How were you able to recreate the user and group? I am having a new installation on my personal machine to test run things and I am having the same issue you did, except I haven't been able to have my agent run at all! Can't imagine how the user/group were deleted. Any insight would be a great help!
On Thursday, 8 December 2011 10:26:02 UTC-5, PS wrote: > > No problem. I was able to start the agent after recreating the user and > group. Thanks! > > Victor Pineiro > > > On Dec 8, 2011, at 10:07 AM, "dan (ddp)" <[email protected] <javascript:>> > wrote: > > > On Thu, Dec 8, 2011 at 10:04 AM, PS <[email protected] <javascript:>> > wrote: > >> So it looks like the user ossec and group ossec where deleted. I can > see in > >> syslog where it says that userdel was used to delete user 'ossec' > >> > >> I am not sure what did it. It had to be some script. Is there a way for > me > >> to find out what did it? > >> > >> I am the only person who manages this server. > >> > >> The syslog entry looks like this: > >> Dec 4 23:48:53 system userdel[2558]: delete user 'ossec' > >> > >> I'm not sure how to tie that event to a process or script that may have > done > >> it. > >> > > > > You can look through the logs to see what was going on, and I guess > > check through the scripts on your system for something that would > > delete users. > > > >> Thanks! > >> > >> Victor Pineiro > >> Sent from my iPad > >> > >> On Dec 8, 2011, at 6:28 AM, "dan (ddp)" <[email protected] <javascript:>> > wrote: > >> > >> What happened to your ossec group? > >> > >> On Dec 8, 2011 6:02 AM, "PS" <[email protected] <javascript:>> wrote: > >>> > >>> Hello list, > >>> > >>> I am seeing error 1203 when attempting to run any of the scripts from > the > >>> "/var/ossec/bin" folder. > >>> > >>> I have looked around for a fix and have not been able to find one. I > have > >>> seen that a couple of other people have had the same issue. When I > first > >>> installed it, I was able to start the agent and it was sending events > to the > >>> server. I just happened to look at the server and noticed that the > agent was > >>> disconnected. Nothing has changed since installation. Any clues? > >>> > >>> [root@system bin]# ./ossec-control start > >>> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)... > >>> 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group > >>> 'ossec' given. > >>> > >>> [root@system bin]# ./manage_agents -l > >>> 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or > group > >>> 'ossec' given. > >>> > >>> -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth > >>> -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents > >>> -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd > >>> -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control > >>> -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd > >>> -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector > >>> -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
