On Fri, Jun 21, 2013 at 1:51 PM, David Blanton
<[email protected]> wrote:
> No - I did not move the files. I chose /opt/ossec as my install location
> during the setup. I don't believe the error is with the files themselves, but
> OSSEC is looking at the /var/ dir instead of /opt/.
>

Are they listed as /var/ossec in ossec.conf or /opt/ossec?

> Good call - I didn't stop it before I rm -rf. Do I have to reinstall to do
> that?
>

No, you should probably be able to kill the processes.

>
> On Friday, June 21, 2013 1:10:24 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 21, 2013 at 1:06 PM, David Blanton
>> <[email protected]> wrote:
>> > Here it is from the ossec.log:
>> >
>> >
>> > 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>> > 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> > 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
>> > 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_trojans file: '/var/ossec/etc/shared/rootkit_trojans.txt'
>> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
>> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
>> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
>> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
>> >
>>
>> There's another thread about these issues on the list, you might want
>> to check it out.
>>
>> > I have OSSEC installed in /opt/ossec but it is trying to read it from
>> > /var/ossec. How do I change that?
>> >
>>
>> Did you just move the files to /opt/ossec? Or did you set that when
>> you ran install.sh?
>>
>> > And another one is...
>> >
>> > 2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
>> > 2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
>> > 2013/06/21 12:17:25 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
>> > "
>> > Funny thing is, I deleted # rm -rf /opt/ossec from that client's machine
>> > (it was just a test agent).
>> > Now I'm not sure why it's still going/trying to communicate. I hashtagged
>> > the IP in the client.keys as well.
>> >
>>
>> Did you stop the ossec processes on that system?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
>

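The two checks discussed in this thread, as an added example that is not part of the original messages: it lists rootcheck database paths in ossec.conf that point outside the chosen install directory, and summarizes the missing-file and "not allowed" lines from ossec.log. The ossec.conf fragment is constructed (the thread never shows the file), the log lines follow the format quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

INSTALL_DIR = "/opt/ossec"  # install location named in the thread

# Constructed sample: a rootcheck section as it might appear in ossec.conf (assumption).
SAMPLE_CONF = """\
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/opt/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
</ossec_config>
"""

# Constructed sample: ossec.log lines in the format quoted in the thread.
SAMPLE_LOG = """\
2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
"""

ROOTCHECK_TAG = re.compile(r"<(rootkit_files|rootkit_trojans|system_audit)>\s*([^<]+?)\s*</\1>")
MISSING_FILE = re.compile(r"ossec-rootcheck: No \w+ file: '([^']+)'")
NOT_ALLOWED = re.compile(r"ossec-remoted\(\d+\): WARN: Message from (\S+) not allowed")

def under(path, base):
    """True if path is base or lies beneath it (so /opt/ossec2 does not match /opt/ossec)."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def stray_conf_paths(conf_text, install_dir):
    """(tag, path) pairs for rootcheck databases configured outside install_dir."""
    return [(t, p) for t, p in ROOTCHECK_TAG.findall(conf_text) if not under(p, install_dir)]

def triage_log(log_text, install_dir):
    """Return (missing rootcheck files outside install_dir, Counter of rejected source IPs)."""
    missing = sorted({p for p in MISSING_FILE.findall(log_text) if not under(p, install_dir)})
    return missing, Counter(NOT_ALLOWED.findall(log_text))

if __name__ == "__main__":
    for tag, path in stray_conf_paths(SAMPLE_CONF, INSTALL_DIR):
        print(f"ossec.conf <{tag}> points outside {INSTALL_DIR}: {path}")
    missing, rejected = triage_log(SAMPLE_LOG, INSTALL_DIR)
    for path in missing:
        print(f"rootcheck could not open: {path}")
    for ip, count in rejected.most_common():
        print(f"{count} rejected message(s) from {ip}: check for a still-running agent")
```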