Hi Blaine,

Thanks for the additional information. This problem was caused by a bug in the configuration reader for "execd" that was reading, well, err, rootcheck config :)

I released an updated version of 1.2 (stable snapshot) with a fix for this:

http://www.ossec.net/files/snapshots/ossec-hids-070525.tar.gz

Upgrade your ossec install to this one and the problem should go away (just choose upgrade option when you run ./install.sh).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/22/07, Blaine Aldridge <[EMAIL PROTECTED]> wrote:
> ossec-execd was not running and refuses to start when rootcheck is
> disabled. When I try to run /var/ossec/bin/ossec-execd manually it
> just shows
>
> ossec-execd(1350): Active response disabled. Exiting.
>
> in the logs.
>
> Restarting ossec does not fix the problem either. The only way I can
> get the execd process to not kill itself is by enabling rootcheck.
>
> Blaine Aldridge
>
>
> On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > Hi Blaine,
> >
> > I think your problem is unrelated to rootcheck. The error you mentioned only
> > happens when ossec-analysisd can not connect to ossec-execd...
> >
> > Can you make sure that ossec-execd is running (ps auwx |grep ossec)? If
> > it is not, try to start it manually and see if it generates any errors. If
> > it starts fine, just restart ossec and see if the problem persists...
> >
> > If that doesn't help, let us know and we will look deep into that :)
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 5/20/07, Blaine Aldridge <[EMAIL PROTECTED]> wrote:
> > >
> > > Hey all,
> > >
> > > I'm running OSSEC on an openvz based VPS and the rootcheck module
> > > reports all sorts of hidden processes and such (as expected inside a
> > > VPS). I've tried to disable the rootcheck module with
> > >
> > > <rootcheck>
> > > <disabled>yes</disabled>
> > > </rootcheck>
> > >
> > > in the ossec.conf but when I start ossec via init.d I get the following
> > >
> > > ossec-rootcheck: Rootcheck disabled. Exiting.
> > > ossec-syscheckd: Rootcheck module disabled.
> > >
> > > Everything seems to be fine... except with rootcheck disabled active
> > > response no longer works. In the ossec.log file I see
> > >
> > > ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible:
> > > 'Connection refused'.
> > > ossec-analysisd(1301): Unable to connect to active response queue.
> > >
> > > Any suggestions are appreciated,
> > > Blaine Aldridge
