On Wed, Jan 29, 2014 at 7:44 AM, dan (ddp) <[email protected]> wrote: > On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote: >> Dear Dan, >> I have attached my ossec.conf file. Yes for the first problem >> I have known where the settings for the /var/www/log/access_log and > > Then I'm not sure why you asked how to change the entries. > >> error_log. For your next question I am not sure how you determine the rook >> check? I am using Centos 6.5 (Final). Also how to determine if the active > > You look in the ossec.conf. I'll have to go through the source to find > out what the error is complaining about. >
Ok, you don't have <system_audit> defined in your ossec.conf. /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt might work, but it might not. If you test it out, let us know. >> response is being use? Should I comment it to off it? >> > > You should ask your administrator if they disabled it, either during > or post installation. > It doesn't look like it, based on the ossec.conf. > Is ossec-execd running? > >> Regards, >> Frwa. >> >> On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote: >>> >>> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote: >>> > Dear All, >>> > I saw this in my log file of ossec. For my case its >>> > /var/www/log >>> > not logs. How to change this ? >>> > >>> >>> These configurations are in /var/ossec/etc/ossec.conf on the system >>> generating the errors. >>> >>> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, >>> > ignoring it: '/var/log/authlog'. >>> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, >>> > ignoring it: '/var/log/xferlog'. >>> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, >>> > ignoring it: '/var/www/logs/access_log'. >>> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, >>> > ignoring it: '/var/www/logs/error_log'. >>> > >>> > Also saw this. How to configure the system audit file is it a must here? >>> > >>> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list >>> > for >>> > active reponse. >>> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925). >>> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured. >>> > >>> >>> What is your rootcheck configuration? What OS is the system generating >>> the error? >>> >>> > Another error I saw was this. >>> > >>> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue >>> > '/queue/alerts/ar' >>> > not accessible: 'Connection refused'. >>> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to >>> > active response queue. >>> > >>> >>> Are you using active response? >>> >>> > I need help on these few errors which I see and what I should avoid ? >>> > >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> > Groups >>> > "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> > an >>> > email to [email protected]. >>> > For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
