You can also turn ON debugging. It may tell you exactly what you did wrong.

ossec/etc/internal_options.conf

Change these to 2:

# Windows debug (used by the windows agent)
windows.debug=0

# Syscheck (local, server and unix agent)
syscheck.debug=0

# Remoted (server debug)
remoted.debug=0

# Analysisd (server or local)
analysisd.debug=0

# Log collector (server, local or unix agent)
logcollector.debug=0

# Unix agentd
agent.debug=0

Restart ossec and look at the log file.

Frank

On Tuesday, November 27, 2012 1:42:46 AM UTC-6, Shaun wrote:
>
> Hi All,
>
> I'm trying my hand at writing ossec rules.
>
> I created a custom rule to capture failed login attempts on a linux machine
> in /var/ossec/rules/local_rules.xml
>
> <group name="syslog,sshd,">
>   <rule id="100123" level="10" frequency="3">
>     <match>^authentication failure</match>
>     <group>authentication_failed</group>
>     <description>Failed login attempts</description>
>   </rule>
> </group>
>
> and when I restart the ossec service I get the following error:
>
> *ossec-syscheckd(1210):Error:Queue '/var/ossec/queue/ossec/queue' not
> accessible : 'connection refused'*
>
> Can someone help me identify what went wrong?
>
> Not just this; when I tried modifying the alert frequency of an event, I
> get the same error.
>
> For example, ssh_successful:
>
> I copied the following from the syslog_rules.xml file to local_rules.xml:
>
> <rule id="5402" level="3">
>   <if_sid>5400</if_sid>
>   <match> ; USER=root ; COMMAND=</match>
>   <description>Successful sudo to ROOT executed</description>
> </rule>
>
> In the local_rules.xml file I modified it as:
>
> <rule id="5402" level="3" frequency="15" overwrite="yes">
>   <if_sid>5400</if_sid>
>   <match> ; USER=root ; COMMAND=</match>
>   <description>Successful sudo to ROOT executed</description>
> </rule>
>
> I get the same error (*ossec-syscheckd(1210):Error:Queue
> '/var/ossec/queue/ossec/queue' not accessible : 'connection refused'*) on
> restarting OSSEC.
>
> Please assist.
>
> Regards,
> Shaun
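The procedure Frank describes (raise the six debug switches in internal_options.conf to 2, restart, read ossec.log), as an added shell example; this is not code from the thread or from the OSSEC project. It assumes OSSEC lives under /var/ossec (overridable via OSSEC_DIR), that the config uses plain "key.debug=N" lines as quoted above, and the function names ossec_set_debug, ossec_debug_level and make_sample_conf are this example's own. The sample config it edits is constructed inline so the edit can be exercised without an OSSEC install; the real restart and log check only run when the script is invoked with "apply".

```shell
#!/bin/sh
# Added example (not from the original thread or the OSSEC project).
# Assumption: OSSEC is installed under /var/ossec unless OSSEC_DIR says otherwise.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# The debug switches named in the reply, kept in one place.
DEBUG_KEYS="windows syscheck remoted analysisd logcollector agent"

# ossec_set_debug FILE LEVEL: set every "<key>.debug=<n>" line for the keys
# above to LEVEL. Anchored patterns leave the comment lines alone, and a .bak
# copy is kept so the levels can be put back to 0 once the fault is found.
ossec_set_debug() {
    file="$1"; level="$2"
    cp "$file" "$file.bak"
    for key in $DEBUG_KEYS; do
        sed "s/^${key}\.debug=[0-9]*$/${key}.debug=${level}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# ossec_debug_level FILE KEY: print the level currently set for KEY.
ossec_debug_level() {
    sed -n "s/^$2\.debug=\([0-9]*\)$/\1/p" "$1"
}

# make_sample_conf: write a constructed copy of the relevant part of
# internal_options.conf to a temp file and print its path (test input only).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Windows debug (used by the windows agent)
windows.debug=0

# Syscheck (local, server and unix agent)
syscheck.debug=0

# Remoted (server debug)
remoted.debug=0

# Analysisd (server or local)
analysisd.debug=0

# Log collector (server, local or unix agent)
logcollector.debug=0

# Unix agentd
agent.debug=0
EOF
    printf '%s' "$f"
}

# Real procedure, run only on request so the file is otherwise side-effect free:
#   sh ossec_debug.sh apply
if [ "$1" = "apply" ]; then
    ossec_set_debug "$OSSEC_DIR/etc/internal_options.conf" 2
    "$OSSEC_DIR/bin/ossec-control" restart
    # A rule that fails to load stops ossec-analysisd; its complaint lands in
    # ossec.log and is the cause behind the downstream "Queue not accessible".
    grep -iE 'error|warn' "$OSSEC_DIR/logs/ossec.log" | tail -n 20
fi
```

After "apply", restore the .bak copy once the offending rule is found, since level-2 debugging is noisy. As a cheaper check before touching the live service, /var/ossec/bin/ossec-logtest loads the same rule files and prints the loader's error without a restart (a practitioner's note, not something Frank's reply mentions).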
