On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> You said to look into ossec.conf; what do I look for to diagnose this?

I don't understand what this is in reference to. These emails are
getting harder and harder to follow.

If this is in reference to the apache logs question and response: If
you know where the configuration is, you shouldn't have any problems
changing the configuration to match reality. Find the entries for the
files that do not exist, and modify them so they reference files that
do exist. Then restart OSSEC.

> I am the one who did the setup; during setup it did not ask for active response

Yes it did ask. But I didn't see it disabled in your ossec.conf, so
it's probably enabled.

> activation? How do I decide, based on the ossec.conf, whether the active response
> is on or off? The ossec-execd is running. Yes, this file exists:

I believe AR is enabled, unless expressly disabled.

> /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt. How do you want me to test it?
>

Add it to the ossec.conf as a system_audit file. You'll have to modify
the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
of 5, but that shouldn't be difficult.

> Regards,
> Frwa.
>
> On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > I have attached my ossec.conf file. Yes, for the first problem
>> > I know where the settings for the /var/www/log/access_log and
>>
>> Then I'm not sure why you asked how to change the entries.
>>
>> > error_log are. For your next question, I am not sure how you determine the
>> > rootcheck? I am using CentOS 6.5 (Final). Also, how do I determine if the
>> > active
>>
>> You look in the ossec.conf. I'll have to go through the source to find
>> out what the error is complaining about.
>>
>> > response is being used? Should I comment it out to turn it off?
>> >
>>
>> You should ask your administrator if they disabled it, either during
>> or post installation.
>> It doesn't look like it, based on the ossec.conf.
>> Is ossec-execd running?
>>
>> > Regards,
>> > Frwa.
>> >
>> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
>> >> > Dear All,
>> >> > I saw this in my OSSEC log file. In my case it's /var/www/log,
>> >> > not logs. How do I change this?
>> >> >
>> >>
>> >> These configurations are in /var/ossec/etc/ossec.conf on the system
>> >> generating the errors.
>> >>
>> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >
>> >> > Also saw this. How do I configure the system audit file? Is it a must
>> >> > here?
>> >> >
>> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
>> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
>> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
>> >> >
>> >>
>> >> What is your rootcheck configuration? What OS is on the system generating
>> >> the error?
>> >>
>> >> > Another error I saw was this.
>> >> >
>> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >
>> >>
>> >> Are you using active response?
>> >>
>> >> > I need help with these few errors which I see, and what I should avoid?
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>


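A small diagnostic for the three questions in this thread: which `<localfile>` entries in ossec.conf point at files that do not exist (the "File not available" messages), whether active response is expressly disabled via `<active-response><disabled>yes</disabled>` (Dan's "enabled unless disabled" rule), and whether rootcheck has any `<system_audit>` entry (the "System audit file not configured" message). This is an added example, not code from the list or the OSSEC project; the ossec.conf text it parses is constructed, and it assumes OSSEC's layout of several top-level `<ossec_config>` blocks in one file.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not the poster's attached file). OSSEC allows
# several <ossec_config> blocks in one file, so the parser wraps the text in a
# dummy root element before handing it to ElementTree.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
"""

def parse_ossec_conf(text):
    """Parse ossec.conf text and return the list of <ossec_config> elements."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("ossec_config")

def missing_localfiles(text, exists=os.path.exists):
    """<localfile> locations the logcollector would log as 'File not available'."""
    paths = [loc.text.strip()
             for cfg in parse_ossec_conf(text)
             for loc in cfg.findall("localfile/location")]
    return [p for p in paths if not exists(p)]

def active_response_enabled(text):
    """Active response is on unless some <active-response><disabled> says yes."""
    for cfg in parse_ossec_conf(text):
        for d in cfg.findall("active-response/disabled"):
            if (d.text or "").strip().lower() == "yes":
                return False
    return True

def system_audit_files(text):
    """Rootcheck <system_audit> paths; an empty list means none is configured."""
    return [sa.text.strip()
            for cfg in parse_ossec_conf(text)
            for sa in cfg.findall("rootcheck/system_audit")]
```

Run it against a real /var/ossec/etc/ossec.conf by reading the file into `text`; the `exists` parameter only exists so the check can be exercised without the real paths present.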