On Fri, Jan 31, 2014 at 3:32 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
>              Ok I will not comment the <active-response> in fact it was
> good thing enabling with proper httpd log and help me in terms of a php-cgi
> attack today and I can see a new log file active-responses.log. Secondly
> with regards to the system_audit I manage it and no more errors on it now.
> Actually what will the system_audit do in reality? Lastly I got this error

That file is supposed to go through the CIS benchmarks for RHEL 5.

> still left there 2014/01/31 16:18:01 ossec-analysisd(1210): ERROR: Queue
> '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2014/01/31 16:18:01 ossec-analysisd(1301): ERROR: Unable to connect to
> active response queue. Are they supposed to be waiting for some agents? Thank
> you very much for the support and kind help.
>

I'm not sure why you are getting that error. I'd make sure ossec-execd is
running on the OSSEC server, check permissions of the files in question,
and restart the processes.
Maybe you don't have AR setup for the server?

> Regards,
> Frwa.
>
> On Friday, January 31, 2014 1:28:45 AM UTC+8, dan (ddpbsd) wrote:
>>
>> On Thu, Jan 30, 2014 at 11:19 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> >            So what is your best advice should I comment out this
>> > <active-response> </active-response> to stop active response ? I added
>>
>> No, probably not. I'd probably try and track down the original problem
>> and fix that.
>>
>> > this line
>> >
>> > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> > and I tried to restart my ossec it gives me Ossec analysisd:Testing
>> > rules failed. Configuration error. Exiting. Over in the
>> > cis_rhel5_linux_rcl.txt I
>>
>> Are there any additional logs in ossec.log? Did you add it to the
>> correct section of the ossec.conf?
>>
>> > change these two lines 1) Red Hat Enterprise Linux \S+ release 6 and 2)
>> > CentOS && r:release 6.5.
>> >
>>
>> I'll assume this is correct for now.
>>
>> I don't have time to hand hold you through all of this. Hopefully
>> someone else does, or you can find someone with the technical skills
>> to help.
>>
>> > Regards,
>> > Frwa.
>> >
>> >
>> > On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> >             You said look into ossec.conf what to look to diagnose
>> >> > this ?
>> >>
>> >> I don't understand what this is in reference to. These emails are
>> >> getting harder and harder to follow.
>> >>
>> >> If this is in reference to the apache logs question and response: If
>> >> you know where the configuration is, you shouldn't have any problems
>> >> changing the configuration to match reality. Find the entries for the
>> >> files that do not exist, and modify them so they reference files that
>> >> do exist. Then restart OSSEC.
>> >>
>> >> > I am the one setup during setup it did not ask for active response
>> >>
>> >> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
>> >> it's probably enabled.
>> >>
>> >> > activation? How to decide based on the ossec.conf that the active
>> >> > response is on or off ? The ossec-execd is running . Yes this file exists
>> >>
>> >> I believe AR is enabled, unless expressly disabled.
>> >>
>> >> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt how you want me to test
>> >> > it ?
>> >> >
>> >>
>> >> Add it to the ossec.conf as a system_audit file. You'll have to modify
>> >> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
>> >> of 5, but that shouldn't be difficult.
>> >>
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]>
>> >> >> wrote:
>> >> >> > Dear Dan,
>> >> >> >              I have attached my ossec.conf file. Yes for the
>> >> >> > first problem
>> >> >> > I have known where the settings for the /var/www/log/access_log
>> >> >> > and
>> >> >>
>> >> >> Then I'm not sure why you asked how to change the entries.
>> >> >>
>> >> >> > error_log. For your next question I am not sure how you determine
>> >> >> > the rootcheck? I am using Centos 6.5 (Final). Also how to
>> >> >> > determine if the active
>> >> >>
>> >> >> You look in the ossec.conf. I'll have to go through the source to
>> >> >> find out what the error is complaining about.
>> >> >>
>> >> >> > response is being used? Should I comment it to off it?
>> >> >> >
>> >> >>
>> >> >> You should ask your administrator if they disabled it, either during
>> >> >> or post installation.
>> >> >> It doesn't look like it, based on the ossec.conf.
>> >> >> Is ossec-execd running?
>> >> >>
>> >> >> > Regards,
>> >> >> > Frwa.
>> >> >> >
>> >> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Dear All,
>> >> >> >> >           I saw this in my log file of ossec. For my case it's
>> >> >> >> > /var/www/log not logs. How to change this ?
>> >> >> >> >
>> >> >> >>
>> >> >> >> These configurations are in /var/ossec/etc/ossec.conf on the
>> >> >> >> system generating the errors.
>> >> >> >>
>> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not
>> >> >> >> > available, ignoring it: '/var/log/authlog'.
>> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not
>> >> >> >> > available, ignoring it: '/var/log/xferlog'.
>> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not
>> >> >> >> > available, ignoring it: '/var/www/logs/access_log'.
>> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not
>> >> >> >> > available, ignoring it: '/var/www/logs/error_log'.
>> >> >> >> >
>> >> >> >> > Also saw this. How to configure the system audit file is it a
>> >> >> >> > must here?
>> >> >> >> >
>> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the
>> >> >> >> > white list for active reponse.
>> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
>> >> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not
>> >> >> >> > configured.
>> >> >> >> >
>> >> >> >>
>> >> >> >> What is your rootcheck configuration? What OS is the system
>> >> >> >> generating the error?
>> >> >> >>
>> >> >> >> > Another error I saw was this.
>> >> >> >> >
>> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue
>> >> >> >> > '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to
>> >> >> >> > connect to active response queue.
>> >> >> >> >
>> >> >> >>
>> >> >> >> Are you using active response?
>> >> >> >>
>> >> >> >> > I need help on these few errors which I see and what I should
>> >> >> >> > avoid ?
>> >> >> >> >

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
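As an added example (not code from the thread or from the OSSEC project), a small checker that reads an ossec.conf the way Dan describes: it lists the <localfile> locations that do not exist on disk (the ones logcollector reports as "File not available, ignoring it"), reports whether <active-response> is expressly disabled, and shows which <system_audit> files rootcheck will use. The config below is a constructed sample, and the `exists` hook is an assumption that lets the check run against a fake filesystem.

```python
# Added example: audit an ossec.conf for the problems discussed in the thread.
import os
import xml.etree.ElementTree as ET

# Constructed sample config; the poster's real ossec.conf is not on the page.
SAMPLE_CONF = """<ossec_config>
  <rootcheck>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
"""

def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML, so wrap the text in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")

def localfile_locations(root):
    """Every <location> declared under a <localfile> block (wildcards untouched)."""
    return [lf.findtext("location", "").strip() for lf in root.iter("localfile")]

def missing_locations(root, exists=os.path.exists):
    """Locations logcollector would report as 'File not available, ignoring it'.
    `exists` is injectable (assumed hook) so the check can run on a fake filesystem."""
    return [p for p in localfile_locations(root) if not exists(p)]

def active_response_disabled(root):
    """AR is on unless an <active-response> block contains <disabled>yes</disabled>."""
    return any((ar.findtext("disabled") or "").strip().lower() == "yes"
               for ar in root.iter("active-response"))

def system_audit_files(root):
    """The <system_audit> files configured under <rootcheck>."""
    return [sa.text.strip() for rc in root.iter("rootcheck")
            for sa in rc.findall("system_audit") if sa.text]
```

Run it against a real /var/ossec/etc/ossec.conf by passing the file contents to parse_ossec_conf and calling missing_locations with the default os.path.exists.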
