On Wed, Feb 18, 2009 at 8:03 PM, Aaron Bliss <[email protected]> wrote:

> Arie,
> Do you have selinux enabled?
>

No,

In the meantime I solved the issue (I already posted this to the list but
haven't seen it yet). I will add something to the FAQ on the wiki. The problem
was that I had done a server installation and no clients were configured
yet. As soon as I had added the first client the socket was functional.

Thanks for taking the time.

Arie.




>
> Aaron
>
>
> On Tue, Feb 17, 2009 at 7:38 AM, Arjen van Drie <[email protected]> wrote:
>
>> Hi,
>>
>> I am trying to get ossec running on CentOS release 5.2, kernel
>> 2.6.18-92.1.10.el5xen, a xen guest. I get in my logs
>>
>> 2009/02/17 12:15:23 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
>> not accessible: 'Connection refused'.
>> 2009/02/17 12:15:23 ossec-analysisd(1301): ERROR: Unable to connect to
>> active response queue.
>> 2009/02/17 12:17:43 ossec-analysisd: INFO: Connected to
>> '/queue/alerts/execq' (exec queue)
>>
>> ossec-analysisd should create this socket on startup if it does not exist,
>> I think I read from the code. When I strace the running ossec-analysisd
>> daemon while I am doing a level 10 alert action (multiple failing ssh
>> logins), it does receive from /queue/alerts/execq, so there is a working
>> socket.
>>
>> [r...@ossec alerts]# pwd
>> /opt/ossec/queue/alerts
>> [r...@ossec alerts]# ls -la
>> total 8
>> drwxrwx--- 2 ossec  ossec 4096 Feb 17 12:28 .
>> dr-xr-x--- 9 root   ossec 4096 Feb 17 11:56 ..
>> srw-rw---- 1 ossecr ossec 0 Feb 17 12:28 ar
>> srw-rw---- 1 root   ossec 0 Feb 17 12:28 execq
>> [r...@ossec alerts]# ps auwwwx | grep ossec-analysisd | grep -v grep
>> ossec    32740  0.1  0.1   7016  1740 ?        S    12:28   0:01
>> /opt/ossec/bin/ossec-analysisd
>> [r...@ossec alerts]# id ossec
>> uid=507(ossec) gid=508(ossec) groups=508(ossec)
>>
>>
>> I found some similar questions through Google, but none seemed to bring me
>> closer to a solution. I assume that firewall rules creation and the like are
>> being done through the ar queue?
>>
>> Thanks for any pointing in the right direction.
>>
>> Arie.
>>
>>
>>
>
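
An added example, not part of the original thread and not OSSEC's own code: a small Python probe that tells a stale socket file (the path exists but connecting returns 'Connection refused', as in the log above) from one with a live listener. It assumes the queue paths from the listing above and that the queues are datagram sockets, retrying as a stream socket on a type mismatch.

```python
import errno
import os
import socket
import stat

# Queue paths taken from the directory listing in the thread.
QUEUES = ["/opt/ossec/queue/alerts/ar", "/opt/ossec/queue/alerts/execq"]


def probe_unix_socket(path):
    """Return missing, not-a-socket, permission-denied, no-listener,
    listening or unknown-type for a Unix-domain socket path."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "permission-denied"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    # Assumption: the queue is a datagram socket. If the kernel reports a
    # type mismatch (EPROTOTYPE), retry as a stream socket.
    for sock_type in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        with socket.socket(socket.AF_UNIX, sock_type) as s:
            try:
                s.connect(path)
                return "listening"
            except OSError as e:
                if e.errno == errno.EPROTOTYPE:
                    continue
                if e.errno == errno.ECONNREFUSED:
                    # Socket file exists but no process has it bound.
                    return "no-listener"
                if e.errno in (errno.EACCES, errno.EPERM):
                    return "permission-denied"
                raise
    return "unknown-type"


if __name__ == "__main__":
    for q in QUEUES:
        print(f"{q}: {probe_unix_socket(q)}")
```

Run it as root or as a member of the ossec group, since the queue directory in the listing is mode drwxrwx---.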
