Good call. Fixed them both, thanks dan.

On Friday, June 21, 2013 2:15:22 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jun 21, 2013 at 1:51 PM, David Blanton <[email protected]> wrote:
> > No - I did not move the files. I chose /opt/ossec as my install location
> > during the setup. I don't believe the error is with the files themselves, but
> > OSSEC is looking at /var/ dir instead of /opt/.
> >
>
> Are they listed as /var/ossec in ossec.conf or /opt/ossec?
>
> > Good call - I didn't stop it before I rm -rf. Do I have to reinstall to do
> > that?
> >
>
> No, you should probably be able to kill the processes.
>
> >
> > On Friday, June 21, 2013 1:10:24 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jun 21, 2013 at 1:06 PM, David Blanton <[email protected]> wrote:
> >> > Here it is from the ossec.log:
> >> >
> >> > 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> >> > 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> >> > 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
> >> > 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_trojans file: '/var/ossec/etc/shared/rootkit_trojans.txt'
> >> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
> >> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
> >> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
> >> > 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
> >> >
> >>
> >> There's another thread about these issues on the list, you might want
> >> to check it out.
> >>
> >> > I have OSSEC installed in /opt/ossec but it is trying to read it from
> >> > /var/ossec. How do I change that?
> >> >
> >>
> >> Did you just move the files to /opt/ossec? Or did you set that when
> >> you ran install.sh?
> >>
> >> > And another one is...
> >> >
> >> > 2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> >> > 2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> >> > 2013/06/21 12:17:25 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> >> >
> >> > Funny thing is, I deleted # rm -rf /opt/ossec from that client's machine (it
> >> > was just a test agent).
> >> > Now I'm not sure why it's still going/trying to communicate. I hashtagged
> >> > the IP in the client.keys as well.
> >> >
> >>
> >> Did you stop the ossec processes on that system?
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
> >> >
> >
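As an added example (not code from the thread or from the OSSEC project): a small Python parser for the ossec.log line shape quoted above. It tallies the "Message from <ip> not allowed" warnings from ossec-remoted per source address, which is what a removed or commented-out client.keys entry looks like when the agent process is still running, and lists the "No ... file" paths reported by ossec-rootcheck whose prefix does not match the directory chosen at install time, which is how the /var/ossec vs /opt/ossec mismatch shows up. The sample lines are the ones quoted in the thread, unwrapped; the install_dir parameter is an assumption of this example.

```python
import re
from collections import Counter

# Line shape seen in the thread's ossec.log excerpts, e.g.
#   2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
#   2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<pid>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR|DEBUG): )?"
    r"(?P<msg>.*)$"
)
# ossec-remoted rejects traffic from an address with no usable client.keys entry
NOT_ALLOWED_RE = re.compile(r"Message from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) not allowed")
# ossec-rootcheck reports a shared file it could not open
MISSING_FILE_RE = re.compile(r"No (?P<kind>\w+) file: '(?P<path>[^']+)'")

# Sample input: the log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_trojans file: '/var/ossec/etc/shared/rootkit_trojans.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
2013/06/21 12:17:25 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
"""


def parse_line(line):
    """Split one ossec.log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text, install_dir="/opt/ossec"):
    """Tally rejected agent sources and missing shared files.

    install_dir is an assumed parameter: the directory chosen when install.sh ran.
    A missing-file path outside it means the running configuration still points
    at a different tree (the /var/ossec vs /opt/ossec mismatch in the thread).
    """
    rejected = Counter()
    missing = []
    wrong_prefix = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = NOT_ALLOWED_RE.search(rec["msg"])
        if m:
            rejected[m.group("ip")] += 1
            continue
        m = MISSING_FILE_RE.search(rec["msg"])
        if m:
            path = m.group("path")
            missing.append(path)
            if not path.startswith(install_dir.rstrip("/") + "/"):
                wrong_prefix.append(path)
    return {
        "rejected": dict(rejected),
        "missing": missing,
        "wrong_prefix": wrong_prefix,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["rejected"].items():
        print(f"{n} rejected message(s) from {ip}: no active client.keys entry; "
              "stop the agent process or restore its key")
    for path in report["wrong_prefix"]:
        print(f"missing shared file outside install dir: {path}")
```

Run against the thread's lines this reports three rejected messages from 172.16.63.206 and six missing files under /var/ossec; passing install_dir="/var/ossec" instead yields no prefix mismatches, which is a quick way to confirm which tree the daemons are actually configured for before editing ossec.conf.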
