On Thu, Jan 30, 2014 at 11:19 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> So what is your best advice, should I comment out this
> <active-response> </active-response> to stop active response ? I added

No, probably not. I'd probably try and track down the original problem
and fix that.

> this line
> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> and I tried to restart my ossec. It gives me "Ossec analysisd: Testing rules
> failed. Configuration error. Exiting." Over in the cis_rhel5_linux_rcl.txt I

Are there any additional logs in ossec.log? Did you add it to the
correct section of the ossec.conf?

> changed these two lines: 1) Red Hat Enterprise Linux \S+ release 6 and 2)
> CentOS && r:release 6.5.
>

I'll assume this is correct for now.

I don't have time to hand hold you through all of this. Hopefully
someone else does, or you can find someone with the technical skills
to help.

> Regards,
> Frwa.
>
>
> On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > You said look into ossec.conf. What to look for to diagnose
>> > this ?
>>
>> I don't understand what this is in reference to. These emails are
>> getting harder and harder to follow.
>>
>> If this is in reference to the apache logs question and response: If
>> you know where the configuration is, you shouldn't have any problems
>> changing the configuration to match reality. Find the entries for the
>> files that do not exist, and modify them so they reference files that
>> do exist. Then restart OSSEC.
>>
>> > I am the one who set it up. During setup it did not ask for active response
>>
>> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
>> it's probably enabled.
>>
>> > activation? How to decide based on the ossec.conf whether the active
>> > response is on or off ? The ossec-execd is running. Yes, this file exists:
>>
>> I believe AR is enabled, unless expressly disabled.
>>
>> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt. How do you want me to test it ?
>> >
>>
>> Add it to the ossec.conf as a system_audit file. You'll have to modify
>> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
>> of 5, but that shouldn't be difficult.
>>
>> > Regards,
>> > Frwa.
>> >
>> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > I have attached my ossec.conf file. Yes, for the first problem
>> >> > I have known where the settings for the /var/www/log/access_log and
>> >>
>> >> Then I'm not sure why you asked how to change the entries.
>> >>
>> >> > error_log are. For your next question, I am not sure how you determine the
>> >> > rootcheck? I am using Centos 6.5 (Final). Also, how to determine if the
>> >> > active
>> >>
>> >> You look in the ossec.conf. I'll have to go through the source to find
>> >> out what the error is complaining about.
>> >>
>> >> > response is being used? Should I comment it out to turn it off?
>> >> >
>> >>
>> >> You should ask your administrator if they disabled it, either during
>> >> or post installation.
>> >> It doesn't look like it, based on the ossec.conf.
>> >> Is ossec-execd running?
>> >>
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
>> >> >> > Dear All,
>> >> >> > I saw this in my log file of ossec. For my case it's
>> >> >> > /var/www/log, not logs. How to change this ?
>> >> >> >
>> >> >>
>> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system
>> >> >> generating the errors.
>> >> >>
>> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >> >
>> >> >> > Also saw this. How to configure the system audit file? Is it a must here?
>> >> >> >
>> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
>> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
>> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
>> >> >> >
>> >> >>
>> >> >> What is your rootcheck configuration? What OS is the system
>> >> >> generating the error?
>> >> >>
>> >> >> > Another error I saw was this.
>> >> >> >
>> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >
>> >> >>
>> >> >> Are you using active response?
>> >> >>
>> >> >> > I need help on these few errors which I see and what I should
>> >> >> > avoid ?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
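The three checks dan asks for across this thread (find the <localfile> entries whose files do not exist, confirm the <system_audit> line was added to the right section of ossec.conf, and tell from ossec.conf alone whether active response is disabled) can be scripted rather than eyeballed. The script below is an added example, not code from the thread or from the OSSEC project. The ossec.conf fragment embedded in it is constructed for the demonstration and is not the poster's attached file; the tag layout it relies on (several top-level <ossec_config> blocks, <localfile>/<location>, <system_audit> living under <rootcheck>, and <active-response>/<disabled>) is standard OSSEC configuration. The optional `exists` argument is there so the file-existence check can be exercised without touching the real filesystem.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for the demonstration (not the poster's file).
# It deliberately contains one log path that does not exist, one <system_audit>
# placed outside <rootcheck>, and an explicitly disabled active response.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
<ossec_config>
  <system_audit>/var/ossec/etc/shared/misplaced.txt</system_audit>
</ossec_config>
"""


def parse_ossec_conf(text):
    # ossec.conf is usually several sibling <ossec_config> blocks with no single
    # root, so wrap them in a synthetic root before handing them to the parser.
    return ET.fromstring("<root>" + text + "</root>")


def missing_localfiles(text, exists=os.path.exists):
    # Paths that logcollector would report as "File not available, ignoring it".
    root = parse_ossec_conf(text)
    missing = []
    for lf in root.iter("localfile"):
        loc = lf.find("location")
        if loc is not None and loc.text and not exists(loc.text.strip()):
            missing.append(loc.text.strip())
    return missing


def misplaced_system_audit(text):
    # <system_audit> is only valid inside <rootcheck>; a copy placed directly
    # under <ossec_config> is the kind of mistake that fails the config test.
    root = parse_ossec_conf(text)
    return [
        child.text.strip()
        for block in root.findall("ossec_config")
        for child in block
        if child.tag == "system_audit" and child.text
    ]


def active_response_disabled(text):
    # Active response is on unless an <active-response> block says <disabled>yes</disabled>.
    root = parse_ossec_conf(text)
    for ar in root.iter("active-response"):
        flag = ar.find("disabled")
        if flag is not None and flag.text and flag.text.strip().lower() == "yes":
            return True
    return False


def report(text, exists=os.path.exists):
    return {
        "missing_localfiles": missing_localfiles(text, exists),
        "misplaced_system_audit": misplaced_system_audit(text),
        "active_response_disabled": active_response_disabled(text),
    }


if __name__ == "__main__":
    # Pass a path to a real ossec.conf, or run with no argument to use the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in report(conf).items():
        print(f"{key}: {value}")
```

Run it against /var/ossec/etc/ossec.conf on the host generating the errors; every path listed under missing_localfiles is one to correct (for the poster, /var/www/logs/ to /var/www/log/), and a non-empty misplaced_system_audit list means the <system_audit> line should move into the <rootcheck> block before restarting OSSEC.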
