Hi Tim,

Were these systems installed as agents or "local" types? Generally you get this "locked" warning when analysisd (or ossec-agentd on the agent) cannot be accessed. Can you see if they are running and maybe try restarting it all?

If that still doesn't work, please share your config, version of ossec and full log dumps (generally a cat /var/ossec/logs/ossec.log | grep -E "ERROR|WARN" should be enough).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sun, Mar 15, 2009 at 11:35 AM, Tim Boyer <[email protected]> wrote:
>
> I've been avoiding SELinux like the plague - it's permissive on this one,
> too:
>
> [r...@yamaguchi ~]# getenforce
> Permissive
>
> -- tim --
>
>>
>> This sounds like maybe an SELinux issue. Check /var/log/messages for
>> avc denies related to this. Is it possible SELinux is
>> permissive/disabled on the other servers not these ones?
>>
>> Ben
>>
>> On Sat, 2009-03-14 at 20:17 -0400, Tim Boyer wrote:
>> > I've got a half-dozen RHEL5.3 systems running OSSEC just fine. And two
>> > RHEL5.3 systems that never will start up at all.
>> >
>> > There are no OSSEC processes running:
>> >
>> > [r...@yamaguchi ~]# ps -ef|grep ossec
>> > root 19348 32346 0 17:55 pts/0 00:00:00 grep ossec
>> >
>> > and nothing in the locks directory:
>> >
>> > [r...@yamaguchi ~]# ls -la /var/ossec/var/run/
>> > total 16
>> > drwxrwx--- 2 root ossec 4096 Mar 14 17:53 .
>> > dr-xr-x--- 3 root ossec 4096 Mar 14 17:53 ..
>> >
>> > but while the other systems start up and check in right away, these two seem
>> > to hang forever:
>> >
>> > [r...@yamaguchi ~]# /etc/init.d/ossec start
>> > Starting OSSEC: [ OK ]
>> > [r...@yamaguchi ~]#
>> >
>> > watch tail /var/log/ossec.log
>> >
>> > 009/03/14 17:57:03 ossec-execd: INFO: Started (pid: 19451).
>> > 2009/03/14 17:57:07 ossec-syscheckd: INFO: Started (pid: 19463).
>> > 2009/03/14 17:57:07 ossec-rootcheck: INFO: Started (pid: 19463).
>> > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file:
>> > '/var/log/me
>> > ssages'.
>> > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file:
>> > '/var/log/au
>> > th.log'.
>> > 2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file:
>> > '/var/log/sn
>> > ort/alert'.
>> > 2009/03/14 17:57:09 ossec-logcollector: INFO: Started (pid: 19459).
>> > 2009/03/14 17:57:23 ossec-logcollector: WARN: Process locked. Waiting for
>> > permis
>> > sion...
>> > 2009/03/14 18:05:46 ossec-syscheckd: INFO: Starting syscheck scan (db).
>> > 2009/03/14 18:05:46 ossec-syscheckd: WARN: Process locked. Waiting for
>> > permissio
>> > n...
>> >
>> > Two hours later, it's still sitting there waiting for permission.
>> >
>> > Pointers in the right direction greatly appreciated...
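
Added example, not part of the original thread: a shell function that triages an ossec.log for the condition described in the reply, listing each daemon that logged "Process locked" and checking whether ossec-analysisd or ossec-agentd ever logged a start. The function names and the sample lines (taken from the log excerpt in the thread, with terminal wrapping undone) are constructed for illustration, and it assumes analysisd/agentd log "Started (pid: N)" in the same format as the other daemons.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: ossec-analysisd and
# ossec-agentd log "INFO: Started (pid: N)." like the daemons shown above.

# Constructed sample: lines from the thread's excerpt, terminal wrapping undone.
sample_log() {
    cat <<'EOF'
2009/03/14 17:57:07 ossec-syscheckd: INFO: Started (pid: 19463).
2009/03/14 17:57:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2009/03/14 17:57:09 ossec-logcollector: INFO: Started (pid: 19459).
2009/03/14 17:57:23 ossec-logcollector: WARN: Process locked. Waiting for permission...
2009/03/14 18:05:46 ossec-syscheckd: INFO: Starting syscheck scan (db).
2009/03/14 18:05:46 ossec-syscheckd: WARN: Process locked. Waiting for permission...
EOF
}

# Reads an ossec.log on stdin. Prints one "locked ..." line per daemon that
# reported "Process locked", then whether analysisd/agentd ever started.
ossec_lock_triage() {
    awk '
    {
        # Field 3 is the daemon tag, e.g. "ossec-logcollector(1950):".
        name = $3
        sub(/(\([0-9]+\))?:$/, "", name)
    }
    / INFO: Started \(pid: / { started[name] = 1 }
    / WARN: Process locked/ {
        # Remember the first warning per daemon and keep report order stable.
        if (!(name in first)) { first[name] = $1 " " $2; order[++n] = name }
        count[name]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "locked %s first=%s count=%d\n", order[i], first[order[i]], count[order[i]]
        if (("ossec-analysisd" in started) || ("ossec-agentd" in started))
            print "analysisd/agentd started"
        else
            print "analysisd/agentd never started"
    }'
}

sample_log | ossec_lock_triage
```

On a live host, feed it the real file instead of the sample: `ossec_lock_triage < /var/ossec/logs/ossec.log`.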
