Dear Dan,
So what is your best advice: should I comment out this
<active-response> </active-response> to stop active response? I added
this line
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
and I tried to restart my OSSEC; it gives me "ossec-analysisd: Testing rules
failed. Configuration error. Exiting." Over in the cis_rhel5_linux_rcl.txt I
changed these two lines: 1) Red Hat Enterprise Linux \S+ release 6 and 2)
CentOS && r:release 6.5.
Regards,
Frwa.
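As an added example (not from this thread or the OSSEC project), a small Python check for the things Dan's replies quoted below point at: whether ossec.conf still parses after an edit, which localfile locations do not exist on disk, whether active response is expressly disabled, and which system_audit files rootcheck will load. It runs against a constructed sample configuration; the `exists` parameter is injectable so the path check can be exercised without touching the real filesystem.

```python
# Check an OSSEC ossec.conf for the issues raised in this thread: missing
# localfile paths, active response disabled or not, system_audit configured.
import os
import xml.etree.ElementTree as ET

# Constructed sample resembling the poster's setup (not the real ossec.conf).
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
<ossec_config>
  <active-response><disabled>yes</disabled></active-response>
</ossec_config>
"""

def parse_conf(text):
    # ossec.conf may contain several <ossec_config> roots, so wrap them.
    return ET.fromstring("<root>" + text + "</root>")

def is_well_formed(text):
    """False if an edit left the file unparsable (a restart would then fail)."""
    try:
        parse_conf(text)
        return True
    except ET.ParseError:
        return False

def missing_localfiles(text, exists=os.path.exists):
    """<location> paths the logcollector would report as not available."""
    paths = [lf.findtext("location", "").strip()
             for lf in parse_conf(text).iter("localfile")]
    return [p for p in paths if p and not exists(p)]

def active_response_disabled(text):
    """AR is on unless <active-response><disabled>yes</disabled> is set."""
    return any((ar.findtext("disabled") or "").strip().lower() == "yes"
               for ar in parse_conf(text).iter("active-response"))

def system_audit_files(text):
    """Files rootcheck will audit; empty means 'System audit file not configured'."""
    return [(sa.text or "").strip() for sa in parse_conf(text).iter("system_audit")]
```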
On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
>
> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > You said to look into ossec.conf; what should I look for to diagnose
> > this?
>
> I don't understand what this is in reference to. These emails are
> getting harder and harder to follow.
>
> If this is in reference to the apache logs question and response: If
> you know where the configuration is, you shouldn't have any problems
> changing the configuration to match reality. Find the entries for the
> files that do not exist, and modify them so they reference files that
> do exist. Then restart OSSEC.
>
> > I am the one who set it up; during setup it did not ask for active response
>
> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
> it's probably enabled.
>
> > activation? How do I decide, based on the ossec.conf, whether the active
> > response is on or off? The ossec-execd is running. Yes, this file exists:
>
> I believe AR is enabled, unless expressly disabled.
>
> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt. How do you want me to test
> > it?
> >
>
> Add it to the ossec.conf as a system_audit file. You'll have to modify
> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
> of 5, but that shouldn't be difficult.
>
> > Regards,
> > Frwa.
> >
> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > I have attached my ossec.conf file. Yes, for the first problem
> >> > I know where the settings for the /var/www/log/access_log and
> >>
> >> Then I'm not sure why you asked how to change the entries.
> >>
> >> > error_log are. For your next question, I am not sure how you determine
> >> > the rootcheck? I am using CentOS 6.5 (Final). Also, how do I determine
> >> > if the active
> >>
> >> You look in the ossec.conf. I'll have to go through the source to find
> >> out what the error is complaining about.
> >>
> >> > response is being used? Should I comment it out to turn it off?
> >> >
> >>
> >> You should ask your administrator if they disabled it, either during
> >> or post installation.
> >> It doesn't look like it, based on the ossec.conf.
> >> Is ossec-execd running?
> >>
> >> > Regards,
> >> > Frwa.
> >> >
> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
> >> >> > Dear All,
> >> >> > I saw this in my OSSEC log file. In my case it's /var/www/log,
> >> >> > not logs. How do I change this?
> >> >> >
> >> >>
> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system
> >> >> generating the errors.
> >> >>
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
> >> >> >
> >> >> > Also saw this. How do I configure the system audit file; is it a must
> >> >> > here?
> >> >> >
> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
> >> >> >
> >> >>
> >> >> What is your rootcheck configuration? What OS is the system generating
> >> >> the error?
> >> >>
> >> >> > Another error I saw was this.
> >> >> >
> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> >> >> >
> >> >>
> >> >> Are you using active response?
> >> >>
> >> >> > I need help with these few errors which I see, and what should I
> >> >> > avoid?
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send
> >> >> > an
> >> >> > email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
> >
>