
Can't find anything relevant in the changelog regarding the problems we've
had but we're almost there.
Looking good and continuing.

Thanks
Jos van Hout

 ------------------------------
*From:* [email protected] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Magnus Egilsson
*Sent:* Tuesday, January 30, 2007 3:27 PM
*To:* [EMAIL PROTECTED]
*Subject:* [ossec-list] FW: [ossec-list] Problems with Ossec on AIX

 Hi Jos



Have you checked on user creation during compile, ossecm, ossecr, ossece,
etc and ownership? From my experience with 5.3 it doesn't seem to create
the users resulting in wrong ownership of files and directories under the
ossec root directory. Note, I ran into different problems on a 5.2 machine
(ugly compile errors). Maybe this has something to do with the Linux
environment on AIX machines in general since there are so many different
versions for different OS levels floating around.



Hope this helps.



Magnus


 ------------------------------

*From:* [email protected] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Hout, Jos van
*Sent:* 30 January 2007 13:48
*To:* [EMAIL PROTECTED]
*Subject:* [ossec-list] Problems with Ossec on AIX



Dear list,



We have compiled Ossec on AIX 5.1 and deployed on another AIX 5.1 system
and have chosen Local as the installation type.

Compilation is without errors.
Debugging for Analysisd is set to 2.
When Ossec is started all processes start. After a few seconds
logcollector and analysisd stop with the following error (see ossec.log below)

# more ./logs/ossec.log
2007/01/30 13:32:55 ossec-maild: E-Mail notification disabled. Clean Exit.
2007/01/30 13:32:56 ossec-execd: Started (pid: 843924).
2007/01/30 13:32:56 ossec-analysisd:* Total rules enabled: '0'*
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/System32/LogFiles'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/WindowsUpdate.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Repository'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/SoftwareDistribution'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/config'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/spool'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/CatRoot'
2007/01/30 13:32:56 ossec-logcollector: DEBUG: Waiting main daemons to
settle.
2007/01/30 13:32:58 ossec-syscheckd: Started (pid: 573470).
2007/01/30 13:33:02 ossec-logcollector: DEBUG: Entering
LogCollectorStart().
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/var/log/messages'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/var/log/syslog'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file:
'/data/PD/logs/www/request.log'.
2007/01/30 13:33:02 ossec-logcollector: Started (pid: 704610).
2007/01/30 13:33:22 ossec-logcollector: DEBUG: Reading syslog message: '
x.x.x.x - Unauth [30/Jan/2007:13:33:03 +0100]
"HEAD / HTTP/1.0" 200 0'
2007/01/30 13:33:22 ossec-logcollector:* **socketerr.*
2007/01/30 13:33:22 ossec-logcollector(1224): Error sending message to
queue.
2007/01/30 13:33:25 ossec-logcollector(1210):* **Queue
'/var/ossec/queue/ossec/queue' not accessible.*
2007/01/30 13:33:25 ossec-logcollector(1211):* **Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..*

And I end up with the following status for the Ossec processes.

# ./bin/ossec-control status
ossec-monitord is running...
ossec-logcollector not running...
ossec-syscheckd is running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd is running...
[EMAIL PROTECTED]:/var/ossec

From the Ossec site I gather that the queue error is because analysisd is
not running.
- Ossec does not seem to be able to read in the rules

I think that Ossec is a beautiful product and has exactly the
functionality that we need.
Running Ossec on AIX however isn't that straightforward and I cannot find
that much info about it.
I've already changed from a server-client setup to a Local setup in the
hope that that would be running smoothly.
I very much hope that somebody can give me a clue about what to change in
order to make Ossec function well.

Very much hope for any info.

Jos van Hout
The Netherlands
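
The permission check suggested in the reply at the top of this thread, as an added example that is not part of the original messages: a POSIX shell script that compares the queue socket with the `srw-rw---- ossec ossec` listing quoted there and reports any of the accounts named in the thread (`ossec`, `ossecm`, `ossecr`, `ossece`) that do not exist. The function names are hypothetical, and the expected mode, owner and group are assumptions taken from that single listing.

```shell
#!/bin/sh
# Added example, not from the thread. Expected values come from the single
# listing quoted in the reply: srw-rw---- 1 ossec ossec ... queue
EXPECT_PERMS='rw-rw----'
EXPECT_OWNER='ossec'
EXPECT_GROUP='ossec'

# check_ls_line LINE: compare one `ls -ld` line with the expected values.
# Prints one finding per mismatch and returns 1 if there was any.
check_ls_line() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    mode=$(printf '%.10s' "$mode")   # drop an ACL/SELinux suffix such as '.' or '+'
    rc=0
    case $mode in
        s*) ;;
        *)  echo "type: expected a socket, got '$mode'"; rc=1 ;;
    esac
    [ "${mode#?}" = "$EXPECT_PERMS" ] || { echo "perms: expected $EXPECT_PERMS, got ${mode#?}"; rc=1; }
    [ "$owner" = "$EXPECT_OWNER" ] || { echo "owner: expected $EXPECT_OWNER, got $owner"; rc=1; }
    [ "$group" = "$EXPECT_GROUP" ] || { echo "group: expected $EXPECT_GROUP, got $group"; rc=1; }
    return "$rc"
}

# check_queue PATH: parse `ls -ld` output (no stat(1) needed) and check it.
check_queue() {
    line=$(ls -ld "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    check_ls_line "$line"
}

# missing_users NAME...: print every account that id(1) cannot resolve.
missing_users() {
    for u in "$@"; do
        id "$u" >/dev/null 2>&1 || echo "$u"
    done
}

# Usage: sh check-queue.sh /var/ossec/queue/ossec/queue
if [ "$#" -gt 0 ]; then
    check_queue "$1" && echo "queue socket OK"
    gone=$(missing_users ossec ossecm ossecr ossece)
    [ -z "$gone" ] || echo "accounts not found:" $gone
fi
```

A "missing" result for the queue path is also what you would see when ossec-analysisd is not running, as in the status output above.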
