Shots in the dark (that may have been covered already...): Have you tried removing the agent via manage_agents, and recreating it (making sure there are no duplicate IP/agent names)? Have you tried reinstalling ossec on the agent?
HP-UX is one of those funny systems. Not a lot of people have extensive experience with it (wow, I haven't touched it in a decade... Feeling old now.), and even fewer have a "play" system to test on.

On Thu, Apr 1, 2010 at 3:35 PM, Murphy, Matthew <[email protected]> wrote:
> Hi Daniel,
>
> Yes the /var/ossec/queue/ossec/queue file does exist. Below is a long
> listing of that directory showing the socket file.
>
> [r...@mcsgrd02:/var/ossec/queue/ossec]# ls -la
> total 2
> drwxrwx--- 2 ossec ossec 96 Apr 1 11:51 .
> dr-xr-x--- 6 root ossec 96 Apr 1 11:40 ..
> -rw-r----- 1 ossec ossec 15 Apr 1 11:51 .agent_info
> srw-rw---- 1 ossec ossec 0 Apr 1 11:51 queue
>
> -----------------------------------------------------------------------------------------------------------
>
> I don't believe any events are being logged for this server. Not sure what
> constitutes an event. Below are the entries in the log files on my ossec
> server.
>
> [r...@prdupmc003 logs]# grep mcsgrd02 *
> ossec.log:2010/03/29 16:07:21 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/03/29 16:07:21 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
> ossec.log:2010/03/29 16:49:31 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/03/29 16:49:31 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
> ossec.log:2010/03/29 17:10:51 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/03/29 17:10:51 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
> ossec.log:2010/03/29 22:16:30 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/03/29 22:16:30 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
> ossec.log:2010/03/30 20:32:10 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/03/30 20:32:10 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
> ossec.log:2010/04/01 11:51:09 ossec-remoted: INFO: No previous counter
> available for 'mcsgrd02'.
> ossec.log:2010/04/01 11:51:09 ossec-remoted: INFO: Assigning counter for
> agent mcsgrd02: '0:0'.
>
> [r...@prdupmc003 alerts]# grep mcsgrd02 *
> alerts.log:2010 Apr 01 11:51:52 (mcsgrd02) 10.1.108.52->ossec
> alerts.log:ossec: Agent started: 'mcsgrd02->10.1.108.52'.
>
> ---------------------------------------------------------------------------------------------------------
>
> I did notice an error during the compile, at first I didn't think it meant
> much, but maybe it does. It seems to be unable to determine the system type
> so no startup scripts are added to the boot process. Below is the error I saw.
>
> - Unknown system. No init script added.
>
> - Configuration finished properly.
>
> - To start OSSEC HIDS:
> /var/ossec/bin/ossec-control start
>
> - To stop OSSEC HIDS:
> /var/ossec/bin/ossec-control stop
>
> - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
>
> Thanks for using the OSSEC HIDS.
> If you have any question, suggestion or if you find any bug,
> contact us at [email protected] or using our public maillist at
> [email protected]
> ( http://www.ossec.net/main/support/ ).
>
> More information can be found at http://www.ossec.net
>
> --- Press ENTER to finish (maybe more information below). ---
>
> - You first need to add this agent to the server so they
> can communicate with each other. When you have done so,
> you can run the 'manage_agents' tool to import the
> authentication key from the server.
>
> /var/ossec/bin/manage_agents
>
> More information at:
> http://www.ossec.net/en/manual.html#ma
>
> - No action was made to configure the OSSEC HIDS to start
> during the boot. Add the following line to your init script:
>
> /var/ossec/bin/ossec-control start
