Dear Dan,
              So what is your best advice should I comment out this 
<active-response>  </active-response> to stop active response ?  I added 
this line 
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> 
and I tried to restart my ossec it gives me Ossec analysisd:Testing rules 
failed. Configuration error. Exiting. Over in the cis_rhel5_linux_rcl.txt I 
change this two lines 1) Red Hat Enterprise Linux \S+ release 6 and  2) 
CentOS && r:release 6.5. 

Regards,
Frwa.
                   

On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
>
> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]<javascript:>> 
> wrote: 
> > Dear Dan, 
> >               You said look into ossec.conf what to look to diagnose 
> this ? 
>
> I don't understand what this is in reference too. These emails are 
> getting harder and harder to follow. 
>
> If this is in reference to the apache logs question and response: If 
> you know where the configuration is, you shouldn't have any problems 
> changing the configuration to match reality. Find the entries for the 
> files that do not exist, and modify them so they reference files that 
> do exist. Then restart OSSEC. 
>
> > I am the one setup during setup it did not ask for active response 
>
> Yes it did ask. But I didn't see it disabled in your ossec.conf, so 
> it's probably enabled. 
>
> > activation? How to decide based on the ossec.conf that the active 
> response 
> > is on or off ? The ossec-execd  is running . Yes this file exist 
>
> I believe AR is enabled, unless expressly disabled. 
>
> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt how you want me to test it 
> ? 
> > 
>
> Add it to the ossec.conf as a system_audit file. You'll have to modify 
> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead 
> of 5, but that shouldn't be difficult. 
>
> > Regards, 
> > Frwa. 
> > 
> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote: 
> >> > Dear Dan, 
> >> >               I have attached my ossec.conf file. Yes for the first 
> >> > problem 
> >> > I have known where the settings for the /var/www/log/access_log and 
> >> 
> >> Then I'm not sure why you asked how to change the entries. 
> >> 
> >> > error_log. For your next question I am not sure how you determine the 
> >> > rook 
> >> > check? I am using Centos 6.5 (Final). Also how to determine if the 
> >> > active 
> >> 
> >> You look in the ossec.conf. I'll have to go through the source to find 
> >> out what the error is complaining about. 
> >> 
> >> > response is being use? Should I comment it to off it? 
> >> > 
> >> 
> >> You should ask your administrator if they disabled it, either during 
> >> or post installation. 
> >> It doesn't look like it, based on the ossec.conf. 
> >> Is ossec-execd running? 
> >> 
> >> > Regards, 
> >> > Frwa. 
> >> > 
> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> 
> wrote: 
> >> >> > Dear All, 
> >> >> >             I saw this in my log file of ossec. For my case its 
> >> >> > /var/www/log 
> >> >> > not logs. How to change this ? 
> >> >> > 
> >> >> 
> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system 
> >> >> generating the errors. 
> >> >> 
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not 
> >> >> > available, 
> >> >> > ignoring it: '/var/log/authlog'. 
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not 
> >> >> > available, 
> >> >> > ignoring it: '/var/log/xferlog'. 
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not 
> >> >> > available, 
> >> >> > ignoring it: '/var/www/logs/access_log'. 
> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not 
> >> >> > available, 
> >> >> > ignoring it: '/var/www/logs/error_log'. 
> >> >> > 
> >> >> > Also saw this. How to configure the system audit file is it a must 
> >> >> > here? 
> >> >> > 
> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the 
> white 
> >> >> > list 
> >> >> > for 
> >> >> > active reponse. 
> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925). 
> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not 
> >> >> > configured. 
> >> >> > 
> >> >> 
> >> >> What is your rootcheck configuration? What OS is the system 
> generating 
> >> >> the error? 
> >> >> 
> >> >> > Another error I saw was this. 
> >> >> > 
> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue 
> >> >> > '/queue/alerts/ar' 
> >> >> > not accessible: 'Connection refused'. 
> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to 
> connect 
> >> >> > to 
> >> >> > active response queue. 
> >> >> > 
> >> >> 
> >> >> Are you using active response? 
> >> >> 
> >> >> > I need help on these few errors which I see and what I should 
> avoid ? 
> >> >> > 
> >> >> > -- 
> >> >> > 
> >> >> > --- 
> >> >> > You received this message because you are subscribed to the Google 
> >> >> > Groups 
> >> >> > "ossec-list" group. 
> >> >> > To unsubscribe from this group and stop receiving emails from it, 
> >> >> > send 
> >> >> > an 
> >> >> > email to [email protected]. 
> >> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to [email protected] <javascript:>. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to