Hi Dan. Thanks for your reply. I ran those commands and below is the snapshot of the logs. I saw there are still several socket errors.

2012/06/13 21:45:32 ossec-testrule: INFO: Reading local decoder file.
2012/06/13 21:45:48 ossec-analysisd: DEBUG: Starting ...
2012/06/13 21:45:48 ossec-analysisd: DEBUG: Found user/group ...
2012/06/13 21:45:48 ossec-analysisd: DEBUG: Active response initialized ...
2012/06/13 21:45:48 ossec-analysisd: DEBUG: Read configuration ...
2012/06/13 21:45:48 ReadDecoderXML File = /etc/decoder.xml
2012/06/13 21:45:48 ossec-analysisd: Initializing PF decoder..
2012/06/13 21:45:48 ossec-analysisd: Initializing SonicWall decoder..
2012/06/13 21:45:48 ossec-analysisd: Initializing SymantecWS decoder..
2012/06/13 21:45:48 ossec-analysisd: Initializing OSSECAlert decoder.
2012/06/13 21:45:48 ReadDecoderXML File = /etc/local_decoder.xml
2012/06/13 21:45:48 ossec-analysisd: INFO: Reading local decoder file.
2012/06/13 21:45:48 ossec-analysisd: INFO: Total rules enabled: '0'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2012/06/13 21:45:48 ossec-analysisd: INFO: Chrooted to directory: /var/ossec, using user: ossec
*2012/06/13 21:46:10 ossec-logcollector: socketerr (not available).*
*2012/06/13 21:48:20 ossec-logcollector: socketerr (not available).*
*2012/06/13 21:50:30 ossec-logcollector: socketerr (not available).*
*2012/06/13 21:52:40 ossec-logcollector: socketerr (not available).*

On Wednesday, June 13, 2012 1:33:36 PM UTC-7, dan (ddpbsd) wrote:
>
> /var/ossec/bin/ossec-logtest -t
> /var/ossec/bin/ossec-analysisd -d
>
> On Wed, Jun 13, 2012 at 4:31 PM, hongbin <[email protected]> wrote:
> > Hi.
> > I checked the log after installing ossec server. It showed the following
> > error and the altering. It seems that the agentless monitoring service
> > didn't work because of that. Does anyone have any idea? Thanks.
> >
> > 2012/06/13 20:09:11 ossec-analysisd: INFO: Started (pid: 9034).
> > 2012/06/13 20:09:11 ossec-remoted: INFO: Started (pid: 9042).
> > 2012/06/13 20:09:11 ossec-monitord: INFO: Started (pid: 9049).
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Started (pid: 9046).
> > 2012/06/13 20:09:15 ossec-rootcheck: INFO: Started (pid: 9046).
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
> > 2012/06/13 20:09:17 ossec-logcollector: INFO: Started (pid: 9038).
> > 2012/06/13 20:09:21 ossec-analysisd: Rules in an inconsistent state. Exiting.
> > 2012/06/13 20:10:17 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2012/06/13 20:10:17 ossec-syscheckd: socketerr (not available).
> > 2012/06/13 20:10:17 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> > 2012/06/13 20:10:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2012/06/13 20:10:20 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >
>
