Dear Dan,
OK, I will not comment out the <active-response>; in fact it was a
good thing enabling it with the proper httpd log, and it helped me with a php-cgi
attack today, and I can see a new log file, active-responses.log. Secondly,
with regards to the system_audit, I managed it and there are no more errors on it now.
Actually, what will the system_audit do in reality? Lastly, I still have this error
left there:
2014/01/31 16:18:01 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2014/01/31 16:18:01 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
Are they supposed to be waiting for some agents?
Thank you very much for the support and kind help.
Regards,
Frwa.
On Friday, January 31, 2014 1:28:45 AM UTC+8, dan (ddpbsd) wrote:
>
> On Thu, Jan 30, 2014 at 11:19 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > So what is your best advice should I comment out this
> > <active-response> </active-response> to stop active response ? I added
>
> No, probably not. I'd probably try and track down the original problem
> and fix that.
>
> > this line
> > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> > and I tried to restart my ossec it gives me Ossec analysisd:Testing
> > rules failed. Configuration error. Exiting. Over in the
> > cis_rhel5_linux_rcl.txt I
>
> Are there any additional logs in ossec.log? Did you add it to the
> correct section of the ossec.conf?
>
> > changed these two lines: 1) Red Hat Enterprise Linux \S+ release 6 and 2)
> > CentOS && r:release 6.5.
> >
>
> I'll assume this is correct for now.
>
> I don't have time to hand-hold you through all of this; hopefully
> someone else does, or you can find someone with the technical skills
> to help.
>
> > Regards,
> > Frwa.
> >
> >
> > On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > You said look into ossec.conf what to look to diagnose
> >> > this ?
> >>
> >> I don't understand what this is in reference to. These emails are
> >> getting harder and harder to follow.
> >>
> >> If this is in reference to the apache logs question and response: If
> >> you know where the configuration is, you shouldn't have any problems
> >> changing the configuration to match reality. Find the entries for the
> >> files that do not exist, and modify them so they reference files that
> >> do exist. Then restart OSSEC.
> >>
> >> > I am the one who set it up; during setup it did not ask for active response
> >>
> >> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
> >> it's probably enabled.
> >>
> >> > activation? How do I decide based on the ossec.conf whether the active
> >> > response is on or off? The ossec-execd is running. Yes, this file exists:
> >>
> >> I believe AR is enabled, unless expressly disabled.
> >>
> >> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt. How do you want me to test it?
> >> >
> >>
> >> Add it to the ossec.conf as a system_audit file. You'll have to modify
> >> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
> >> of 5, but that shouldn't be difficult.
> >>
> >> > Regards,
> >> > Frwa.
> >> >
> >> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
> >> >> > Dear Dan,
> >> >> > I have attached my ossec.conf file. Yes, for the first problem
> >> >> > I have known where the settings for the /var/www/log/access_log and
> >> >>
> >> >> Then I'm not sure why you asked how to change the entries.
> >> >>
> >> >> > error_log are. For your next question, I am not sure how you determine the
> >> >> > rootcheck? I am using Centos 6.5 (Final). Also, how to determine if the
> >> >> > active
> >> >>
> >> >> You look in the ossec.conf. I'll have to go through the source to find
> >> >> out what the error is complaining about.
> >> >>
> >> >> > response is being used? Should I comment it out to turn it off?
> >> >> >
> >> >>
> >> >> You should ask your administrator if they disabled it, either during
> >> >> or post installation.
> >> >> It doesn't look like it, based on the ossec.conf.
> >> >> Is ossec-execd running?
> >> >>
> >> >> > Regards,
> >> >> > Frwa.
> >> >> >
> >> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
> >> >> >> > Dear All,
> >> >> >> > I saw this in my log file of ossec. For my case it's /var/www/log,
> >> >> >> > not logs. How do I change this?
> >> >> >> >
> >> >> >>
> >> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system
> >> >> >> generating the errors.
> >> >> >>
> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
> >> >> >> >
> >> >> >> > Also saw this. How do I configure the system audit file? Is it a must
> >> >> >> > here?
> >> >> >> >
> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
> >> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
> >> >> >> >
> >> >> >>
> >> >> >> What is your rootcheck configuration? What OS is the system
> >> >> >> generating the error?
> >> >> >>
> >> >> >> > Another error I saw was this.
> >> >> >> >
> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> >> >> >> >
> >> >> >>
> >> >> >> Are you using active response?
> >> >> >>
> >> >> >> > I need help on these few errors which I see and what I should
> >> >> >> > avoid ?
> >> >> >> >
> >> >> >
> >> >
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
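As an added example (not code from this thread or from the OSSEC project), the following Python does the checks the thread keeps circling back to: it parses an ossec.conf, reports <localfile> locations and system_audit files that do not exist on disk (the source of the logcollector "File not available" lines), tells you whether <active-response> is explicitly disabled, and rewrites location prefixes so the entries point at files that do exist. The configuration snippet is constructed to mirror the thread, and the `exists` parameter is an assumption added so the check can run offline.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of the ossec.conf pieces from the thread: two <localfile>
# entries at /var/www/logs/* (reported as "File not available" by logcollector),
# the active-response block, and the system_audit line that was added.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
<ossec_config>
  <rootcheck>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
</ossec_config>"""

def parse_ossec_conf(text):
    # ossec.conf may hold several <ossec_config> roots; wrap them in one synthetic root.
    return ET.fromstring("<root>" + text + "</root>")

def audit_conf(text, exists=os.path.exists):
    """Report missing <location>/<system_audit> paths and whether AR is disabled."""
    root = parse_ossec_conf(text)
    report = {"missing_logs": [], "missing_audit": [], "ar_disabled": False}
    for lf in root.iter("localfile"):
        loc = lf.findtext("location", default="").strip()
        if loc and not exists(loc):  # wildcard locations would need glob(); not handled
            report["missing_logs"].append(loc)
    for sa in root.iter("system_audit"):
        path = (sa.text or "").strip()
        if path and not exists(path):
            report["missing_audit"].append(path)
    for ar in root.iter("active-response"):
        if ar.findtext("disabled", default="").strip().lower() == "yes":
            report["ar_disabled"] = True
    return report

def fix_locations(text, old, new):
    """Rewrite <location> paths that start with `old` so they start with `new`."""
    return re.sub(r"(<location>)" + re.escape(old), r"\g<1>" + new, text)
```

Run `audit_conf(open("/var/ossec/etc/ossec.conf").read())` on the host generating the errors, then restart OSSEC after editing the file.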