# ls -l /var/ossec/queue
total 36
drwxr-xr-x   2 ossecr  ossec   512 Oct 18 18:56 agent-info
drwxr-xr-x   2 ossec   ossec   512 Feb 14  2011 agentless
drwxrwx---   2 ossec   ossec   512 Oct 17 10:22 alerts
drwxr-x---  10 ossec   ossec   512 Oct 11 09:53 diff
drwxr-x---   2 ossec   ossec   512 Feb 14  2011 fts
drwxrwx---   2 ossec   ossec   512 Oct 17 10:22 ossec
drwxr-xr-x   2 ossecr  ossec   512 Oct 18 18:55 rids
drwxr-x---   2 ossec   ossec   512 Oct 18 18:57 rootcheck
drwxr-x---   2 ossec   ossec  1024 Oct 19 17:07 syscheck


I'm not sure why a large syscheck would have necessitated destroying
the entire directory. An in-place upgrade (rerun install.sh and let it
upgrade the system) might also work.

Speaking of install.sh (if this is a server):

# USER, USER_REM, GROUP and DIR are set earlier by the installer; in the
# listing above they correspond to ossec, ossecr, ossec and /var/ossec.
# AnalysisD needs to write to alerts: log, mail and cmds
chown -R ${USER}:${GROUP} ${DIR}/queue/alerts
chmod -R 770 ${DIR}/queue/alerts

# To the ossec queue (default for analysisd to read)
chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
chmod -R 770 ${DIR}/queue/ossec

# To the ossec fts queue
chown -R ${USER}:${GROUP} ${DIR}/queue/fts
chmod -R 750 ${DIR}/queue/fts
chmod 750 ${DIR}/queue/fts/* > /dev/null 2>&1

# To the ossec syscheck/rootcheck queue
chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck
chmod -R 750 ${DIR}/queue/syscheck
chmod 740 ${DIR}/queue/syscheck/* > /dev/null 2>&1

chown -R ${USER}:${GROUP} ${DIR}/queue/rootcheck
chmod -R 750 ${DIR}/queue/rootcheck
chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1

chown -R ${USER}:${GROUP} ${DIR}/queue/diff
chmod -R 750 ${DIR}/queue/diff
chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1

chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info
chmod -R 755 ${DIR}/queue/agent-info
chmod 744 ${DIR}/queue/agent-info/* > /dev/null 2>&1
chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids
chmod -R 755 ${DIR}/queue/rids
chmod 744 ${DIR}/queue/rids/* > /dev/null 2>&1

chown -R ${USER}:${GROUP} ${DIR}/queue/agentless
chmod -R 755 ${DIR}/queue/agentless
chmod 744 ${DIR}/queue/agentless/* > /dev/null 2>&1

On Wed, Oct 19, 2011 at 9:32 PM, Kat <[email protected]> wrote:
> Ok, had a minor issue -- turned on syscheck for a huge folder - it
> filled up the disk.  I had to rm -rf /var/ossec/queue
>
> Now I can't restart with the new config since the structure is
> missing.
> Anyone know what the correct structure of the /var/ossec/queue folder
> and subsequent subfolders, ownership, permission etc should be??
>
> thanks
>
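
The layout the reply describes, as an added example that is neither part of the thread nor OSSEC's own installer: a POSIX sh script that rebuilds the queue directories with the modes from the ls -l listing and the install.sh excerpt, and audits an existing tree against that table (assumes GNU stat; ownership is only applied or checked when explicitly requested, since that needs root and the ossec/ossecr accounts).

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC's installer): rebuild a queue
# tree and audit it against the owner/mode table from the ls -l listing and
# the install.sh excerpt above. Assumes GNU stat (-c). Group is always ossec.
# Fields: name:owner:directory-mode:file-mode
QUEUE_TABLE="alerts:ossec:770:770
ossec:ossec:770:770
fts:ossec:750:750
syscheck:ossec:750:740
rootcheck:ossec:750:740
diff:ossec:750:740
agent-info:ossecr:755:744
rids:ossecr:755:744
agentless:ossec:755:744"

# Recreate the directories with the expected modes under $1. Ownership is
# applied only when $2 is "owners", so it can be tried on a scratch dir first.
make_queue() {
    dir=$1; want_owners=${2:-no}
    for entry in $QUEUE_TABLE; do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        mkdir -p "$dir/$1" && chmod "$3" "$dir/$1"
        if [ "$want_owners" = owners ]; then chown "$2:ossec" "$dir/$1"; fi
    done
}
# Audit an existing tree: one line per discrepancy on stderr and the
# discrepancy count on stdout (0 means the layout matches the table).
check_queue() {
    dir=$1; want_owners=${2:-no}; problems=0
    for entry in $QUEUE_TABLE; do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        path="$dir/$1"
        if [ ! -d "$path" ]; then
            echo "missing: $path" >&2; problems=$((problems + 1)); continue
        fi
        if [ "$(stat -c %a "$path")" != "$3" ]; then
            echo "dir mode $(stat -c %a "$path") != $3: $path" >&2; problems=$((problems + 1))
        fi
        for f in "$path"/*; do    # files inside carry the per-file mode
            if [ -f "$f" ] && [ "$(stat -c %a "$f")" != "$4" ]; then
                echo "file mode $(stat -c %a "$f") != $4: $f" >&2; problems=$((problems + 1))
            fi
        done
        if [ "$want_owners" = owners ] && [ "$(stat -c %U:%G "$path")" != "$2:ossec" ]; then
            echo "owner $(stat -c %U:%G "$path") != $2:ossec: $path" >&2; problems=$((problems + 1))
        fi
    done
    echo "$problems"
}
```

Run `make_queue /var/ossec/queue owners` as root on a server to recreate the tree, then `check_queue /var/ossec/queue owners` after the daemons have started to confirm nothing has drifted.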
