On Tue, Jul 24, 2012 at 4:34 PM, Leonardo Bacha Abrantes <[email protected]> wrote:
> Hey,
> thanks my friend!
>
> just more one question.
>
> I'm trying to start the server and am receiving the error:
>
> 2012/07/24 17:21:29 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2012/07/24 17:21:29 agent_control(1301): ERROR: Unable to connect to active response queue.
> 2012/07/24 17:26:52 ossec-testrule: INFO: Reading local decoder file.
> 2012/07/24 17:26:52 ossec-testrule: INFO: Started (pid: 25452).
>
> root@myserver:/var/ossec# ls -l queue/alerts/ar
> srw-rw---- 1 ossecr ossec 0 Jul 24 16:12 queue/alerts/ar
>
> what can be wrong ?

Anything you did between the time it worked and now. Maybe nothing.
Are you using active response? Look at /var/ossec/logs/ossec.log.
Troubleshoot.

> On Tue, Jul 24, 2012 at 5:18 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Jul 24, 2012 at 4:15 PM, Leonardo Bacha Abrantes
>> <[email protected]> wrote:
>> > Hi people,
>> >
>> > I was using tcpdump on my server and I received a lot of messages about
>> > promiscuous mode.
>> >
>> > Received From: (MyServer) 192.168.120.125 ->/var/log/messages
>> > Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
>> > Portion of the log(s):
>> > Jul 24 15:04:13 myserver kernel: device eth0 entered promiscuous mode
>> >
>> > Is possible to configure ossec client to send just one email instead of
>> > many ?
>> >
>> > Many thanks!
>>
>> The agent (client) shouldn't send any emails. You can configure the
>> ossec server to send out 1 email in x seconds if you'd like. Just
>> create a rule that ignores the alerts for a while.
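
An added example, not part of the original thread: one way to write the "rule that ignores the alerts for a while" that the reply suggests, as a local rule on the OSSEC server that matches after rule 5104. The rule id 100104, the group name, the description text and the 600-second window are assumed values.

```xml
<!-- Added example for local_rules.xml on the OSSEC server (not on the agent). -->
<!-- Rule id 100104 and the 600-second window are assumptions; pick your own. -->
<group name="local,syslog,">

  <!-- Child of stock rule 5104 ("Interface entered in promiscuous(sniffing) mode."). -->
  <!-- ignore="600": after this rule fires once, further matches are not alerted -->
  <!-- on for 600 seconds, so a tcpdump session that toggles promiscuous mode -->
  <!-- repeatedly produces one alert (and one email) per window instead of many. -->
  <rule id="100104" level="8" ignore="600">
    <if_sid>5104</if_sid>
    <description>Interface entered promiscuous (sniffing) mode (repeats suppressed for 600 seconds).</description>
  </rule>

</group>
```

The level is kept at 8 so the first event in each window still alerts at the same severity as rule 5104; restart the OSSEC server processes after editing the rules file so the change is loaded.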
