Hi Matthew,

Thanks for the detailed report. It makes it much easier for us to understand when you give all that information.
It seems that syscheck can't write to the /var/ossec/queue/ossec/queue file. Can you check if this file exists in there? Also, are you getting any event at all from this agent? If you are, it means that logcollector is able to write to this file.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 30, 2010 at 2:51 AM, Murphy, Matthew <[email protected]> wrote:
> I am having major problems getting ossec-hids-2.3 agent installs working on
> our HP/UX servers. I'm getting the following errors in
> /var/ossec/log/ossec.log when I attempt to bring up the agent.
>
> When I start the agent processes, this entry for the client goes to active
> on the server, but then syscheck gets the socket busy errors and the client
> goes back to disconnected.
>
> Gcc was used to compile the agent, and active response is disabled.
>
> I am having a tough time with this; any help would be much appreciated.
>
> [r...@mcsgrd02:/root]# /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v2.4 (by Trend Micro Inc.)...
> Started ossec-execd...
> Started ossec-agentd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Completed.
> [r...@mcsgrd02:/root]# cd /var/ossec/logs
> [r...@mcsgrd02:/var/ossec/logs]# ls
> ossec.log
> [r...@mcsgrd02:/var/ossec/logs]# tail -f ossec.log
> 2010/03/29 22:29:08 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2010/03/29 22:29:08 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/03/29 22:29:08 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/03/29 22:29:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog'.
> 2010/03/29 22:29:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/messages'.
> 2010/03/29 22:29:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
> 2010/03/29 22:29:10 ossec-logcollector: INFO: Started (pid: 16458).
> 2010/03/29 21:29:10 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
> 2010/03/29 21:29:25 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
> 2010/03/29 21:29:25 ossec-agentd(4102): INFO: Connected to the server (10.133.117.243:1514).
> 2010/03/29 22:29:40 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/03/29 22:33:58 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/03/29 22:35:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2010/03/29 22:36:25 ossec-syscheckd: socket busy ..
> 2010/03/29 22:36:35 ossec-syscheckd: socket busy ..
> 2010/03/29 22:36:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 22:36:44 ossec-syscheckd: socket busy ..
> 2010/03/29 22:36:54 ossec-syscheckd: socket busy ..
> 2010/03/29 22:36:54 ossec-syscheckd: socketerr (not available).
> 2010/03/29 22:36:54 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 22:37:03 ossec-syscheckd: socket busy ..
> 2010/03/29 22:37:13 ossec-syscheckd: socket busy ..
> 2010/03/29 22:37:13 ossec-syscheckd: socketerr (not available).
> 2010/03/29 22:37:13 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 22:37:22 ossec-syscheckd: socket busy ..
> 2010/03/29 22:37:32 ossec-syscheckd: socket busy ..
> 2010/03/29 22:37:34 ossec-syscheckd: socketerr (not available).
> 2010/03/29 22:37:34 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>
> Below is my Server configuration info:
>
> [r...@prdupmc003 ~]# /var/ossec/bin/ossec-analysisd -V
>
> OSSEC HIDS v2.3 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 3) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> [r...@prdupmc003 ~]# cat /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v2.3"
> DATE="Mon Mar 29 22:16:29 PDT 2010"
> TYPE="server"
> [r...@prdupmc003 ~]#
>
> [r...@prdupmc003 ~]# cat /var/ossec/etc/ossec.conf
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>r...@localhost</email_to>
>     <smtp_server>127.0.0.1</smtp_server>
>     <email_from>oss...@prdupmc003</email_from>
>   </global>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <remote>
>     <connection>syslog</connection>
>   </remote>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/error_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/access_log</location>
>   </localfile>
> </ossec_config>
>
> <ossec_config> <!-- rules global entry -->
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>symantec-ws_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>roundcube_rules.xml</include>
>     <include>wordpress_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>vmpop3d_rules.xml</include>
>     <include>courier_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>nginx_rules.xml</include>
>     <include>php_rules.xml</include>
>     <include>mysql_rules.xml</include>
>     <include>postgresql_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>cisco-ios_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>sonicwall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>dovecot_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>mcafee_av_rules.xml</include>
>     <include>trend-osce_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>zeus_rules.xml</include>
>     <include>solaris_bsm_rules.xml</include>
>     <include>vmware_rules.xml</include>
>     <include>ms_dhcp_rules.xml</include>
>     <include>asterisk_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
> </ossec_config> <!-- rules global entry -->
> [r...@prdupmc003 ~]#
>
> [r...@prdupmc003 logs]# tail -100 ossec.log
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps19: '1:2943'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps20: '0:9157'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps21: '0:9039'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps22: '0:8876'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps23: '0:8599'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps24: '0:8943'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps25: '1:1487'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps26: '0:8914'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps27: '0:8920'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps28: '0:8995'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps29: '0:8924'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps30: '0:8852'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps31: '0:8872'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps32: '0:8814'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps33: '0:8869'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps34: '0:8901'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps35: '0:9818'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proeps36: '0:9899'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp017: '3:2016'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp018: '3:2009'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp019: '2:1375'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp020: '3:2351'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp021: '3:2414'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp022: '3:2042'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp023: '3:2087'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp024: '3:1214'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp025: '3:2080'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp026: '1:9099'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp027: '3:564'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp028: '3:1954'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp029: '3:1813'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp030: '3:1757'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp031: '3:1685'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp032: '3:4817'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp033: '3:2622'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp034: '3:2626'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp035: '3:3144'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp036: '3:2966'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp037: '3:3571'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp038: '3:764'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp039: '3:3651'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp040: '3:2484'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp041: '3:2244'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp042: '3:1833'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp043: '3:821'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp044: '3:2259'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp045: '3:2276'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp046: '3:2321'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp047: '3:2576'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp048: '3:2157'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp049: '3:1386'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp050: '3:976'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp051: '3:4429'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp052: '3:4906'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp053: '3:3569'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp054: '3:887'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp055: '3:630'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesp056: '3:560'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib002: '2:8021'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib003: '2:8266'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib004: '2:7465'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib005: '2:7822'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib006: '2:7864'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib007: '1:6930'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib008: '2:7918'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib009: '2:8265'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib010: '2:8212'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib011: '2:7787'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib012: '2:8085'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib013: '2:7972'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib014: '2:8285'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib015: '1:6788'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prtib016: '2:7232'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent procen01: '0:16'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent proesa05: '0:8965'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent probdc01: '1:1669'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent probdc02: '0:7655'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: No previous counter available for 'prodbc01'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent prodbc01: '0:0'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: No previous counter available for 'mcsgrd02'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for agent mcsgrd02: '0:0'.
> 2010/03/29 22:16:30 ossec-remoted: INFO: Assigning sender counter: 13:953
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Started (pid: 31846).
> 2010/03/29 22:16:33 ossec-rootcheck: INFO: Started (pid: 31846).
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/03/29 22:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/03/29 22:16:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2010/03/29 22:16:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2010/03/29 22:16:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2010/03/29 22:16:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
> 2010/03/29 22:16:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
> 2010/03/29 22:16:35 ossec-logcollector: INFO: Started (pid: 31834).
> 2010/03/29 22:17:05 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/03/29 22:20:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/03/29 22:22:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2010/03/29 22:32:46 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2010/03/29 22:33:06 ossec-rootcheck: INFO: Starting rootcheck scan.
> [r...@prdupmc003 logs]#
>
> [r...@prdupmc003 logs]# uname -a
> Linux prdupmc003 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:53:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
> [r...@prdupmc003 logs]#
>
> And Client/Agent config:
>
> [r...@mcsgrd02:/var/ossec/bin]# cat /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="2.4-SNP-100326"
> DATE="Mon Mar 29 17:10:05 PDT 2010"
> TYPE="agent"
> [r...@mcsgrd02:/var/ossec/bin]#
>
> [r...@mcsgrd02:/var/ossec/bin]# cat /var/ossec/etc/ossec.conf
> <ossec_config>
>   <client>
>     <server-ip>10.133.117.243</server-ip>
>   </client>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/syslog/syslog.log</location>
>   </localfile>
> </ossec_config>
> [r...@mcsgrd02:/var/ossec/bin]#
>
> # cat ossec.log
> 2010/03/29 17:21:00 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 17:21:10 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:20 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:20 ossec-syscheckd: socketerr (not available).
> 2010/03/29 17:21:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 17:21:29 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:39 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:39 ossec-syscheckd: socketerr (not available).
> 2010/03/29 17:21:39 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 17:21:48 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:58 ossec-syscheckd: socket busy ..
> 2010/03/29 17:21:58 ossec-syscheckd: socketerr (not available).
> 2010/03/29 17:21:58 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2010/03/29 17:22:07 ossec-syscheckd: socket busy ..
> 2010/03/29 17:22:17 ossec-syscheckd: socket busy ..
> 2010/03/29 17:22:17 ossec-syscheckd: socketerr (not available).
> 2010/03/29 17:22:17 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>
> [r...@mcsgrd02:/var/ossec/logs]# uname -a
> HP-UX mcsgrd02 B.11.11 U 9000/800 2221170519 unlimited-user license
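An added example, not OSSEC code and not from either poster, that automates the check the reply asks for: it tallies the syscheckd "socket busy" / "socketerr" / error 1224 pattern from an ossec.log excerpt and verifies that the agent queue path (/var/ossec/queue/ossec/queue, named in the reply) exists as a UNIX socket the agent daemons can write to. The sample log lines are copied from the report above; the function names and the temp-socket demo are my own.

```python
"""Added triage helper (not OSSEC code) for the queue failure in this thread:
tally syscheckd's 'socket busy' / 'socketerr' / error 1224 lines from ossec.log
and check that the agent queue path is a writable UNIX socket, as the reply asks."""
import os, re, socket, stat, tempfile
from collections import Counter

AGENT_QUEUE = "/var/ossec/queue/ossec/queue"  # path named in the reply above

# Constructed sample: lines copied from the agent log excerpt in the report.
SAMPLE_LOG = """\
2010/03/29 22:29:10 ossec-logcollector: INFO: Started (pid: 16458).
2010/03/29 21:29:10 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2010/03/29 22:36:25 ossec-syscheckd: socket busy ..
2010/03/29 22:36:35 ossec-syscheckd: socket busy ..
2010/03/29 22:36:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2010/03/29 22:36:44 ossec-syscheckd: socket busy ..
2010/03/29 22:36:54 ossec-syscheckd: socket busy ..
2010/03/29 22:36:54 ossec-syscheckd: socketerr (not available).
2010/03/29 22:36:54 ossec-syscheckd(1224): ERROR: Error sending message to queue.
"""

# "<date> <time> <daemon>[(code)]: <message>", the ossec.log line layout.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(ossec-[a-z]+)(?:\((\d+)\))?: (.*)$")


def parse_log(text):
    """Yield (timestamp, daemon, code, message); unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def queue_failures(text):
    """Per daemon, count the three symptoms of an unreachable local queue:
    'socket busy' is a retry, 'socketerr' the give-up, code 1224 the dropped
    message. A steady stream of all three means the sender never reaches the
    queue socket at all, not that the queue is merely slow."""
    counts = {}
    for _ts, daemon, code, msg in parse_log(text):
        if msg.startswith("socket busy"):
            key = "busy"
        elif msg.startswith("socketerr"):
            key = "socketerr"
        elif code == "1224":
            key = "send_error"
        else:
            continue
        counts.setdefault(daemon, Counter())[key] += 1
    return counts


def check_queue_socket(path=AGENT_QUEUE):
    """Classify the queue path: 'missing', 'not-a-socket', 'not-writable' or 'ok'."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if not os.access(path, os.W_OK):
        return "not-writable"
    return "ok"


def demo_temp_socket():
    """Bind a throwaway datagram socket to show the 'ok' verdict on a healthy queue."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "queue")
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(path)
        try:
            return check_queue_socket(path)
        finally:
            sock.close()
```

Run `check_queue_socket()` as the user the agent daemons run as, since `os.access` answers for the caller; a "missing" or "not-a-socket" verdict on the real path is the condition the reply suspects.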
