Hi, this one is solved. Whether it is a bug or not, dunno.
It was solved by adding a first client to the server. I lost quite a few hours trying to find this one out; maybe something to add to the documentation?

Best Regards,
Arie.

---------- Forwarded message ----------
From: Arjen van Drie <[email protected]>
Date: Wed, Feb 18, 2009 at 10:44 AM
Subject: nothing listening on unix socket /queue/alerts/ar
To: ossec-list <[email protected]>

Sorry if this turns out to be a repost to the list; I did not see it appear.

Hi,

I am trying to get ossec running on CentOS release 5.2, kernel 2.6.18-92.1.10.el5xen, a xen guest.

I get in my logs

2009/02/17 12:15:23 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2009/02/17 12:15:23 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2009/02/17 12:17:43 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

ossec-analysisd should create this socket on startup if it does not exist, I think I read from the code. When I strace the running ossec-analysisd daemon while I am doing a level 10 alert action (multiple failing ssh logins), it does receive from /queue/alerts/execq, so there is a working socket.

[r...@ossec alerts]# pwd
/opt/ossec/queue/alerts
[r...@ossec alerts]# ls -la
total 8
drwxrwx--- 2 ossec ossec 4096 Feb 17 12:28 .
dr-xr-x--- 9 root ossec 4096 Feb 17 11:56 ..
srw-rw---- 1 ossecr ossec 0 Feb 17 12:28 ar
srw-rw---- 1 root ossec 0 Feb 17 12:28 execq
[r...@ossec alerts]# ps auwwwx | grep ossec-analysisd | grep -v grep
ossec 32740 0.1 0.1 7016 1740 ? S 12:28 0:01 /opt/ossec/bin/ossec-analysisd
[r...@ossec alerts]# id ossec
uid=507(ossec) gid=508(ossec) groups=508(ossec)

I found some similar questions through Google, but none seemed to bring me closer to a solution. I assume that firewall rules creation and the like are being done through the ar queue?

Thanks for any pointing in the right direction.

Arie.
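
The symptom in this thread, a socket file that shows up in `ls -la` while connects to it fail with 'Connection refused', is what a unix socket looks like when no process has it bound. The following diagnostic is an added example, not OSSEC code and not part of the original post; it assumes the queue is a datagram unix socket, and `probe_unix_socket` and the temporary path are constructed for illustration.

```python
import errno
import os
import socket
import stat
import tempfile


def probe_unix_socket(path, sock_type=socket.SOCK_DGRAM):
    """Classify a unix socket path by actually connecting to it."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"            # nothing on disk at all
    except PermissionError:
        return "denied"             # cannot traverse the queue directory
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, sock_type)
    try:
        s.connect(path)
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"        # file exists, but no process is bound to it
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"         # mode/ownership blocks this user
        raise
    finally:
        s.close()
    return "listening"


def demo():
    """Reproduce the three states on a constructed path (not the real queue)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ar")            # stand-in for queue/alerts/ar
        results["before"] = probe_unix_socket(path)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        srv.bind(path)                          # a daemon owning the queue
        results["bound"] = probe_unix_socket(path)
        srv.close()                             # daemon gone, file left behind
        results["closed"] = probe_unix_socket(path)
    return results


if __name__ == "__main__":
    print(demo())
```

Run against a real queue path as the user of the connecting daemon, a "refused" result points at the process that should own the socket not running, rather than at file permissions.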
