Hi,

I am trying to get ossec running on CentOS release 5.2, kernel 2.6.18-92.1.10.el5xen, a xen guest. I get in my logs:

2009/02/17 12:15:23 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2009/02/17 12:15:23 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2009/02/17 12:17:43 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

ossec-analysisd should create this socket on startup if it does not exist, I think I read from the code.

When I strace the running ossec-analysisd daemon while I am doing a level 10 alert action (multiple failing ssh logins), it does receive from /queue/alerts/execq, so there is a working socket.

[r...@ossec alerts]# pwd
/opt/ossec/queue/alerts
[r...@ossec alerts]# ls -la
total 8
drwxrwx--- 2 ossec ossec 4096 Feb 17 12:28 .
dr-xr-x--- 9 root ossec 4096 Feb 17 11:56 ..
srw-rw---- 1 ossecr ossec 0 Feb 17 12:28 ar
srw-rw---- 1 root ossec 0 Feb 17 12:28 execq
[r...@ossec alerts]# ps auwwwx | grep ossec-analysisd | grep -v grep
ossec 32740 0.1 0.1 7016 1740 ? S 12:28 0:01 /opt/ossec/bin/ossec-analysisd
[r...@ossec alerts]# id ossec
uid=507(ossec) gid=508(ossec) groups=508(ossec)

I found some similar questions through Google, but none seemed to bring me closer to a solution. I assume that firewall rules creation and the like are being done through the ar queue?

Thanks for any pointing in the right direction.

Arie.
