Arie,

Do you have SELinux enabled?

Aaron

On Tue, Feb 17, 2009 at 7:38 AM, Arjen van Drie <[email protected]> wrote:
> Hi,
>
> I am trying to get ossec running on CentOS release 5.2, kernel
> 2.6.18-92.1.10.el5xen, a xen guest. I get in my logs
>
> 2009/02/17 12:15:23 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
> not accessible: 'Connection refused'.
> 2009/02/17 12:15:23 ossec-analysisd(1301): ERROR: Unable to connect to
> active response queue.
> 2009/02/17 12:17:43 ossec-analysisd: INFO: Connected to
> '/queue/alerts/execq' (exec queue)
>
> ossec-analysisd should create this socket on startup if it does not exist, I
> think I read from the code. When I strace the running ossec-analysisd daemon
> while I am doing a level 10 alert action (multiple failing ssh logins), it
> does receive from /queue/alerts/execq, so there is a working socket.
>
> [r...@ossec alerts]# pwd
> /opt/ossec/queue/alerts
> [r...@ossec alerts]# ls -la
> total 8
> drwxrwx--- 2 ossec ossec 4096 Feb 17 12:28 .
> dr-xr-x--- 9 root ossec 4096 Feb 17 11:56 ..
> srw-rw---- 1 ossecr ossec 0 Feb 17 12:28 ar
> srw-rw---- 1 root ossec 0 Feb 17 12:28 execq
> [r...@ossec alerts]# ps auwwwx | grep ossec-analysisd | grep -v grep
> ossec 32740 0.1 0.1 7016 1740 ? S 12:28 0:01
> /opt/ossec/bin/ossec-analysisd
> [r...@ossec alerts]# id ossec
> uid=507(ossec) gid=508(ossec) groups=508(ossec)
>
> I found some similar questions through google, but none seemed to bring me
> closer to a solution. I assume that firewall rules creation and the like are
> being done through the ar queue?
>
> Thanks for any pointing in the right direction.
>
> Arie.
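
Added example, not part of the original thread and not OSSEC code: a small probe that classifies a Unix socket path by the error connect() returns, which separates a socket file with no process bound to it ('Connection refused') from a missing path or a permission denial. The function names, the temporary directory and the use of datagram sockets are assumptions made for illustration; the file names execq and ar only mirror the listing above.

```python
import errno
import os
import shutil
import socket
import tempfile


def probe_unix_queue(path, sock_type=socket.SOCK_DGRAM):
    """Classify a Unix socket path by what connect() returns (hypothetical helper)."""
    client = socket.socket(socket.AF_UNIX, sock_type)
    try:
        client.connect(path)
        return "listening"            # a process is bound to this path
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "stale"            # socket file exists, nothing is bound to it
        if exc.errno == errno.ENOENT:
            return "missing"          # no such path
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"           # permission denied on the file or a parent dir
        if exc.errno == errno.EPROTOTYPE:
            return "wrong-type"       # e.g. stream client against a datagram socket
        return errno.errorcode.get(exc.errno, "unknown")
    finally:
        client.close()


def demo():
    """Build a constructed queue directory and probe three paths in it."""
    workdir = tempfile.mkdtemp()
    try:
        # Constructed sample: 'execq' has a live receiver, 'ar' is a leftover file.
        server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        server.bind(os.path.join(workdir, "execq"))
        leftover = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        leftover.bind(os.path.join(workdir, "ar"))
        leftover.close()              # closing does not unlink the socket file
        names = ("execq", "ar", "absent")
        result = {n: probe_unix_queue(os.path.join(workdir, n)) for n in names}
        server.close()
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run as the user the connecting daemon runs as, since the "denied" result depends on the caller's identity.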
