I've been avoiding SELinux like the plague - it's permissive on this one, too:
[r...@yamaguchi ~]# getenforce Permissive -- tim -- > > This sounds like maybe an SELinux issue. Check /var/log/messages for > avc denies related to this. Is it possible SELinux is > permissive/disabled on the other servers not these ones? > > Ben > > On Sat, 2009-03-14 at 20:17 -0400, Tim Boyer wrote: > > I've got a half-dozen RHEL5.3 systems running OSSEC just > fine. And two > > RHEL5.3 systems that never will start up at all. > > > > There's no OSSEC processes running: > > > > [r...@yamaguchi ~]# ps -ef|grep ossec > > root 19348 32346 0 17:55 pts/0 00:00:00 grep ossec > > > > and nothing in the locks directory: > > > > [r...@yamaguchi ~]# ls -la /var/ossec/var/run/ > > total 16 > > drwxrwx--- 2 root ossec 4096 Mar 14 17:53 . > > dr-xr-x--- 3 root ossec 4096 Mar 14 17:53 .. > > > > but while the other systems start up and check in right > away, these two seem > > to hang forever: > > > > [r...@yamaguchi ~]# /etc/init.d/ossec start > > Starting OSSEC: [ OK ] > > [r...@yamaguchi ~]# > > > > watch tail /var/log/ossec.log > > > > 009/03/14 17:57:03 ossec-execd: INFO: Started (pid: 19451). > > 2009/03/14 17:57:07 ossec-syscheckd: INFO: Started (pid: 19463). > > 2009/03/14 17:57:07 ossec-rootcheck: INFO: Started (pid: 19463). > > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/me > > ssages'. > > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/au > > th.log'. > > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/sn > > ort/alert'. > > 2009/03/14 17:57:09 ossec-logcollector: INFO: Started (pid: 19459). > > 2009/03/14 17:57:23 ossec-logcollector: WARN: Process > locked. Waiting for > > permis > > sion... > > 2009/03/14 18:05:46 ossec-syscheckd: INFO: Starting > syscheck scan (db). > > 2009/03/14 18:05:46 ossec-syscheckd: WARN: Process locked. > Waiting for > > permissio > > n... > > > > Two hours later, it's still sitting there waiting for permission. > > > > Pointers in the right direction greatly appreciated... > > > > > > > >
