This sounds like maybe an SELinux issue. Check /var/log/messages for avc denies related to this. Is it possible SELinux is permissive/disabled on the other servers not these ones?
Ben On Sat, 2009-03-14 at 20:17 -0400, Tim Boyer wrote: > I've got a half-dozen RHEL5.3 systems running OSSEC just fine. And two > RHEL5.3 systems that never will start up at all. > > There's no OSSEC processes running: > > [r...@yamaguchi ~]# ps -ef|grep ossec > root 19348 32346 0 17:55 pts/0 00:00:00 grep ossec > > and nothing in the locks directory: > > [r...@yamaguchi ~]# ls -la /var/ossec/var/run/ > total 16 > drwxrwx--- 2 root ossec 4096 Mar 14 17:53 . > dr-xr-x--- 3 root ossec 4096 Mar 14 17:53 .. > > but while the other systems start up and check in right away, these two seem > to hang forever: > > [r...@yamaguchi ~]# /etc/init.d/ossec start > Starting OSSEC: [ OK ] > [r...@yamaguchi ~]# > > watch tail /var/log/ossec.log > > 009/03/14 17:57:03 ossec-execd: INFO: Started (pid: 19451). > 2009/03/14 17:57:07 ossec-syscheckd: INFO: Started (pid: 19463). > 2009/03/14 17:57:07 ossec-rootcheck: INFO: Started (pid: 19463). > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/me > ssages'. > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/au > th.log'. > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/sn > ort/alert'. > 2009/03/14 17:57:09 ossec-logcollector: INFO: Started (pid: 19459). > 2009/03/14 17:57:23 ossec-logcollector: WARN: Process locked. Waiting for > permis > sion... > 2009/03/14 18:05:46 ossec-syscheckd: INFO: Starting syscheck scan (db). > 2009/03/14 18:05:46 ossec-syscheckd: WARN: Process locked. Waiting for > permissio > n... > > Two hours later, it's still sitting there waiting for permission. > > Pointers in the right direction greatly appreciated... > > > >
