Hi all,

I use Ossec 2.6 on my server and unix clients. Recently, I tried to tune rule 533, and set the level of alert from 7 to 6. In my setup, 6 doesn't generate email alerts. After a few hours of this implementation, I noticed the following errors in ossec.log:

2013/03/11 22:41:35 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2013/03/11 22:41:36 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/03/11 22:41:38 ossec-syscheckd(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/03/11 22:41:38 ossec-syscheckd(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..
2013/03/11 22:41:39 ossec-logcollector(1210): ERROR: Queue '/apps/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/03/11 22:41:39 ossec-logcollector(1211): ERROR: Unable to access queue: '/apps/ossec/queue/ossec/queue'. Giving up..

I did some research and found this error message has nothing to do with the queue. It is related to a syntax error in local_rules.xml. I checked it, couldn't figure out the issue, validated it with ossec-logtest, everything was fine. Reviewing my SCM for any change in the rules, I noticed issues started around the time I added rule 533 to my local_rules.xml file. I rolled back to the previous version, minus rule 533. I monitored ossec.log for 24 hours, no issue. When I added rule 533 back, it broke again.

Is there a way to fix this bug? I really need to collect netstat info but don't want to get an email alert every time there is a change.

Thanks in advance,
-Stephane
