I'm not talking about solving someone's specific issues. If people knew which file permissions were changed - then they had no issue in the first place - they would have just fixed it. I'm talking about an idiot-proof script that goes over *all* relevant ossec folders/files and chown'ing them to the relevant ossec user (ossec, ossecr, ?).
Then whenever we see someone talking about 'ossec process does not start' (or similar) the first question would be - 'did you try the 'fix-most-ossec-issues-script.sh'?'

Just my $0.02.

Cheers

On Fri, Sep 13, 2013 at 10:37 AM, dan (ddp) <[email protected]> wrote:

> On Fri, Sep 13, 2013 at 1:36 PM, Roy Feintuch <[email protected]> wrote:
> > Dan or anyone else - I see from time to time people reporting issues caused
> > by wrong permissions.
> > Is there any script somewhere to fix/rebuild all OSSEC related files
> > permissions?
> >
>
> Not that I know of. If you let us know which files you keep changing
> the permissions on, we can probably create something.
>
> >
> > On Friday, September 13, 2013 8:06:15 AM UTC-7, [email protected]:
> >>
> >> Thanks Dan. That fixed that issue but now looking at others. Appears
> >> someone has changed ownership of files in the ossec directory structure and
> >> there are still issues which are causing problems with the app including
> >> errors like:
> >>
> >> 2013/09/13 09:30:22 ossec-analysisd: Rules in an inconsistent state. Exiting.
> >> -and-
> >> 2013/09/13 09:30:30 ossec-logcollector(1224): ERROR: Error sending message to queue.
> >> 2013/09/13 09:30:33 ossec-logcollector(1210): ERROR: Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2013/09/13 09:30:33 ossec-logcollector(1211): ERROR: Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
> >> 2013/09/13 09:31:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> 2013/09/13 09:31:18 ossec-syscheckd: socketerr (not available).
> >> 2013/09/13 09:31:18 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> >>
> >> Why always on a Friday??? ;-)
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >> Sent: Friday, September 13, 2013 9:16 AM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] "WARN: Process locked. Waiting for permission" At Server When Trying To Start Server
> >>
> >> On Fri, Sep 13, 2013 at 10:08 AM, MDACC-Luckie <[email protected]> wrote:
> >> > I have dealt with issues with agents not connecting to the server with a
> >> > "WARN: Process locked. Waiting for permission" message in the log but
> >> > not at the server. When starting OSSEC on the primary OSSEC server, I
> >> > am getting that message in the OSSEC log file. No agents appear to be
> >> > able to connect to the server now. Any suggestions or thoughts on
> >> > what to look at on the server to fix this?
> >> >
> >>
> >> Make sure all ossec processes are stopped, and try removing the lock file:
> >> /var/ossec/queue/ossec/.wait
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/gjFg0WRdorg/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

--
Roy Feintuch, CTO & Co-founder
Dome9 Security
(e) » [email protected]
(web) » http://dome9.com
(m) » +1-415-3423543
(Skype) » froyke
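
Added example, not part of the original thread and not an OSSEC project script: a read-only audit that lists entries under the OSSEC install directory whose owner is outside an expected set, and reports the `queue/ossec/.wait` lock file mentioned above. The function names, the default directory `/var/ossec` and the default owner list `root ossec ossecr` are assumptions; pass your own install path and account names.

```shell
#!/bin/sh
# Added example: read-only audit; it never changes ownership or deletes files.

# Print "owner:group path" for every entry under DIR ($1) whose owner is not
# in the space-separated ALLOWED list ($2). Uses `stat -c` (GNU/BusyBox).
ossec_owner_audit() {
    find "$1" -exec stat -c '%U:%G %n' {} + 2>/dev/null |
    while IFS= read -r line; do
        owner=${line%%:*}
        case " $2 " in
            *" $owner "*) ;;                 # expected owner, stay quiet
            *) printf '%s\n' "$line" ;;      # report the deviation
        esac
    done
}

# Full check: ownership deviations plus the lock file named in the thread.
# Defaults are assumptions: install dir /var/ossec, owners root/ossec/ossecr.
# Returns 0 when nothing was found, 1 otherwise.
ossec_audit() {
    dir=${1:-/var/ossec}
    allowed=${2:-root ossec ossecr}
    status=0
    bad=$(ossec_owner_audit "$dir" "$allowed")
    if [ -n "$bad" ]; then
        printf 'Unexpected owner under %s:\n%s\n' "$dir" "$bad"
        status=1
    fi
    if [ -e "$dir/queue/ossec/.wait" ]; then
        # Per the thread: remove it only after all ossec processes are stopped.
        printf 'Lock file present: %s\n' "$dir/queue/ossec/.wait"
        status=1
    fi
    return "$status"
}

# Run only when called with arguments, e.g.:
#   sh ossec-audit.sh /opt/ossec "root ossec ossecr"
if [ "$#" -gt 0 ]; then
    ossec_audit "$@"
fi
```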
