Why don't you enable some rules and try again?

On Jun 13, 2012 6:04 PM, "hongbin" <[email protected]> wrote:
> Hi Dan.
> Thanks for your reply. I ran those commands and below is the snapshot of
> the logs. I saw there are still several socket errors.
>
> 2012/06/13 21:45:32 ossec-testrule: INFO: Reading local decoder file.
> 2012/06/13 21:45:48 ossec-analysisd: DEBUG: Starting ...
> 2012/06/13 21:45:48 ossec-analysisd: DEBUG: Found user/group ...
> 2012/06/13 21:45:48 ossec-analysisd: DEBUG: Active response initialized ...
> 2012/06/13 21:45:48 ossec-analysisd: DEBUG: Read configuration ...
> 2012/06/13 21:45:48 ReadDecoderXML File = /etc/decoder.xml
> 2012/06/13 21:45:48 ossec-analysisd: Initializing PF decoder..
> 2012/06/13 21:45:48 ossec-analysisd: Initializing SonicWall decoder..
> 2012/06/13 21:45:48 ossec-analysisd: Initializing SymantecWS decoder..
> 2012/06/13 21:45:48 ossec-analysisd: Initializing OSSECAlert decoder.
> 2012/06/13 21:45:48 ReadDecoderXML File = /etc/local_decoder.xml
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Reading local decoder file.
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Total rules enabled: '0'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2012/06/13 21:45:48 ossec-analysisd: INFO: Chrooted to directory: /var/ossec, using user: ossec
> *2012/06/13 21:46:10 ossec-logcollector: socketerr (not available).*
> *2012/06/13 21:48:20 ossec-logcollector: socketerr (not available).*
> *2012/06/13 21:50:30 ossec-logcollector: socketerr (not available).*
> *2012/06/13 21:52:40 ossec-logcollector: socketerr (not available).*
>
> On Wednesday, June 13, 2012 1:33:36 PM UTC-7, dan (ddpbsd) wrote:
>>
>> /var/ossec/bin/ossec-logtest -t
>> /var/ossec/bin/ossec-analysisd -d
>>
>> On Wed, Jun 13, 2012 at 4:31 PM, hongbin <[email protected]> wrote:
>> > Hi.
>> > I checked the log after installing ossec server. It showed the following
>> > error and the alerting. It seems that the agentless monitoring service
>> > didn't work because of that. Does anyone have any idea? Thanks.
>> >
>> > 2012/06/13 20:09:11 ossec-analysisd: INFO: Started (pid: 9034).
>> > 2012/06/13 20:09:11 ossec-remoted: INFO: Started (pid: 9042).
>> > 2012/06/13 20:09:11 ossec-monitord: INFO: Started (pid: 9049).
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Started (pid: 9046).
>> > 2012/06/13 20:09:15 ossec-rootcheck: INFO: Started (pid: 9046).
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2012/06/13 20:09:15 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
>> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
>> > 2012/06/13 20:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
>> > 2012/06/13 20:09:17 ossec-logcollector: INFO: Started (pid: 9038).
>> > 2012/06/13 20:09:21 ossec-analysisd: Rules in an inconsistent state. Exiting.
>> > 2012/06/13 20:10:17 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> > 2012/06/13 20:10:17 ossec-syscheckd: socketerr (not available).
>> > 2012/06/13 20:10:17 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>> > 2012/06/13 20:10:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2012/06/13 20:10:20 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> >
>>
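The logs in this thread show one chain of events: analysisd reports "Total rules enabled: '0'", exits with "Rules in an inconsistent state", and every later socketerr from logcollector and syscheckd is that exit seen from the other daemons. Below is an added example (not code from the thread or from the OSSEC project) that parses ossec.log lines in the format shown above and correlates those signatures into a root cause; the sample log is constructed from the posted lines, and the signature strings are assumed to be stable across the OSSEC versions in use.

```python
import re
# One ossec.log line: "<date> <time> <daemon>[(code)]: [LEVEL: ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|DEBUG|WARN|ERROR): )?(?P<msg>.*)$"
)
# Messages that, seen together, make up the failure chain in the thread.
SIGNATURES = {
    "no_rules": re.compile(r"Total rules enabled: '0'"),
    "analysisd_exit": re.compile(r"Rules in an inconsistent state"),
    "socketerr": re.compile(r"socketerr \(not available\)"),
    "queue_refused": re.compile(r"Queue '[^']+' not accessible"),
}
# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = [
    "2012/06/13 20:09:11 ossec-analysisd: INFO: Total rules enabled: '0'",
    "2012/06/13 20:09:11 ReadDecoderXML File = /etc/decoder.xml",
    "2012/06/13 20:09:21 ossec-analysisd: Rules in an inconsistent state. Exiting.",
    "2012/06/13 20:10:17 ossec-syscheckd: socketerr (not available).",
    "2012/06/13 20:10:20 ossec-syscheckd(1210): ERROR: Queue "
    "'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.",
    "2012/06/13 20:12:30 ossec-logcollector: socketerr (not available).",
]
def parse_line(line):
    # Fields of one log line, or None for lines without a "daemon:" prefix.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    # Count signature hits, list daemons cut off from the queue, name the root cause.
    hits = {name: 0 for name in SIGNATURES}
    affected = set()
    for rec in filter(None, map(parse_line, lines)):
        for name, pat in SIGNATURES.items():
            if pat.search(rec["msg"]):
                hits[name] += 1
                if name in ("socketerr", "queue_refused"):
                    affected.add(rec["daemon"])
    # ossec-analysisd creates the queue socket the other daemons write to, so its exit explains every later socketerr.
    if hits["no_rules"] or hits["analysisd_exit"]:
        cause = ("ossec-analysisd loaded no rules and exited, so the queue socket was never "
                 "created; enable rules in ossec.conf, restart, then recheck "
                 + (", ".join(sorted(affected)) or "the other daemons"))
    elif affected:
        cause = "queue socket unavailable without a rule error; is ossec-analysisd running?"
    else:
        cause = "no failure signature found"
    return {"hits": hits, "affected": sorted(affected), "cause": cause}
```

Feed it the output of `ossec-logtest -t` together with /var/ossec/logs/ossec.log and the socketerr lines are attributed to the analysisd exit rather than chased as separate socket problems.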
