On Mon, Sep 30, 2013 at 12:18 PM, Ford,Luckie J <[email protected]> wrote:
> I may have narrowed it down a bit more. Seems ossec-remoted is unable to
> access the file /queue/ossec/queue. Since the actual path to the file is
> /opt/ossec/queue/ossec, is that the issue? Or is that just a relative path
> from the ossec directory? If in error, where/how do I correct it?
>

The daemon chroots to /var/ossec (or whatever strange location you put it). So for /opt/ossec/queue/ossec to exist you'd need /opt/ossec/opt/ossec/queue/ossec.

> [root@dcprpoemprddb1 logs]# /opt/ossec/bin/ossec-remoted -df
> 2013/09/30 11:08:46 ossec-remoted: DEBUG: Starting ...
> 2013/09/30 11:08:46 ossec-remoted: INFO: Started (pid: 12020).
> [root@dcprpoemprddb1 logs]# 2013/09/30 11:08:46 ossec-remoted: DEBUG: Forking
> remoted: '0'.
> 2013/09/30 11:08:46 ossec-remoted: INFO: Started (pid: 12021).
> 2013/09/30 11:08:46 ossec-remoted: DEBUG: Running manager_init
> 2013/09/30 11:08:49 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2013/09/30 11:08:49 ossec-remoted(1211): ERROR: Unable to access queue:
> '/queue/ossec/queue'. Giving up..
>
> If this appears to be correct with regard to path, can you tell me what the
> permissions should be for this? My current implementation has:
>
> srw-rw---- 1 ossec ossec 0 Sep 30 10:53 queue
>

[ddp@arrakis] :; cd /var/ossec/
[ddp@arrakis] :; ls -ld queue
dr-xr-x--- 11 root ossec 512 Jan 1 2013 queue
[ddp@arrakis] :; ls -ld queue/ossec
drwxrwx--- 2 ossec ossec 512 Oct 2 08:38 queue/ossec
[ddp@arrakis] :; ls -ld queue/ossec/queue
srw-rw---- 1 ossec ossec 0 Oct 2 08:38 queue/ossec/queue

Make sure analysisd is running, I think that process creates this file (but I can't remember for sure, check monitord as well).

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Ford,Luckie J
> Sent: Monday, September 30, 2013 8:53 AM
> To: [email protected]
> Subject: RE: [ossec-list] Re: Remoted issues
>
> I am running standalone OSSEC 2.6. I am not limiting file descriptors for my
> OSSEC users. My client.keys file has those permissions as well:
>
> -r--r----- 1 root ossec 65744 May 3 07:31 client.keys
>
> Any additional thoughts would be appreciated.
>
> (Thanks for your patience...was on a much needed vacation)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
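
An added example, not part of the original thread and not OSSEC's own code: a Python check that maps the chroot-relative path from the remoted log onto the real filesystem and probes the socket, separating "file missing" from "socket present but no process listening" (the 'Connection refused' case). It assumes the queue is a Unix datagram socket; the function names are hypothetical.

```python
import errno
import os
import socket
import stat

# Path exactly as remoted logs it: relative to the chroot, not the real root.
CHROOT_RELATIVE_QUEUE = "/queue/ossec/queue"


def real_queue_path(install_dir, chroot_path=CHROOT_RELATIVE_QUEUE):
    """Map a path seen inside the chroot to its location on the real filesystem."""
    return os.path.join(install_dir, chroot_path.lstrip("/"))


def diagnose_queue(install_dir, chroot_path=CHROOT_RELATIVE_QUEUE):
    """Return (status, detail) for the queue socket under install_dir."""
    path = real_queue_path(install_dir, chroot_path)
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing", path
    if not stat.S_ISSOCK(st.st_mode):
        return "not_a_socket", path
    mode = stat.filemode(st.st_mode)  # e.g. "srw-rw----", as ls -l prints it
    # Assumption: the queue is a Unix datagram socket. connect() sends no
    # data, so the probe does not inject anything into the queue.
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        probe.connect(path)
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # Socket file exists but nothing is bound to it any more.
            return "no_listener", mode
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "permission_denied", mode
        raise
    finally:
        probe.close()
    return "ok", mode


if __name__ == "__main__":
    import sys
    install = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec"
    print(real_queue_path(install), *diagnose_queue(install))
```

Run it as root or as a user in the ossec group, passing the install directory (for example /opt/ossec); an unprivileged user gets permission_denied from the srw-rw---- mode rather than a useful answer.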
