Here it is from the ossec.log:

2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_trojans file: '/var/ossec/etc/shared/rootkit_trojans.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'

I have OSSEC installed in /opt/ossec but it is trying to read it from 
/var/ossec. How do I change that? 

And another one is...

2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
2013/06/21 12:17:25 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.

Funny thing is, I deleted # rm -rf /opt/ossec from that client's machine 
(it was just a test agent).
Now I'm not sure why it's still going/trying to communicate. I hashtagged 
the IP in the client.keys as well.
