Dear Mailing List,

Just to test the continuity of OSSEC HIDS (in case the existing server goes down), I copied the entire OSSEC directory from the existing server to the new one (the hardware config is not exactly the same, but it is running the same OS, Fedora Core 6).
The permissions of the files were set to those of the original (I copied the entire contents, including the syscheck/rootcheck queues, the rids directory, etc.). When I tried to run the service (after turning off the existing server and assigning the same IP to the new one), it is not starting up. The error snapshot of the OSSEC logs is attached herewith (suggesting a "queue not accessible" and an "unable to create PID file" error). Does it work this way? Has someone tried it before? Can anyone suggest where I am going wrong, or a better way to do the same?

Regards
Gagan

Ossec Log

2008/06/11 11:32:15 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2008/06/11 11:32:15 ossec-execd: INFO: Started (pid: 6853).
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2008/06/11 11:32:15 ossec-remoted: INFO: Started (pid: 6865).
2008/06/11 11:32:15 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2008/06/11 11:32:15 ossec-remoted(1212): ERROR: Unable to create PID file.
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2008/06/11 11:32:15 ossec-analysisd: INFO: Total rules enabled: '715'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2008/06/11 11:32:15 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2008/06/11 11:32:15 ossec-analysisd(1212): ERROR: Unable to create PID file.
2008/06/11 11:32:15 ossec-rootcheck: System audit file not configured.
2008/06/11 11:32:18 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:18 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2008/06/11 11:32:26 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:26 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:39 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
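As an added example that is not part of Gagan's post, the shell helper below triages the two error signatures in that log: it collapses the ossec.log ERROR entries into one row per daemon and error code, and it lists PID files whose recorded process is no longer alive, which is the state a copied-over tree tends to be in when error 1212 appears. The sample log is constructed from lines in the post; /var/ossec/var/run as the PID directory is an assumption based on OSSEC's default layout.

```shell
#!/bin/sh
# Added example, not from the original post: a triage helper for the two
# failure signatures in the posted log, OSSEC error 1212 ("Unable to create
# PID file") and 1210/1211 ("Queue ... not accessible"). The sample log is
# constructed from lines in the post; /var/ossec/var/run is OSSEC's default
# PID directory and is an assumption about the poster's layout.

# Constructed sample of the posted ossec.log, used by the test below.
sample_log() {
cat <<'EOF'
2008/06/11 11:32:15 ossec-remoted: INFO: Started (pid: 6865).
2008/06/11 11:32:15 ossec-remoted(1212): ERROR: Unable to create PID file.
2008/06/11 11:32:15 ossec-analysisd(1212): ERROR: Unable to create PID file.
2008/06/11 11:32:18 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:26 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/06/11 11:32:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
EOF
}

# Print one line per distinct "daemon code message" ERROR entry, timestamps
# stripped so that repeated retries collapse into one row. Reads the log on stdin.
ossec_log_errors() {
    grep -E '^[0-9/]+ [0-9:]+ [a-z-]+\([0-9]+\): ERROR:' \
    | sed -E 's/^[0-9/]+ [0-9:]+ ([a-z-]+)\(([0-9]+)\): ERROR: (.*)$/\1 \2 \3/' \
    | sort -u
}

# List PID files in an OSSEC run directory whose recorded PID is not a live
# process. OSSEC writes the PID into daemon-PID.pid; files left behind by an
# unclean stop, or carried over when the whole tree is copied from another
# host, block a fresh start with error 1212. Run as root (or the OSSEC user)
# so that kill -0 can see every daemon's process.
ossec_stale_pids() {
    dir="${1:-/var/ossec/var/run}"
    for f in "$dir"/*.pid; do
        [ -e "$f" ] || continue
        pid=$(cat "$f")
        case "$pid" in
            ''|*[!0-9]*) echo "$f: unreadable pid '$pid'"; continue ;;
        esac
        kill -0 "$pid" 2>/dev/null || echo "$f: pid $pid not running"
    done
}
```

Run `sample_log | ossec_log_errors` to see the four distinct failures, and `ossec_stale_pids` (as root) on the new server to find PID files that should be cleared before the next start.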
