When you suggested trying to start the daemons, I was running them from /var/ossec/bin/ and I
executed them one by one; is there another way to do this?
And I changed chmod, chown like Josh said.

root@lenga # tail -f ossec.log
2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:39 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:46 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:58 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:48:02 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:48:12 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:48:21 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

This is weird; I'm not sure if it is fine.

root@lenga # ./agent-auth  
ERROR: Not compiled. Missing OpenSSL support.

And this is ossec.conf:

<ossec_config>
  <client>
    <server-ip>172.0.12.168</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/messages</location>
  </localfile>
</ossec_config>

Thanks for your help


On Friday, 28 February 2014 10:02:20 UTC-3, dan (ddpbsd) wrote:
>
> On Thu, Feb 27, 2014 at 4:26 PM, OsO Roñoso <[email protected]> wrote:
> > ok 
> > 
> > root@lenga # date 
> > Thursday, February 27, 2014 18:05:02 PM CLST 
> > 
> > root@lenga # /var/ossec/bin/ossec-execd 
> > root@lenga # /var/ossec/bin/ossec-agentd 
> > root@lenga # /var/ossec/bin/ossec-logcollector 
> > root@lenga # /var/ossec/bin/ossec-control status 
> > ossec-logcollector: Process 12105 not used by ossec, removing .. 
> > ossec-logcollector not running... 
> > ossec-syscheckd not running... 
> > ossec-agentd not running... 
> > ossec-execd is running... 
> > root@lenga # tail -f ../logs/ossec.log 
> > 2014/02/27 18:02:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>
> Is there anything previous to this? At any point did you try what I 
> suggested in my previous email? 
>
> And as Josh suggested, check your permissions. 
>
> > 2014/02/27 18:02:36 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> > 2014/02/27 18:02:36 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2014/02/27 18:03:12 ossec-execd: INFO: Started (pid: 11986).
> > 2014/02/27 18:03:28 ossec-execd: INFO: Started (pid: 11991).
> > 2014/02/27 18:03:48 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> > 2014/02/27 18:03:48 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2014/02/27 18:05:22 ossec-execd: INFO: Started (pid: 12099).
> > 2014/02/27 18:05:37 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> > 2014/02/27 18:05:37 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > root@lenga # 
> > 
> > root@lenga # ps -fea | grep ossec | grep -v grep
> >     root 11972     1   0 18:02:13 ?           0:00 /var/ossec/bin/ossec-execd
> >     root 12099     1   0 18:05:22 ?           0:00 /var/ossec/bin/ossec-execd
> >     root 11986     1   0 18:03:12 ?           0:00 /var/ossec/bin/ossec-execd
> >     root 11991     1   0 18:03:29 ?           0:00 /var/ossec/bin/ossec-execd
> > 
> > Are these daemons running with some parameters?
> > 
> > thanks for your help 
> > 
> > 
> > 
> > On Wednesday, 26 February 2014 15:19:20 UTC-3, dan (ddpbsd) wrote:
> >>
> >> On Wed, Feb 26, 2014 at 1:04 PM, OsO Roñoso <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I have a problem installing the agent on Solaris 10. I read in another
> >> > forum but without more success; does somebody have any idea? (The same
> >> > agent on Windows and Linux works fine.)
> >> > 
> >> > root@lenga #  /var/ossec/bin/ossec-control start 
> >> > Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)... 
> >> > Deleting PID file '/var/ossec/var/run/ossec-logcollector-6253.pid' not used...
> >> > ossec-execd already running... 
> >> > Started ossec-agentd... 
> >> > Started ossec-logcollector... 
> >> 
> >> Try starting these 2 daemons manually, see if there are any extra or 
> >> interesting logs to ossec.log. 
> >> 
> >> > 2014/02/26 14:36:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/26 14:36:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/26 14:36:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/26 14:36:10 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/26 14:36:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/26 14:36:23 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > ossec-syscheckd did not start 
> >> > 
> >> > 
> >> > root@lenga # ls -las 
> >> > total 4 
> >> >    2 drwxrwx---   2 root     root         512 Feb 26 14:31 . 
> >> >    2 dr-xr-x---   7 root     root         512 Feb 25 18:26 .. 
> >> >    0 -rw-r--r--   1 root     root           0 Feb 25 18:34 .agent_info
> >> > <----
> >> > I changed the owner for ossec and root, same problem
> >> >    0 srw-rw----   1 ossec    ossec          0 Feb 25 18:34 queue 
> >> > 
> >> > If you need more details please let me know 
> >> > 
> >> > best regards 
> >> > 
> >> 
> >> Can you provide the ossec.conf for this agent? 
> >> 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> > 
>
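
A small triage helper for the ossec.log excerpts in this thread, added here as an example; it is not part of the original message or of OSSEC. It rejoins the mail-wrapped lines, counts entries per daemon and message id, and lists the daemons that logged "Giving up". The sample lines are copied from the excerpt above, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the ossec.log excerpt in this message,
# including the mail client's hard wraps.
SAMPLE = """\
2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Destination address 
required'.
2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access 
queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# timestamp, daemon name, optional numeric message id, rest of the line
ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: (.*)$")

def parse(text):
    """Rejoin wrapped lines and return a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            ts, daemon, msg_id, msg = m.groups()
            entries.append({"ts": ts, "daemon": daemon, "id": msg_id, "msg": msg})
        elif line and entries:
            # No timestamp: continuation of the previous, wrapped entry.
            entries[-1]["msg"] += " " + line
    return entries

def triage(entries):
    """Count entries per (daemon, id) and list daemons that reported giving up."""
    counts = Counter((e["daemon"], e["id"]) for e in entries)
    gave_up = sorted({e["daemon"] for e in entries if "Giving up" in e["msg"]})
    return counts, gave_up

if __name__ == "__main__":
    counts, gave_up = triage(parse(SAMPLE))
    for (daemon, msg_id), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {daemon}({msg_id or '-'})")
    print("gave up:", ", ".join(gave_up) or "none")
```

Run against the full /var/ossec/logs/ossec.log, the per-daemon counts make repeated startup messages and daemons that exited stand out without scrolling through `tail -f` output.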
