On Fri, Feb 28, 2014 at 10:24 AM, OsO Roñoso <[email protected]> wrote:
> When you suggested trying to start the daemons, I was running /var/ossec/bin/ and I
> executed them one by one. Is there another way to do this?
> And I changed chmod, chown like Josh said.
>
Was that an actual issue, or did you run the commands blindly?

> root@lenga # tail -f ossec.log
> 2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
> 2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
> 2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:47:39 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:47:46 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:47:58 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:48:02 ossec-agentd(1410): INFO: Reading authentication keys file.

It seems odd that it's reading the key file so many times so quickly. Are you sure the key has been installed? Check the owner/permissions of the keyfile.

> 2014/02/28 10:48:12 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 10:48:21 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
> 2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> 2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> This is weird, I'm not sure if it's fine.
>
> root@lenga # ./agent-auth
> ERROR: Not compiled. Missing OpenSSL support.
>
> And this is ossec.conf:
>
> <ossec_config>
>   <client>
>     <server-ip>172.0.12.168</server-ip>
>   </client>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/authlog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/messages</location>
>   </localfile>
> </ossec_config>
>
> Thanks for your help
>
>
> On Friday, February 28, 2014 10:02:20 UTC-3, dan (ddpbsd) wrote:
>>
>> On Thu, Feb 27, 2014 at 4:26 PM, OsO Roñoso <[email protected]> wrote:
>> > ok
>> >
>> > root@lenga # date
>> > Thursday, February 27, 2014 18:05:02 PM CLST
>> >
>> > root@lenga # /var/ossec/bin/ossec-execd
>> > root@lenga # /var/ossec/bin/ossec-agentd
>> > root@lenga # /var/ossec/bin/ossec-logcollector
>> > root@lenga # /var/ossec/bin/ossec-control status
>> > ossec-logcollector: Process 12105 not used by ossec, removing ..
>> > ossec-logcollector not running...
>> > ossec-syscheckd not running...
>> > ossec-agentd not running...
>> > ossec-execd is running...
>> > root@lenga # tail -f ../logs/ossec.log
>> > 2014/02/27 18:02:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>
>> Is there anything previous to this? At any point did you try what I
>> suggested in my previous email?
>>
>> And as Josh suggested, check your permissions.
>>
>> > 2014/02/27 18:02:36 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> > 2014/02/27 18:02:36 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> > 2014/02/27 18:03:12 ossec-execd: INFO: Started (pid: 11986).
>> > 2014/02/27 18:03:28 ossec-execd: INFO: Started (pid: 11991).
>> > 2014/02/27 18:03:48 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> > 2014/02/27 18:03:48 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> > 2014/02/27 18:05:22 ossec-execd: INFO: Started (pid: 12099).
>> > 2014/02/27 18:05:37 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> > 2014/02/27 18:05:37 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> > root@lenga #
>> >
>> > root@lenga # ps -fea | grep ossec | grep -v grep
>> >     root 11972     1   0 18:02:13 ?           0:00 /var/ossec/bin/ossec-execd
>> >     root 12099     1   0 18:05:22 ?           0:00 /var/ossec/bin/ossec-execd
>> >     root 11986     1   0 18:03:12 ?           0:00 /var/ossec/bin/ossec-execd
>> >     root 11991     1   0 18:03:29 ?           0:00 /var/ossec/bin/ossec-execd
>> >
>> > Do these daemons run with any parameters?
>> >
>> > Thanks for your help
>> >
>> >
>> >
>> > On Wednesday, February 26, 2014 15:19:20 UTC-3, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Feb 26, 2014 at 1:04 PM, OsO Roñoso <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > I have a problem installing the agent on Solaris 10. I read other forums
>> >> > but without success; does anybody have any idea? (The same agent on
>> >> > Windows and Linux works fine.)
>> >> >
>> >> > root@lenga # /var/ossec/bin/ossec-control start
>> >> > Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
>> >> > Deleting PID file '/var/ossec/var/run/ossec-logcollector-6253.pid' not used...
>> >> > ossec-execd already running...
>> >> > Started ossec-agentd...
>> >> > Started ossec-logcollector...
>> >>
>> >> Try starting these 2 daemons manually, see if there are any extra or
>> >> interesting logs to ossec.log.
>> >>
>> >> > 2014/02/26 14:36:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> >> > 2014/02/26 14:36:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> >> > 2014/02/26 14:36:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> >> > 2014/02/26 14:36:10 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> >> > 2014/02/26 14:36:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> >> > 2014/02/26 14:36:23 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> >> > ossec-syscheckd did not start
>> >> >
>> >> >
>> >> > root@lenga # ls -las
>> >> > total 4
>> >> >    2 drwxrwx---   2 root  root   512 Feb 26 14:31 .
>> >> >    2 dr-xr-x---   7 root  root   512 Feb 25 18:26 ..
>> >> >    0 -rw-r--r--   1 root  root     0 Feb 25 18:34 .agent_info
>> >> >    <---- I changed the owner to ossec and to root, same problem
>> >> >    0 srw-rw----   1 ossec ossec    0 Feb 25 18:34 queue
>> >> >
>> >> > If you need more details please let me know
>> >> >
>> >> > best regards
>> >> >
>> >>
>> >> Can you provide the ossec.conf for this agent?
>> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
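The two symptoms in this thread (the other daemons failing to open /var/ossec/queue/ossec/queue, and ossec-agentd re-reading its keys file every few seconds) can be checked with a script instead of watching tail -f. The Python below is an added example written for this page; it is not OSSEC's own code and not something the posters ran. It assumes the keys file lives at the standard OSSEC location etc/client.keys under the install directory (the thread never names that file) and that, on an agent, ossec-agentd is the daemon that creates the queue socket, which is why every other daemon fails when agentd is not running. The sample log lines are constructed from the ossec.log excerpt quoted above.

```python
"""Diagnose the two OSSEC agent symptoms from this thread (added example, not OSSEC's own code)."""
import os
import re
import stat
from datetime import datetime, timedelta

# Paths relative to the OSSEC install directory. The socket path is the one quoted in the
# thread's errors; etc/client.keys is the standard OSSEC keys file and is an assumption here.
QUEUE_SOCKET = "queue/ossec/queue"
KEYS_FILE = "etc/client.keys"

# "2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue ..."; code and level are optional.
LOG_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<daemon>[\w-]+)"
                    r"(?:\((?P<code>\d+)\))?: (?:(?P<level>INFO|ERROR|DEBUG|WARN): )?(?P<msg>.*)$")

# Constructed sample: the ossec.log excerpt quoted in the thread, rejoined onto single lines.
READ_KEYS = "ossec-agentd(1410): INFO: Reading authentication keys file."
SAMPLE_LOG = [
    "2014/02/28 10:47:14 " + READ_KEYS,
    "2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1",
    "2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...",
] + ["2014/02/28 10:%s %s" % (t, READ_KEYS)
     for t in ("47:32", "47:39", "47:46", "47:58", "48:02", "48:12", "48:21")] + [
    "2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).",
    "2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue'"
    " not accessible: 'Destination address required'.",
    "2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue:"
    " '/var/ossec/queue/ossec/queue'. Giving up..",
]

def parse_log_line(line):
    """Split one ossec.log line into its fields; None if the line is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "daemon": m.group("daemon"),
            "code": int(m.group("code")) if m.group("code") else None,
            "level": m.group("level"), "msg": m.group("msg")}

def analyze_log(lines, window_seconds=60, restart_threshold=3):
    """Flag an agentd that keeps re-reading its keys file and daemons that cannot reach the queue."""
    keys_reads, queue_errors = [], {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["msg"].startswith("Reading authentication keys file"):
            keys_reads.append(rec["ts"])
        elif rec["code"] in (1210, 1211):  # queue not accessible / unable to access queue
            queue_errors[rec["daemon"]] = queue_errors.get(rec["daemon"], 0) + 1

    # Most keys-file reads inside any window of window_seconds; a healthy agentd reads once at start.
    window = timedelta(seconds=window_seconds)
    burst = max((sum(1 for t in keys_reads[i:] if t - t0 <= window)
                 for i, t0 in enumerate(keys_reads)), default=0)

    findings = []
    if burst >= restart_threshold:
        findings.append(f"ossec-agentd read its keys file {burst} times within {window_seconds}s; "
                        "it is probably exiting right after start-up. Confirm the key was imported "
                        "and that the keys file is non-empty and readable by the agent user.")
    for daemon, count in sorted(queue_errors.items()):
        findings.append(f"{daemon} failed {count} time(s) to reach the queue socket; on an agent "
                        "that socket is created by ossec-agentd, so agentd is most likely not running.")
    return {"keys_reads": len(keys_reads), "burst": burst,
            "queue_errors": queue_errors, "findings": findings}

def check_agent_paths(ossec_dir="/var/ossec"):
    """Return the problems found with the queue socket and the keys file under ossec_dir."""
    problems = []
    queue = os.path.join(ossec_dir, QUEUE_SOCKET)
    try:
        st = os.stat(queue)
    except FileNotFoundError:
        problems.append(f"queue socket {queue} is missing (is ossec-agentd running?)")
    else:
        if not stat.S_ISSOCK(st.st_mode):
            problems.append(f"{queue} exists but is not a socket ({stat.filemode(st.st_mode)})")

    keys = os.path.join(ossec_dir, KEYS_FILE)
    try:
        with open(keys) as fh:
            entries = [ln for ln in fh.read().splitlines() if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        problems.append(f"keys file {keys} is missing: no key has been imported on this agent")
    except PermissionError:
        problems.append(f"keys file {keys} is not readable by the current user")
    else:
        if not entries:
            problems.append(f"keys file {keys} is empty")
        # Each entry is "<id> <name> <ip> <key>"; anything else will not load.
        bad = [ln for ln in entries if len(ln.split()) != 4]
        if bad:
            problems.append(f"keys file {keys} has {len(bad)} malformed line(s)")
    return problems

if __name__ == "__main__":
    print(*analyze_log(SAMPLE_LOG)["findings"], *check_agent_paths(), sep="\n")
```

Run it as root on the agent so the keys file is readable, or pass a different install directory to check_agent_paths(); feed analyze_log() the lines of /var/ossec/logs/ossec.log to get the same two findings the thread arrived at by hand. The restart heuristic is deliberately simple: a single read of the keys file at start-up is normal, so several reads within a minute means the daemon is dying and being restarted rather than running.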
