Dan, sorry:

1. "step 1.5: are you using linux? If so, are you using selinux? If so, have you checked those logs to make sure it's not blocking access?"

Yes, I'm using Linux - CentOS. Where do I see about selinux and logs? (I'm new to Linux)

2. "Perhaps it's corrupted. Clear it out and restart the OSSEC processes."

I cleared the logs and restarted the OSSEC processes. In /var/ossec/logs/ossec.log I now have the following:

2012/07/24 10:50:20 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 10:50:26 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:01:48 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/07/24 12:05:59 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/07/24 12:33:06 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:33:12 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:33:16 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:33:21 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 12:33:27 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 13:55:59 ossec-syscheckd: INFO: Starting syscheck scan.
2012/07/24 14:04:13 ossec-syscheckd: INFO: Ending syscheck scan.
2012/07/24 14:16:27 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 14:16:33 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 14:16:37 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 14:16:42 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 14:16:48 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 16:00:08 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 16:00:14 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 16:00:18 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 16:00:23 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.
2012/07/24 16:00:29 ossec-remoted(1213): WARN: Message from 10.14.252.17 not allowed.

Best regards,
Anton Kashirin

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, July 24, 2012 4:11 PM
To: [email protected]
Subject: Re: [ossec-list] Permission denied in /var/www/html/lib/os_lib_syscheck.php

On Tue, Jul 24, 2012 at 7:08 AM, Kashirin, Anton <[email protected]> wrote:
> Ok. But I still receive the following notification every 1-2 minutes:
>

Ok what? What have you done? Why haven't you answered the questions I asked? You're asking for help, but not accepting it. Many of us have better things to do than try to force you to accept help.

> OSSEC HIDS Notification.
> 2012 Jul 24 12:17:11
>
> Received From: SRVAP280->/var/log/httpd/error_log
> Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
> Portion of the log(s):
>
> [Tue Jul 24 12:17:10 2012] [error] [client 10.14.64.18] PHP Warning: fopen(/var/ossec/queue/syscheck/(SRV008) 10.12.198.133->syscheck-registry): failed to open stream: Permission denied in /var/www/html/lib/os_lib_syscheck.php on line 165, referer: http://srvap280.rccf.ru/index.php
>
> --END OF NOTIFICATION
>
> Information for Tshoot:
>
> [root@SRVAP280 syscheck]# uname -a
> Linux SRVAP280.rccf.ru 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686 i686 i386 GNU/Linux
>
> [root@SRVAP280 ossec]# ll
> total 40
> dr-xr-x---. 3 root ossec 4096 Jul 9 18:05 active-response
> dr-xr-x---. 2 root ossec 4096 Jul 9 18:05 agentless
> dr-xr-x---. 2 root ossec 4096 Jul 9 18:05 bin
> dr-xr-x---. 3 root ossec 4096 Jul 13 11:25 etc
> drwxr-x---. 5 ossec ossec 4096 Jul 9 18:05 logs
> drwxrwx---. 11 root ossec 4096 Jul 9 18:05 queue
> dr-xr-x---. 3 root ossec 4096 Jul 9 18:05 rules
> drwxr-x---. 5 ossec ossec 4096 Jul 9 18:09 stats
> dr-xr-x---. 2 root ossec 4096 Jul 9 18:05 tmp
> dr-xr-x---. 3 root ossec 4096 Jul 23 15:43 var
>
> [root@SRVAP280 queue]# ll
> total 36
> drwxr-xr-x. 2 ossecr ossec 4096 Jul 13 12:30 agent-info
> drwxr-xr-x. 2 ossec ossec 4096 Jul 9 18:05 agentless
> drwxrwx---. 2 ossec ossec 4096 Jul 23 15:43 alerts
> drwxr-x---. 2 ossec ossec 4096 Jul 9 18:05 diff
> drwxr-x---. 2 ossec ossec 4096 Jul 9 18:09 fts
> drwxrwx---. 2 ossec ossec 4096 Jul 23 15:43 ossec
> drwxr-xr-x. 2 ossecr ossec 4096 Jul 13 12:30 rids
> drwxr-x---. 2 ossec ossec 4096 Jul 13 12:31 rootcheck
> drwxrwxrwx. 2 ossec ossec 4096 Jul 24 14:04 syscheck
>
> [root@SRVAP280 syscheck]# ll
> total 384
> -rw-rw-rw-. 1 ossec ossec 0 Jul 23 15:45 (SRV008) 10.12.198.133->syscheck
> -rw-rw-rw-. 1 ossec ossec 1434 Jul 24 08:53 (SRV008) 10.12.198.133->syscheck-registry
> -rw-rw-rw-. 1 ossec ossec 0 Jul 23 15:45 (SRVAP295) 10.15.129.182->syscheck
> -rw-rw-rw-. 1 ossec ossec 131 Jul 24 10:51 (SRVAP295) 10.15.129.182->syscheck-registry
> -rw-rw-rw-. 1 ossec ossec 449938 Jul 23 15:52 syscheck
>
> [root@SRVAP280 etc]# cat /etc/group
> …
> apache:x:48:
> ossec:x:500:apache
>
> Please help me!
>
> Best regards,
> Anton Kashirin
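
One way to carry out the SELinux log check asked about in "step 1.5" above, as an added example that is not part of the original thread: the trailing "." on each mode string in the `ll` output means the entries carry an SELinux context, and denials are recorded as AVC records by auditd. The default log path /var/log/audit/audit.log, the function names and the sample records are assumptions; the records are constructed, not taken from this host.

```shell
#!/bin/sh
# Added example: count SELinux AVC denials for one process in an audit log.

# Constructed sample records in auditd's AVC format (not taken from the thread).
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1343117830.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="syscheck" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1343117830.101:310): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1343117890.204:311): avc:  denied  { read } for  pid=2101 comm="httpd" name="syscheck" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1343117950.007:312): avc:  denied  { getattr } for  pid=1877 comm="sshd" path="/etc/motd" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# avc_denials <comm> [audit_log]
# Prints one line per distinct denial: "<count> <perms> <tclass> <name|path> <tcontext>".
# Names containing spaces are hex-encoded by auditd, so whitespace splitting is safe.
avc_denials() {
    awk -v comm="$1" '
        /avc:/ && /denied/ && index($0, "comm=\"" comm "\"") {
            perm = name = tctx = tclass = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {            # permission list runs up to the closing brace
                    perm = ""
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                }
                if ($i ~ /^(name|path)=/) name = substr($i, 6)
                if ($i ~ /^tcontext=/)    tctx = substr($i, 10)
                if ($i ~ /^tclass=/)      tclass = substr($i, 8)
            }
            gsub(/"/, "", name)
            count[perm " " tclass " " name " " tctx]++
        }
        END { for (k in count) print count[k], k }
    ' "${2:-/var/log/audit/audit.log}" | sort
}

# Demonstration on the constructed records; on a real host, run as root with no second argument.
tmp=$(mktemp)
write_sample_log "$tmp"
avc_denials httpd "$tmp"
rm -f "$tmp"
```

An empty result for `httpd` while the PHP warning keeps firing points away from SELinux and back to ordinary file permissions and group membership.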
