Hi Dan,
I made a change to the ossec.conf file..
root@luke etc # head -5 ossec.conf
<ossec_config>
<client>
<server-ip>138.202.80.161</server-ip>
</client>
root@luke etc #
... where 138.202.80.161 is my master server... currently reviewing OSSEC
manuals and doing more research...
Let me know if you find something..
Thanks.
Kind regards,
David Juarez
On Tue, May 7, 2013 at 1:46 PM, David Juarez <[email protected]> wrote:
> Here is my ossec.log file as well..
>
> Many Thanks!!
>
> Kind regards,
> D.J.
>
> On Tue, May 7, 2013 at 1:40 PM, David Juarez <[email protected]> wrote:
>
>> np....
>> Thanks for your help !!
>> Here is the ossec.conf file
>>
>>
>>
>>
>>
>> On Tue, May 7, 2013 at 1:25 PM, dan (ddp) <[email protected]> wrote:
>>
>>>
>>> On May 7, 2013 4:20 PM, "David Juarez" <[email protected]> wrote:
>>> >
>>> > Dan,
>>> >
>>> > I am not making it difficult.. those are errors received... yes, I added
>>> > the client.. in fact.. Solaris 10 is the one that is causing these issues..
>>> >
>>>
>>> My apologies. I'll try to simplify this further because I _really_ want
>>> to know the answer to my question.
>>>
>>> Please send your agent's ossec.conf.
>>>
>>> >
>>> > [root@syslog-rhel63-svr bin]# pwd
>>> > /var/ossec/bin
>>> > [root@syslog-rhel63-svr bin]# ./manage_agents
>>> >
>>> >
>>> > ****************************************
>>> > * OSSEC HIDS v2.6 Agent manager. *
>>> > * The following options are available: *
>>> > ****************************************
>>> > (A)dd an agent (A).
>>> > (E)xtract key for an agent (E).
>>> > (L)ist already added agents (L).
>>> > (R)emove an agent (R).
>>> > (Q)uit.
>>> > Choose your action: A,E,L,R or Q: L
>>> >
>>> > Available agents:
>>> > ID: 001, Name: syslog-rhel63-client1, IP: 138.202.80.162
>>> > ID: 002, Name: obiwan.usfca.edu, IP: 138.202.81.50
>>> > ID: 004, Name: luke.usfca.edu, IP: 138.202.80.89
>>> >
>>> > ** Press ENTER to return to the main menu.
>>> >
>>> > Please note Solaris 10 = ID: 004, Name: luke.usfca.edu, IP:
>>> 138.202.80.89
>>> >
>>> > Thanks.
>>> >
>>> > D.J.
>>> >
>>> > On Tue, May 7, 2013 at 12:21 PM, dan (ddp) <[email protected]> wrote:
>>> >>
>>> >> You're making this incredibly difficult. This should not be difficult.
>>> >>
>>> >> On Tue, May 7, 2013 at 3:12 PM, David Juarez <[email protected]>
>>> wrote:
>>> >> > Hi Dan,
>>> >> >
>>> >> > I executed ./install.sh from where the install script is found.
>>> >> > I noticed this error message from the logs.. very interesting...
>>> >> >
>>> >>
>>> >> All right, forget about the install.sh script. I regret bringing it
>>> up.
>>> >> _*-*_DOES THE server-ip EXIST IN THE AGENT'S OSSEC.CONF?_*-*_
>>> >>
>>> >> If not, try adding it.
>>> >>
>>> >> >
>>> >> > bash-4.2# cat ossec.log
>>> >> > 2013/05/07 11:54:38 ossec-execd: INFO: Started (pid: 28936).
>>> >> > 2013/05/07 11:54:38 ossec-agentd(1402): ERROR: Authentication key
>>> file
>>> >> > '/var/ossec/etc/client .keys' not found.
>>> >> >
>>> >> > However !!
>>> >> >
>>> >> > /var/ossec/etc
>>> >> > bash-4.2# ls -l client.keys
>>> >> > -r--r----- 1 root ossec 98 May 7 12:00 client.keys
>>> >> > bash-4.2#
>>> >> >
>>> >> > On Tue, May 7, 2013 at 12:05 PM, dan (ddp) <[email protected]>
>>> wrote:
>>> >> >>
>>> >> >> On Tue, May 7, 2013 at 3:02 PM, David Juarez <[email protected]>
>>> wrote:
>>> >> >> > Hello Dan,
>>> >> >> >
>>> >> >> > I upgraded bash ver 4.2 (Solaris 10) running OSSEC ver 2.7.1
>>> alpha... re
>>> >> >> > installed the OSSEC software... still getting same error
>>> message...
>>> >> >> >
>>> >> >>
>>> >> >> When you run "bash ./install.sh" you get the same error you did
>>> before
>>> >> >> when using the solaris shell?
>>> >> >> Did you try 2.7.1?
>>> >> >>
>>> >> >> > Note: key has been imported successfully to the agent..... from
>>> the
>>> >> >> > master
>>> >> >> > server...
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > bash-4.2# pwd
>>> >> >> > /var
>>> >> >> > bash-4.2# date
>>> >> >> > Tuesday, May 7, 2013 12:03:07 PM PDT
>>> >> >> > bash-4.2# uname -n
>>> >> >> > luke
>>> >> >> > bash-4.2# /var/ossec/bin/ossec-control start
>>> >> >> > Starting OSSEC HIDS v2.7.1-alpha-1 (by Trend Micro Inc.)...
>>> >> >> > Deleting PID file
>>> '/var/ossec/var/run/ossec-logcollector-28976.pid' not
>>> >> >> > used...
>>> >> >> > Deleting PID file '/var/ossec/var/run/ossec-agentd-28972.pid' not
>>> >> >> > used...
>>> >> >> > ossec-execd already running...
>>> >> >> > Started ossec-agentd...
>>> >> >> > Started ossec-logcollector...
>>> >> >> > 2013/05/07 12:03:23 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> > '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> > required'.
>>> >> >> > 2013/05/07 12:03:23 ossec-rootcheck(1210): ERROR: Queue
>>> >> >> > '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> > required'.
>>> >> >> > 2013/05/07 12:03:31 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> > '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> > required'.
>>> >> >> > 2013/05/07 12:03:31 ossec-rootcheck(1210): ERROR: Queue
>>> >> >> > '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> > required'.
>>> >> >> > 2013/05/07 12:03:44 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> > '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> > required'.
>>> >> >> > 2013/05/07 12:03:44 ossec-rootcheck(1211): ERROR: Unable to
>>> access
>>> >> >> > queue:
>>> >> >> > '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> > ossec-syscheckd did not start
>>> >> >> > bash-4.2#
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> #############################################################################
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > bash-4.2# cat ossec.log
>>> >> >> > 2013/05/07 11:54:38 ossec-execd: INFO: Started (pid: 28936).
>>> >> >> > 2013/05/07 11:54:38 ossec-agentd(1402): ERROR: Authentication key file '/var/ossec/etc/client.keys' not found.
>>> >> >> > 2013/05/07 11:54:38 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
>>> >> >> > 2013/05/07 11:54:38 ossec-agentd(4109): ERROR: Unable to start without auth keys. Exiting.
>>> >> >> > 2013/05/07 12:00:32 ossec-agentd(1410): INFO: Reading authentication keys file.
>>> >> >> > 2013/05/07 12:00:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:35 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:41 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:41 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> > 2013/05/07 12:00:43 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:43 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:56 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:00:56 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> > 2013/05/07 12:03:20 ossec-agentd(1410): INFO: Reading authentication keys file.
>>> >> >> > 2013/05/07 12:03:20 ossec-agentd: INFO: No previous counter available for 'luke.usfca.edu'.
>>> >> >> > 2013/05/07 12:03:20 ossec-agentd: INFO: Assigning counter for agent luke.usfca.edu: '0:0'.
>>> >> >> > 2013/05/07 12:03:20 ossec-agentd: INFO: No previous sender counter.
>>> >> >> > 2013/05/07 12:03:20 ossec-agentd: INFO: Assigning sender counter: 0:0
>>> >> >> > 2013/05/07 12:03:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:29 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:29 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> > 2013/05/07 12:03:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> >> > 2013/05/07 12:03:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> > bash-4.2#
>>> >> >> >
>>> >> >> >
>>> >> >>
>>> >> >> Does the server-ip exist in the agent's ossec.conf?
>>> >> >>
>>> >> >>
>>> >> >> >
>>> >> >> > On Tue, May 7, 2013 at 3:29 AM, dan (ddp) <[email protected]>
>>> wrote:
>>> >> >> >>
>>> >> >> >> Make sure the server-ip made it into the ossec.conf
>>> >> >> >>
>>> >> >> >> On May 6, 2013 8:14 PM, "David Juarez" <[email protected]>
>>> wrote:
>>> >> >> >>>
>>> >> >> >>> Hi Dan,
>>> >> >> >>>
>>> >> >> >>> Many Thanks for your quick response.. I have installed OSSEC HIDS
>>> >> >> >>> v2.7.1-alpha-1 (by Trend Micro Inc.)..., so far installation did not
>>> >> >> >>> complain. I was able to register the agent (Sol10) on the master/server
>>> >> >> >>> ... imported the certificate key on the agent, but when attempting to
>>> >> >> >>> start OSSEC I received the error messages below..
>>> >> >> >>>
>>> >> >> >>> any suggestions? I am doing research as well..
>>> >> >> >>> Thanks again !!!
>>> >> >> >>>
>>> >> >> >>> Kind regards,
>>> >> >> >>> D.J.
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> bash-3.00# ./ossec-control start
>>> >> >> >>> Starting OSSEC HIDS v2.7.1-alpha-1 (by Trend Micro Inc.)...
>>> >> >> >>> ossec-execd already running...
>>> >> >> >>> Started ossec-agentd...
>>> >> >> >>> Started ossec-logcollector...
>>> >> >> >>> 2013/05/06 14:24:57 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> >>> '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> >>> required'.
>>> >> >> >>> 2013/05/06 14:24:57 ossec-rootcheck(1210): ERROR: Queue
>>> >> >> >>> '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> >>> required'.
>>> >> >> >>> 2013/05/06 14:25:05 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> >>> '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> >>> required'.
>>> >> >> >>> 2013/05/06 14:25:05 ossec-rootcheck(1210): ERROR: Queue
>>> >> >> >>> '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> >>> required'.
>>> >> >> >>> 2013/05/06 14:25:18 ossec-syscheckd(1210): ERROR: Queue
>>> >> >> >>> '/var/ossec/queue/ossec/queue' not accessible: 'Destination
>>> address
>>> >> >> >>> required'.
>>> >> >> >>> 2013/05/06 14:25:18 ossec-rootcheck(1211): ERROR: Unable to
>>> access
>>> >> >> >>> queue:
>>> >> >> >>> '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> >> >>> ossec-syscheckd did not start
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> On Mon, May 6, 2013 at 1:43 PM, dan (ddp) <[email protected]>
>>> wrote:
>>> >> >> >>>>
>>> >> >> >>>> Either use bash or try the 2.7.1 alpha. The Solaris shell is
>>> ancient.
>>> >> >> >>>>
>>> >> >> >>>> On May 6, 2013 2:39 PM, "David Juarez" <[email protected]>
>>> wrote:
>>> >> >> >>>>>
>>> >> >> >>>>> Hello All -
>>> >> >> >>>>>
>>> >> >> >>>>>
>>> >> >> >>>>> I am attempting a fresh install of OSSEC HIDS v2.7 in sol
>>> 10. I
>>> >> >> >>>>> received the following error message..
>>> >> >> >>>>>
>>> >> >> >>>>> "./install.sh: syntax error at line 142: `$' unexpected"
>>> >> >> >>>>>
>>> >> >> >>>>> any idea?
>>> >> >> >>>>> I was able to install it successfully on RHEL v6.3..
>>> >> >> >>>>>
>>> >> >> >>>>> Any recommendations are greatly appreciated.
>>> >> >> >>>>>
>>> >> >> >>>>> Thanks.
>>> >> >> >>>>>
>>> >> >> >>>>> Regards,
>>> >> >> >>>>> David Juarez
>>> >> >> >>>>>
>>> >> >> >>>>> --
>>> >> >> >>>>>
>>> >> >> >>>>> ---
>>> >> >> >>>>> You received this message because you are subscribed to the
>>> Google
>>> >> >> >>>>> Groups "ossec-list" group.
>>> >> >> >>>>> To unsubscribe from this group and stop receiving emails
>>> from it,
>>> >> >> >>>>> send
>>> >> >> >>>>> an email to [email protected].
>>> >> >> >>>>> For more options, visit
>>> https://groups.google.com/groups/opt_out.
>>> >> >> >>>>>
>>> >> >> >>>>>
>>> >> >> >>>>
>>
>>
>
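
A first-pass check for the failure discussed in this thread, added here as an example and not part of any message or of OSSEC itself: it looks for a server-ip inside the client block of ossec.conf, a non-empty client.keys, and the error codes that appear in the log. The function names, the conf and key sample files and the 192.0.2.x addresses are constructed, the log lines are re-joined from the thread, and the hint that the 1210/1211 queue errors follow from ossec-agentd not running is an assumption.

```shell
# Added example (not from the thread): first-pass triage of an OSSEC agent
# that will not start. Function names and sample files are hypothetical.

# Succeed if a non-empty <server-ip> sits inside <client> (line-based check).
has_server_ip() {
    awk '/<client>/ { c = 1 }
         c && /<server-ip>[^< ]+<\/server-ip>/ { found = 1 }
         /<\/client>/ { c = 0 }
         END { exit found ? 0 : 1 }' "$1"
}

# Succeed if the key file exists and is not empty.
keys_ok() { [ -s "$1" ]; }

# Print the distinct numeric codes from "ossec-<daemon>(NNNN): ERROR:" lines.
log_error_codes() {
    sed -n 's/^.* ossec-[a-z]*(\([0-9][0-9]*\)): ERROR:.*$/\1/p' "$1" | sort -u
}

# triage CONF KEYS LOG: one finding per line, exit status 1 if any finding.
# Assumption: agentd serves the queue, so its errors are the ones to fix first.
triage() {
    rc=0
    has_server_ip "$1" || { echo "conf: no <server-ip> inside <client>"; rc=1; }
    keys_ok "$2" || { echo "keys: client.keys missing or empty"; rc=1; }
    for code in $(log_error_codes "$3"); do
        case $code in
            1402) echo "log 1402: authentication key file not found" ;;
            1750) echo "log 1750: no remote connection configured" ;;
            4109) echo "log 4109: agentd cannot start without auth keys" ;;
            1210|1211) echo "log $code: queue not accessible, check ossec-agentd" ;;
            *) echo "log $code: not covered by this script" ;;
        esac
        rc=1
    done
    return $rc
}

# Sample files: conf and keys are constructed (192.0.2.0/24 is a documentation
# range); the log lines are re-joined from the thread.
make_samples() {
    mkdir -p "$1"
    printf '<ossec_config>\n<client>\n</client>\n</ossec_config>\n' > "$1/before.conf"
    printf '<ossec_config>\n<client>\n<server-ip>192.0.2.10</server-ip>\n</client>\n</ossec_config>\n' > "$1/after.conf"
    printf '001 agent1 192.0.2.20 constructed-key\n' > "$1/client.keys"
    : > "$1/clean.log"
    cat > "$1/ossec.log" <<'EOF'
2013/05/07 11:54:38 ossec-agentd(1402): ERROR: Authentication key file '/var/ossec/etc/client.keys' not found.
2013/05/07 11:54:38 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2013/05/07 11:54:38 ossec-agentd(4109): ERROR: Unable to start without auth keys. Exiting.
2013/05/07 12:00:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2013/05/07 12:00:56 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
EOF
}
SAMPLES="${TMPDIR:-/tmp}/ossec-triage-demo.$$"
make_samples "$SAMPLES"
triage "$SAMPLES/before.conf" "$SAMPLES/missing.keys" "$SAMPLES/ossec.log" || true
```

On a real agent the three arguments would be the files under /var/ossec/etc and /var/ossec/logs named in the thread.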