Thanks Daniel,

Everything is working correctly now.

Blaine Aldridge

On 5/26/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> Hi Blaine,
>
> Thanks for the additional information. This problem was caused by a bug
> in the configuration reader for "execd" that was reading, well, err, rootcheck
> config :)
>
> I released an updated version of 1.2 (stable snapshot) with a fix for this:
>
> http://www.ossec.net/files/snapshots/ossec-hids-070525.tar.gz
>
> Upgrade your ossec install to this one and the problem should go away
> (just choose the upgrade option when you run ./install.sh).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/22/07, Blaine Aldridge <[EMAIL PROTECTED]> wrote:
> > ossec-execd was not running and refuses to start when rootcheck is
> > disabled. When I try to run /var/ossec/bin/ossec-execd manually it
> > just shows
> >
> > ossec-execd(1350): Active response disabled. Exiting.
> >
> > in the logs.
> >
> > Restarting ossec does not fix the problem either. The only way I can
> > get the execd process to not kill itself is by enabling rootcheck.
> >
> > Blaine Aldridge
> >
> >
> > On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > > Hi Blaine,
> > >
> > > I think your problem is unrelated to rootcheck. The error you mentioned
> > > only happens when ossec-analysisd can not connect to ossec-execd...
> > >
> > > Can you make sure that ossec-execd is running (ps auwx |grep ossec)? If
> > > it is not, try to start it manually and see if it generates any errors.
> > > If it starts fine, just restart ossec and see if the problem persists...
> > >
> > > If that doesn't help, let us know and we will look deep into that :)
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On 5/20/07, Blaine Aldridge <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Hey all,
> > > >
> > > > I'm running OSSEC on an openvz based VPS and the rootcheck module
> > > > reports all sorts of hidden processes and such (as expected inside a
> > > > VPS). I've tried to disable the rootcheck module with
> > > >
> > > > <rootcheck>
> > > > <disabled>yes</disabled>
> > > > </rootcheck>
> > > >
> > > > in the ossec.conf but when I start ossec via init.d I get the following
> > > >
> > > > ossec-rootcheck: Rootcheck disabled. Exiting.
> > > > ossec-syscheckd: Rootcheck module disabled.
> > > >
> > > > Everything seems to be fine... except with rootcheck disabled active
> > > > response no longer works. In the ossec.log file I see
> > > >
> > > > ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible:
> > > > 'Connection refused'.
> > > > ossec-analysisd(1301): Unable to connect to active response queue.
> > > >
> > > > Any suggestions are appreciated,
> > > > Blaine Aldridge
> > > >
> > >
> >
>
