ossec-execd was not running and refuses to start when rootcheck is disabled. When I try to run /var/ossec/bin/ossec-execd manually it just shows

ossec-execd(1350): Active response disabled. Exiting.

in the logs. Restarting ossec does not fix the problem either. The only way I can get the execd process to not kill itself is by enabling rootcheck.

Blaine Aldridge

On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> Hi Blaine,
>
> I think your problem is unrelated to rootcheck. The error you mentioned only
> happens when ossec-analysisd cannot connect to ossec-execd...
>
> Can you make sure that ossec-execd is running (ps auwx |grep ossec)? If
> it is not, try to start it manually and see if it generates any errors. If it
> starts fine, just restart ossec and see if the problem persists...
>
> If that doesn't help, let us know and we will look deep into that :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/20/07, Blaine Aldridge <[EMAIL PROTECTED]> wrote:
> >
> > Hey all,
> >
> > I'm running OSSEC on an openvz based VPS and the rootcheck module
> > reports all sorts of hidden processes and such (as expected inside a
> > VPS). I've tried to disable the rootcheck module with
> >
> > <rootcheck>
> >   <disabled>yes</disabled>
> > </rootcheck>
> >
> > in the ossec.conf but when I start ossec via init.d I get the following
> >
> > ossec-rootcheck: Rootcheck disabled. Exiting.
> > ossec-syscheckd: Rootcheck module disabled.
> >
> > Everything seems to be fine... except with rootcheck disabled active
> > response no longer works. In the ossec.log file I see
> >
> > ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
> > ossec-analysisd(1301): Unable to connect to active response queue.
> >
> > Any suggestions are appreciated,
> > Blaine Aldridge
