Hi list,
I think ossec could benefit from checking its decoder and rules
consistency before stopping the daemon and failing to start when doing
"/etc/init.d/ossec-hids restart" (using ossec-analysisd?)
Doing so will avoid losing logs while trying to understand what is
wrong with the configuration. You might tell me I should myself use
ossec-logtest before restarting but developers should think users are
stupid ;)
I also realized that the console (std{err,out}) message(s) when failing
to start because of a broken decoder doesn't help, at all:
2012/02/23 11:57:44 ossec-syscheckd(1210): NOTICE: Queue is
'/var/ossec/queue/ossec/queue'.
[...]
2012/02/23 11:58:05 ossec-syscheckd(1210): NOTICE: Queue is
'/var/ossec/queue/ossec/queue'.
2012/02/23 11:58:05 ossec-rootcheck(1211): ERROR: Unable to access
queue: '/var/ossec/queue/ossec/queue'. Giving up..
The correct messages appear in /var/ossec/logs/ossec.log but not on
std{err,out}, ossec-analysisd should probably log to the console too.
2012/02/23 11:57:41 ossec-analysisd: Invalid decoder name: 'unison'.
2012/02/23 11:57:41 ossec-analysisd(1220): ERROR: Error loading the
rules: 'local_rules.xml'.
--
Cheers,
Florian Crouzat
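A restart wrapper that does the check the mail asks for, as an added example that is not part of the original post or of the OSSEC project: it feeds one constructed log line to ossec-logtest, treats a non-zero exit or an "ERROR" line in its output as a broken decoder/rule set, and only then calls the init script, so a bad local_rules.xml leaves the running ossec-analysisd untouched instead of taking it down. It assumes the stock install layout (/var/ossec, /etc/init.d/ossec-hids) and that ossec-logtest exits non-zero and prints an "ERROR:" line when rules fail to load, as in the ossec.log excerpt above; the OSSEC_DIR, LOGTEST and INIT variables are this script's own knobs, not OSSEC settings.

```shell
#!/bin/sh
# safe-restart.sh (added example, not shipped with OSSEC): validate the
# decoders/rules with ossec-logtest before restarting the daemon.
# Assumed paths; override via environment for non-standard installs.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
LOGTEST="${LOGTEST:-$OSSEC_DIR/bin/ossec-logtest}"
INIT="${INIT:-/etc/init.d/ossec-hids}"

# validate_rules: pipe a constructed sample line through ossec-logtest.
# Returns 0 when the rules/decoders loaded cleanly, 1 otherwise, and
# prints logtest's combined stdout/stderr so the real error (e.g.
# "Invalid decoder name", "Error loading the rules") reaches the console.
validate_rules() {
    out=$(printf 'Feb 23 11:57:41 host sshd[1]: constructed sample line\n' \
          | "$LOGTEST" 2>&1)
    status=$?
    if [ "$status" -ne 0 ] || printf '%s\n' "$out" | grep -q 'ERROR'; then
        printf 'Rule/decoder check FAILED (logtest exit %s):\n%s\n' \
               "$status" "$out" >&2
        return 1
    fi
    return 0
}

# safe_restart: refuse to touch the running daemon unless the check passes.
safe_restart() {
    if ! validate_rules; then
        echo "Refusing to restart: the running daemon keeps processing logs." >&2
        echo "Recent entries from $OSSEC_DIR/logs/ossec.log:" >&2
        tail -n 20 "$OSSEC_DIR/logs/ossec.log" 2>/dev/null >&2
        return 1
    fi
    "$INIT" restart
}

# Usage: sh safe-restart.sh run
case "${1:-}" in
    run) safe_restart ;;
esac
```

Because ossec-logtest loads the same decoders and rules as ossec-analysisd, a load failure shows up here before the daemon is stopped; the sample line's content is irrelevant, it only gives logtest something to read so it exits normally on success.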