On Wed, Aug 14, 2013 at 4:07 PM, Jared <[email protected]> wrote:
> Okay, so getting lots of errors in ossec.log:
>
> 2013/08/14 19:37:36 ossec-logcollector(1211): ERROR: Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/08/14 19:41:56 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2013/08/14 19:41:58 ossec-logcollector(1224): ERROR: Error sending message
> to queue.
> 2013/08/14 19:41:59 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2013/08/14 19:41:59 ossec-remoted(1211): ERROR: Unable to access queue:
> '/queue/ossec/queue'. Giving up..
> 2013/08/14 19:42:01 ossec-logcollector(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/14 19:42:01 ossec-logcollector(1211): ERROR: Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/08/14 19:46:06 ossec-monitord(1224): ERROR: Error sending message to
> queue.
>
Check for earlier errors, see if there are any clues.

> With the attached agent.conf applied. When I remove the agent.conf file and
> restart the ossec server, all the agents reconnect and all is well. I am
> guessing... that I have an error in the logic on this file. I have confirmed
> that on each agent server, the correct files are being parsed per each
> <config-profile></config-profile> statement in the local ossec.conf. Here is
> an example:
>

Do you have multiple <config-profile> entries on each system?

> <config-profile>D2C-NAT</config-profile>
>
> Would really like to understand what I am missing. Again, I really
> appreciate all of the help on this and other posts!!!
>

Are you getting these errors with all profiles?
Try setting up 1 currently failing agent. Remove all profiles other than one used by this agent. Remove all entries from that profile, except for 1 thing. Does it still fail?

I copied your D2C-NAT entry into my agent.conf, changed the config-profile to that on 1 agent, and restarted everything. I did not have this issue.
I then copied the entire agent.conf you provided into my agent.conf, still defining D2C-NAT on the agent. Still no problems.

> On Wednesday, July 17, 2013 10:44:26 AM UTC-4, dan (ddpbsd) wrote:
>>
>>
>> On Jul 17, 2013 10:06 AM, "Jared" <[email protected]> wrote:
>> >
>> > Sorry to open an old thread, but I have a related question.
>> >
>> > Is there any way to tell a host that it is a web or db server through
>> > the push of the agent.conf? Or is it a requirement to update the ossec.conf
>> > on every server to tell it what group it is a member of?
>> >
>>
>> No idea, I'll have to try it and find out.
>>
>> > Thank you,
>> >
>> > Jared
>> >
>> > On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jun 24, 2013 at 1:15 PM, Jared <[email protected]> wrote:
>> >> > Question:
>> >> >
>> >> > How are "Profiles" associated with clients / agents?
>> >> >
>> >> > Scenario:
>> >> >
>> >> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
>> >> >
>> >> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
>> >> >
>> >> > I would like to have a profile for each server type so that I no
>> >> > longer see the following errors:
>> >> >
>> >> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log
>> >> > file:
>> >> > 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>> >> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file
>> >> > 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>> >> >
>> >> > For Windows servers that do not have Tomcat for example?
>> >> >
>> >> > Based on the following from the web documentation from
>> >> >
>> >> > http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
>> >> >
>> >> > profile
>> >> > This option to agent_config allows you to assign a profile name to
>> >> > the block. Any agent may use this block if it is configured to use
>> >> > the defined profile.
>> >> >
>> >> > Example: <agent_config profile="webservers">
>> >> >
>> >> >
>> >> > How do I tell Agent 002 that it should be associated with "LinuxWebs"
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >
>> >> >
>> >> > How do I tell Agent 002 that it should be subordinate to "WinWebs"
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >
>> >> >
>> >> > In the following config:
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >   <localfile>
>> >> >     <location>/var/log/secure</location>
>> >> >     <log_format>syslog</log_format>
>> >> >   </localfile>
>> >> >
>> >> > </agent_config>
>> >> >
>> >> > Thanks for all of the posts and info? Very helpful list!!
>> >> >
>> >> > Jared
>> >> >
>> >>
>> >> In the agent's ossec.conf add a <config-profile> entry to the <client>
>> >> section. Example:
>> >>
>> >> <ossec_config>
>> >>   <client>
>> >>     <server-ip>192.168.17.9</server-ip>
>> >>     <config-profile>openbsd-firewall,openbsd-test</config-profile>
>> >>   </client>
>> >> </ossec_config>
>> >>
>> >> The above agent is a member of the openbsd-firewall and openbsd-test
>> >> profiles in agent.conf.
>> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
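
The profile lookup discussed in this thread, as an added example that is not part of the original messages and not OSSEC's own code: a Python check that reads an agent's `<config-profile>` list, reports which `<localfile>` locations a shared agent.conf would hand that agent, and flags profile names with no matching block as well as typographic quotes in the file. The sample configs are constructed, and exact-name matching against the comma-separated list is an assumption; the `name` and `os` attributes of `<agent_config>` are not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread: server-side agent.conf, agent ossec.conf.
AGENT_CONF = r"""
<agent_config profile="LinuxWebs">
  <localfile><location>/var/log/secure</location><log_format>syslog</log_format></localfile>
</agent_config>
<agent_config profile="WinWebs">
  <localfile><location>C:\Tomcat7\logs\access.txt</location><log_format>syslog</log_format></localfile>
</agent_config>
"""
OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>192.168.17.9</server-ip>
    <config-profile>LinuxWebs,D2C-NAT</config-profile>
  </client>
</ossec_config>
"""

def lint_quotes(text):
    """Line numbers (1-based) containing typographic quotes, which cannot delimit XML attributes."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if re.search("[\u201c\u201d\u2018\u2019]", line)]

def agent_profiles(ossec_conf):
    """Names listed in <client><config-profile> (comma separated)."""
    node = ET.fromstring(ossec_conf).find("./client/config-profile")
    text = node.text if node is not None and node.text else ""
    return [p.strip() for p in text.split(",") if p.strip()]

def resolve(agent_conf, profiles):
    """Return (locations pushed to the agent, agent profiles with no block).

    Assumption: a block applies when it has no profile attribute or when its
    profile is one of the agent's names.
    """
    # agent.conf holds several top-level elements, so wrap it in one root.
    root = ET.fromstring("<root>" + agent_conf + "</root>")
    locations, defined = [], set()
    for block in root.findall("agent_config"):
        prof = block.get("profile")
        if prof is not None:
            defined.add(prof)
        if prof is None or prof in profiles:
            locations += [loc.text for loc in block.findall("./localfile/location")]
    return locations, [p for p in profiles if p not in defined]
```

Running `lint_quotes` on agent.conf before `resolve` matters because a file with typographic quotes around attribute values does not parse as XML at all.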
