I actually ran into this issue this week.  After restarting a cluster a few
instances didn't want to start the OSSEC agent.  It was eventually
determined that the /var/ossec permissions had gotten messed up.  The
puppet module we were using was creating ossec, ossecr, and ossecm on the
agents and at reboot for some reason ossecm had stolen permission of the
folder and had set the permissions to 700. chown root:ossec /var/ossec &
chmod 550 /var/ossec fixed the issue.

I haven't gotten a chance to dig into the OSSEC source code and figure out
why it wasn't logging that it was running into an issue starting.

--Josh


On Wed, Feb 26, 2014 at 1:04 PM, OsO Roñoso <[email protected]> wrote:

> Hi,
>
>  I have a problem installing the agent on Solaris 10. I read other forums
> but without more success. Does somebody have any idea? (The same agent on
> Windows and Linux works fine.)
>
> root@lenga #  /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
> Deleting PID file '/var/ossec/var/run/ossec-logcollector-6253.pid' not
> used...
> ossec-execd already running...
> Started ossec-agentd...
> Started ossec-logcollector...
> 2014/02/26 14:36:02 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Destination address
> required'.
> 2014/02/26 14:36:02 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Destination address
> required'.
> 2014/02/26 14:36:10 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Destination address
> required'.
> 2014/02/26 14:36:10 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Destination address
> required'.
> 2014/02/26 14:36:23 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Destination address
> required'.
> 2014/02/26 14:36:23 ossec-rootcheck(1211): ERROR: Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
> ossec-syscheckd did not start
>
>
> root@lenga # ls -las
> total 4
>    2 drwxrwx---   2 root     root         512 Feb 26 14:31 .
>    2 dr-xr-x---   7 root     root         512 Feb 25 18:26 ..
>    0 -rw-r--r--   1 root     root           0 Feb 25 18:34 .agent_info
> <---- I changed the owner to ossec and root, same problem
>    0 srw-rw----   1 ossec    ossec          0 Feb 25 18:34 queue
>
> If you need more details please let me know
>
> best regards
>
>
>
>
>
>  --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

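The ownership and mode check behind the fix in the reply above, written as an added example that is not part of the original thread or of OSSEC itself. The expected values (root:ossec, 550 on /var/ossec) are the ones given in the reply; the function name, exit codes and script name are hypothetical.

```shell
#!/bin/sh
# Added example: report ownership/mode drift on an OSSEC directory.
# Expected values for /var/ossec (root:ossec, 550) come from the fix in the
# reply above; check_path and its exit codes are hypothetical names.

# check_path PATH OWNER GROUP OCTAL_MODE
# returns 0 = matches, 1 = drift, 2 = path missing
check_path() {
    cp_path=$1
    cp_want="$4 $2:$3"

    if [ ! -e "$cp_path" ]; then
        echo "MISSING $cp_path"
        return 2
    fi

    # Parse `ls -ld` (mode, links, owner, group, ...) instead of relying on
    # GNU stat. Only the nine rwx bits are converted; setuid/setgid/sticky
    # are treated as plain execute bits.
    cp_have=$(ls -ld "$cp_path" | awk '{
        octal = ""
        for (i = 0; i < 3; i++) {
            t = substr($1, 2 + i * 3, 3); v = 0
            if (substr(t, 1, 1) == "r") v += 4
            if (substr(t, 2, 1) == "w") v += 2
            if (substr(t, 3, 1) ~ /[xst]/) v += 1
            octal = octal v
        }
        print octal, $3 ":" $4
    }')

    if [ "$cp_have" = "$cp_want" ]; then
        echo "OK      $cp_path ($cp_have)"
        return 0
    fi
    # Report only; the suggested command mirrors the fix from the reply.
    echo "DRIFT   $cp_path: have '$cp_have', want '$cp_want'"
    echo "        fix: chown $2:$3 $cp_path && chmod $4 $cp_path"
    return 1
}

# Run as: sh check_ossec_perms.sh /var/ossec root ossec 550
if [ "$#" -eq 4 ]; then
    check_path "$@"
fi
```

Running it from configuration management or a boot-time job makes the 700 drift described above visible even when the agent itself logs nothing.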