Many Thanks!

@Janelle

Here are the permissions (keep in mind this is Alienvault):

alienvault4sim:~# ls -ls /var/ossec/
total 52
 4 dr-xr-x---  3 root     ossec  4096 Sep 12  2012 active-response
 4 drwxr-x---  2 www-data ossec  4096 Jul 18 17:52 agentless
 4 dr-xr-x---  2 www-data ossec  4096 Jul 18 17:52 bin
 4 dr-xr-x---  3 www-data ossec  4096 Aug 15 13:31 etc
 4 -rw-r--r--  1 root     root    501 Aug  7 18:53 k
 4 drwxrwx---  5 www-data ossec  4096 Aug 15 06:25 logs
 4 dr-xr-x--- 11 root     ossec  4096 Sep 12  2012 queue
12 drwxr-xr--  8 www-data ossec 12288 Aug 15 13:19 rules
 4 drwxr-x---  5 ossec    ossec  4096 Sep 12  2012 stats
 4 dr-xr-x---  2 root     ossec  4096 Oct 10  2011 tmp
 4 dr-xr-x---  3 root     ossec  4096 Aug 15 13:36 var
alienvault4sim:~#

Should I change the other "root" to "ossec" as well, or leave them as they are?

alienvault4sim:~# chown -R ossec:ossec /var/ossec/queue
alienvault4sim:~# ls -ls /var/ossec/
total 52
 4 dr-xr-x---  3 root     ossec  4096 Sep 12  2012 active-response
 4 drwxr-x---  2 www-data ossec  4096 Jul 18 17:52 agentless
 4 dr-xr-x---  2 www-data ossec  4096 Jul 18 17:52 bin
 4 dr-xr-x---  3 www-data ossec  4096 Aug 15 13:31 etc
 4 -rw-r--r--  1 root     root    501 Aug  7 18:53 k
 4 drwxrwx---  5 www-data ossec  4096 Aug 15 06:25 logs
 4 dr-xr-x--- 11 ossec    ossec  4096 Sep 12  2012 queue
12 drwxr-xr--  8 www-data ossec 12288 Aug 15 13:19 rules
 4 drwxr-x---  5 ossec    ossec  4096 Sep 12  2012 stats
 4 dr-xr-x---  2 root     ossec  4096 Oct 10  2011 tmp
 4 dr-xr-x---  3 root     ossec  4096 Aug 15 15:23 var
alienvault4sim:~#

@Dan

> Are you getting these errors with all profiles?

Yes, however this may be the result of editing the rules and the permissions being changed as per above. I may have correlated the events incorrectly.

> Try setting up 1 currently failing agent.

= did that, same server condition regardless of whether one, some, or all profiles are in agent.conf. I have confirmed that each server is parsing the correct logs per the agent.conf, that part works great!

> Remove all profiles other than one used by this agent.

= done

> Remove all entries from that profile, except for 1 thing. Does it still fail?

done, yes

> I copied your D2C-NAT entry into my agent.conf, changed the config-profile to that on 1 agent, and restarted everything. I did not have this issue. I then copied the entire agent.conf you provided into my agent.conf, still defining D2C-NAT on the agent. Still no problems.

Thank you! I am really hoping that the rights are the issue. It appears there is a chown statement in the ossim-reconfig output that I need to inspect. If these permissions are changing with every reconfig in alienVault, it would make a lot of sense. Seems logical to implement a chown statement in the ./ossec-control start/restart process, as I am seeing many people comment on these errors. That would ensure that all permissions are appropriate at every attempt to start the application. I will cron this problem away until that time.

Thank you both!!

Jared

On Thu, Aug 15, 2013 at 11:15 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Aug 14, 2013 at 4:07 PM, Jared <[email protected]> wrote:
> > Okay, so getting lots of errors in ossec.log:
> >
> > 2013/08/14 19:37:36 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2013/08/14 19:41:56 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/14 19:41:58 ossec-logcollector(1224): ERROR: Error sending message to queue.
> > 2013/08/14 19:41:59 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/14 19:41:59 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> > 2013/08/14 19:42:01 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/14 19:42:01 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2013/08/14 19:46:06 ossec-monitord(1224): ERROR: Error sending message to queue.
> >
>
> Check for earlier errors, see if there are any clues.
>
> > With the attached agent.conf applied. When I remove the agent.conf file and restart the ossec server, all the agents reconnect and all is well. I am guessing... that I have an error in the logic on this file. I have confirmed that on each agent server, the correct files are being parsed per each <config-profile></config-profile> statement in the local ossec.conf. Here is an example:
> >
>
> Do you have multiple <config-profile> entries on each system?
>
> > <config-profile>D2C-NAT</config-profile>
> >
> > Would really like to understand what I am missing. Again, I really appreciate all of the help on this and other posts!!!
> >
>
> Are you getting these errors with all profiles? Try setting up 1 currently failing agent.
> Remove all profiles other than one used by this agent.
> Remove all entries from that profile, except for 1 thing. Does it still fail?
>
> I copied your D2C-NAT entry into my agent.conf, changed the config-profile to that on 1 agent, and restarted everything. I did not have this issue. I then copied the entire agent.conf you provided into my agent.conf, still defining D2C-NAT on the agent. Still no problems.
>
> > On Wednesday, July 17, 2013 10:44:26 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Jul 17, 2013 10:06 AM, "Jared" <[email protected]> wrote:
> >> >
> >> > Sorry to open an old thread, but I have a related question.
> >> >
> >> > Is there any way to tell a host that it is a web or db server through the push of the agent.conf? Or is it a requirement to update the ossec.conf on every server to tell it what group it is a member of?
> >> >
> >>
> >> No idea, I'll have to try it and find out.
> >>
> >> > Thank you,
> >> >
> >> > Jared
> >> >
> >> > On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Jun 24, 2013 at 1:15 PM, Jared <[email protected]> wrote:
> >> >> > Question:
> >> >> >
> >> >> > How are "Profiles" associated with clients / agents?
> >> >> >
> >> >> > Scenario:
> >> >> >
> >> >> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
> >> >> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
> >> >> >
> >> >> > I would like to have a profile for each server type so that I no longer see the following errors:
> >> >> >
> >> >> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >> >> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >> >> >
> >> >> > For Windows servers that do not have Tomcat, for example?
> >> >> >
> >> >> > Based on the following from the web documentation at
> >> >> > http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile :
> >> >> >
> >> >> > profile
> >> >> > This option to agent_config allows you to assign a profile name to the block. Any agent may use this block if it is configured to use the defined profile.
> >> >> >
> >> >> > Example: <agent_config profile="webservers">
> >> >> >
> >> >> > How do I tell Agent 002 that it should be associated with "LinuxWebs"
> >> >> >
> >> >> > <agent_config profile="LinuxWebs">
> >> >> >
> >> >> > How do I tell Agent 002 that it should be subordinate to "WinWebs"
> >> >> >
> >> >> > <agent_config profile="LinuxWebs">
> >> >> >
> >> >> > In the following config:
> >> >> >
> >> >> > <agent_config profile="LinuxWebs">
> >> >> >   <localfile>
> >> >> >     <location>/var/log/secure</location>
> >> >> >     <log_format>syslog</log_format>
> >> >> >   </localfile>
> >> >> > </agent_config>
> >> >> >
> >> >> > Thanks for all of the posts and info. Very helpful list!!
> >> >> >
> >> >> > Jared
> >> >> >
> >> >>
> >> >> In the agent's ossec.conf add a <config-profile> entry to the <client> section. Example:
> >> >>
> >> >> <ossec_config>
> >> >>   <client>
> >> >>     <server-ip>192.168.17.9</server-ip>
> >> >>     <config-profile>openbsd-firewall,openbsd-test</config-profile>
> >> >>   </client>
> >> >> </ossec_config>
> >> >>
> >> >> The above agent is a member of the openbsd-firewall and openbsd-test profiles in agent.conf.
> >> >>
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >> >
> >> >> >
> >> >
> >> >
> >
>
-- 
Thank you,
Jared R. Greene
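Added example, not code from this thread or from the OSSEC project: a small Python script that does what the thread ends up doing by hand. It pulls the queue path out of the ossec.log ERROR lines quoted above (error ids 1210, 1211 and 1224) and then walks the queue directory, reporting every entry that is not owned by the expected user and group, so the check Jared wants in ossec-control can be run before a restart, or from cron, without a blanket chown -R that would also touch the www-data-owned directories in the AlienVault listing. Assumptions the thread does not state: the install lives under /var/ossec, the daemons that log the queue as '/queue/ossec/queue' are chrooted there so that the path maps onto /var/ossec/queue/ossec/queue, and ossec:ossec is the intended owner, as in the chown Jared ran. The sample log lines are copied from the thread; the scratch queue tree is constructed so the script runs without a real install.

```python
"""Triage OSSEC 'queue not accessible' errors and audit queue ownership.

Added example; not code from the ossec-list thread or from OSSEC itself.
Assumptions: OSSEC lives under /var/ossec, daemons that log the queue as
'/queue/ossec/queue' are chrooted there, and the queue tree is expected
to belong to ossec:ossec (the owner the thread's chown used).
"""
import grp
import os
import pwd
import re
import tempfile
from pathlib import Path

CHROOT = "/var/ossec"                                # assumption
EXPECTED_OWNER, EXPECTED_GROUP = "ossec", "ossec"    # assumption

# Error ids exactly as they appear in the lines quoted in the thread.
QUEUE_ERRORS = {"1210": "queue not accessible",
                "1211": "unable to access queue",
                "1224": "error sending message to queue"}

HEADER_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[a-z]+)\((\d+)\): ERROR: (.*)$")
PATH_RE = re.compile(r"'(/[^']+)'")          # first single-quoted absolute path

# Constructed sample: lines copied from the thread, plus one INFO line that
# must be ignored.
SAMPLE_LOG = """\
2013/08/14 19:37:36 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/14 19:41:56 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/14 19:41:58 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/14 19:46:06 ossec-monitord(1224): ERROR: Error sending message to queue.
2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\\Tomcat7\\logs\\localhost_access_log.2013-06-24.txt'.
"""


def parse_queue_errors(log_text, chroot=CHROOT):
    """One record per queue-related ERROR line, with the queue path made
    absolute on the host (a chrooted daemon logs it relative to CHROOT)."""
    records = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m or m.group(3) not in QUEUE_ERRORS:
            continue
        ts, daemon, code, msg = m.groups()
        pm = PATH_RE.search(msg)
        path = pm.group(1) if pm else None
        if path is not None and not path.startswith(chroot + "/"):
            path = chroot + path         # '/queue/...' -> '/var/ossec/queue/...'
        records.append({"ts": ts, "daemon": daemon, "code": code,
                        "reason": QUEUE_ERRORS[code], "path": path})
    return records


def owner_group(path):
    """('user', 'group') of path without following symlinks; numeric ids
    when the name cannot be resolved."""
    st = os.lstat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def audit_tree(root, owner=EXPECTED_OWNER, group=EXPECTED_GROUP):
    """Return [(path, 'actual_user:actual_group')] for every entry under
    root (root included) that is not owner:group.  Read-only on purpose:
    the AlienVault listing has www-data-owned directories next to queue,
    so whether to chown stays the operator's decision."""
    root = Path(root)
    bad = []
    for p in sorted([root, *root.rglob("*")]):
        actual = owner_group(p)
        if actual != (owner, group):
            bad.append((str(p), ":".join(actual)))
    return bad


def build_scratch_queue():
    """Constructed stand-in for /var/ossec/queue so the audit can be tried
    without a real install: <tmp>/ossec/queue as a plain file."""
    base = tempfile.mkdtemp(prefix="ossec-queue-")
    os.makedirs(os.path.join(base, "ossec"))
    Path(base, "ossec", "queue").touch()
    return base


if __name__ == "__main__":
    for r in parse_queue_errors(SAMPLE_LOG):
        print(f"{r['daemon']}({r['code']}) {r['reason']}: {r['path']}")
    root = build_scratch_queue()          # on a server: CHROOT + "/queue"
    for path, actual in audit_tree(root):
        print(f"not {EXPECTED_OWNER}:{EXPECTED_GROUP}: {path} is {actual}")
```

Run as is, the script triages the sample lines and audits the scratch tree; on a server, feed parse_queue_errors the real ossec.log and point audit_tree at CHROOT + "/queue". The audit returns a list instead of chowning, so the question Jared asks about the remaining root-owned entries is left to whoever runs it.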
