On Thu, Aug 23, 2012 at 12:25 PM, Tony Trummer <[email protected]> wrote: > > I'm trying to configure a new OSSEC installation on Centos 5.8 64bit using a > previous 2.3 installation as a guide. As far as I can tell I've gotten it
What year is that installation guide from? > all configured the same, but all of the list_agents command (-a, -n, -c) > show "No agent available". > > I can see the following in the agent logs, which seem to show it > communicating with the server : > 2012/08/21 12:00:58 ossec-agentd(4102): INFO: Connected to the server > (x.x.x.x:1514). > 2012/08/21 12:00:58 ossec-agentd: INFO: Server responded. Releasing lock. > > Additionally, when I shut down the processes on the server side I can see > the client responding and I have run tcpdump on the server side and verified > communications coming in from the agent on port 1514, so it seems that the > path is okay. > Does the server respond? Does the agent receive the response? > When I look at the server logs (running with debug enabled) I see the > following: > 2012/08/21 12:00:41 ossec-monitord: WARN: Process locked. Waiting for > permission... > 2012/08/21 12:00:51 ossec-syscheckd: Setting SCHED_BATCH returned: 0 > 2012/08/21 12:00:58 ossec-remoted: WARN: Process locked. Waiting for > permission... > 2012/08/21 12:02:31 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2012/08/21 12:02:31 ossec-syscheckd: WARN: Process locked. Waiting for > permission... > 2012/08/21 12:02:46 ossec-logcollector: WARN: Process locked. Waiting for > permission. > I've never seen these errors on a server. > Doesn't matter how many times I stop/start the services they always seem to > stop with this (error message?). My first question is whether the above > ouput "Waiting for permission" is actually a problem, or just normal. It > seems to hang there indefinitely without additional logs, so I suspect it is > an issue. > > I've cleared the queue/rids directory multiple times, deleted the agent > multiple times and I'm not sure what else to do short of digging through the > source. > > > Any assistance would be appreciated. >
