I had configured the ESXi servers to send syslog to another host, for off-host log storage; I ran OSSEC against those syslog files on that server.

I guess if you get it installed on the ESXi box you then get the bonus of file integrity monitoring. Various random "unknown event" messages from 15 ESXi hosts eventually became entirely too much for me to deal with. ESX has a habit of using multiple lines in syslog for one message, which made parsing even more of an issue.

Rick

From: [email protected] [mailto:[email protected]] On Behalf Of Thomas Arseneault
Sent: Friday, February 17, 2012 7:25 PM
To: [email protected]
Subject: RE: [ossec-list] Ossec On Vmware ESXi

I had this problem with other hosts, not ESXi, but it was always a permission problem. I did an install from a pre-built tar file before I created the user. Nuked everything and did the install in the right order (create user/group, then install tar) and it worked just fine.

Hope that helps.

Tom

From: [email protected] [mailto:[email protected]] On Behalf Of Hugo Deprez
Sent: Friday, February 17, 2012 3:38 AM
To: [email protected]
Subject: [ossec-list] Ossec On Vmware ESXi

Dear community,

I was looking on how to monitor my ESXi hosts. I am currently using ESXi version 5.0.

I just installed OSSEC on it; I had to modify the install script. But when I try to start the OSSEC agent I get:

Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
2012/02/17 11:33:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2012/02/17 11:33:38 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2012/02/17 11:33:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2012/02/17 11:34:04 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2012/02/17 11:34:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2012/02/17 11:34:35 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

Anyway, I would like to know how you monitor ESXi hosts with OSSEC. Are you sending ESXi logs to a remote syslog host and then monitoring them?

Regards,

Hugo
