On Fri, Feb 28, 2014 at 10:36 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Feb 28, 2014 at 10:24 AM, OsO Roñoso <[email protected]> wrote:
>> When you suggested trying to start the daemons, I was running /var/ossec/bin/ and
>> executed them one by one. Is there another way to do this?
>> And I changed chmod and chown as Josh said.
>>
>
> Was that an actual issue, or did you run the commands blindly?
>
>> root@lenga # tail -f ossec.log
>> 2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
>> 2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
>> 2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:47:39 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:47:46 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:47:58 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:48:02 ossec-agentd(1410): INFO: Reading authentication keys file.
>
> It seems odd that it's reading the key file so many times so quickly.
> Are you sure the key has been installed? Check the owner/permissions
> of the keyfile.
>
Try running `/var/ossec/bin/ossec-agentd -df` to see if that provides any more clues.

>> 2014/02/28 10:48:12 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 10:48:21 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
>> 2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>> 2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> This is weird; I'm not sure if it is fine.
>>
>> root@lenga # ./agent-auth
>> ERROR: Not compiled. Missing OpenSSL support.
>>
>> And this is ossec.conf:
>>
>> <ossec_config>
>> <client>
>> <server-ip>172.0.12.168</server-ip>
>> </client>
>>
>> <syscheck>
>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> <frequency>79200</frequency>
>>
>> <!-- Directories to check (perform all possible verifications) -->
>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> <directories check_all="yes">/bin,/sbin</directories>
>>
>> <!-- Files/directories to ignore -->
>> <ignore>/etc/mtab</ignore>
>> <ignore>/etc/mnttab</ignore>
>> <ignore>/etc/hosts.deny</ignore>
>> <ignore>/etc/mail/statistics</ignore>
>> <ignore>/etc/random-seed</ignore>
>> <ignore>/etc/adjtime</ignore>
>> <ignore>/etc/httpd/logs</ignore>
>> <ignore>/etc/utmpx</ignore>
>> <ignore>/etc/wtmpx</ignore>
>> <ignore>/etc/cups/certs</ignore>
>> <ignore>/etc/dumpdates</ignore>
>> <ignore>/etc/svc/volatile</ignore>
>>
>> <!-- Windows files to ignore -->
>> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> <ignore>C:\WINDOWS/Debug</ignore>
>> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> <ignore>C:\WINDOWS/iis6.log</ignore>
>> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> <ignore>C:\WINDOWS/Prefetch</ignore>
>> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> <ignore>C:\WINDOWS/Temp</ignore>
>> <ignore>C:\WINDOWS/system32/config</ignore>
>> <ignore>C:\WINDOWS/system32/spool</ignore>
>> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> </syscheck>
>>
>> <rootcheck>
>> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> </rootcheck>
>>
>> <!-- Files to monitor (localfiles) -->
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/authlog</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/syslog</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/adm/messages</location>
>> </localfile>
>> </ossec_config>
>>
>> Thanks for your help
>>
>>
>> On Friday, February 28, 2014 at 10:02:20 UTC-3, dan (ddpbsd) wrote:
>>>
>>> On Thu, Feb 27, 2014 at 4:26 PM, OsO Roñoso <[email protected]> wrote:
>>> > ok
>>> >
>>> > root@lenga # date
>>> > Thursday, February 27, 2014 18:05:02 PM CLST
>>> >
>>> > root@lenga # /var/ossec/bin/ossec-execd
>>> > root@lenga # /var/ossec/bin/ossec-agentd
>>> > root@lenga # /var/ossec/bin/ossec-logcollector
>>> > root@lenga # /var/ossec/bin/ossec-control status
>>> > ossec-logcollector: Process 12105 not used by ossec, removing ..
>>> > ossec-logcollector not running...
>>> > ossec-syscheckd not running...
>>> > ossec-agentd not running...
>>> > ossec-execd is running...
>>> > root@lenga # tail -f ../logs/ossec.log
>>> > 2014/02/27 18:02:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>>
>>> Is there anything previous to this? At any point did you try what I
>>> suggested in my previous email?
>>>
>>> And as Josh suggested, check your permissions.
>>>
>>> > 2014/02/27 18:02:36 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> > 2014/02/27 18:02:36 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> > 2014/02/27 18:03:12 ossec-execd: INFO: Started (pid: 11986).
>>> > 2014/02/27 18:03:28 ossec-execd: INFO: Started (pid: 11991).
>>> > 2014/02/27 18:03:48 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> > 2014/02/27 18:03:48 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> > 2014/02/27 18:05:22 ossec-execd: INFO: Started (pid: 12099).
>>> > 2014/02/27 18:05:37 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> > 2014/02/27 18:05:37 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> > root@lenga #
>>> >
>>> > root@lenga # ps -fea | grep ossec | grep -v grep
>>> >     root 11972     1   0 18:02:13 ?           0:00 /var/ossec/bin/ossec-execd
>>> >     root 12099     1   0 18:05:22 ?           0:00 /var/ossec/bin/ossec-execd
>>> >     root 11986     1   0 18:03:12 ?           0:00 /var/ossec/bin/ossec-execd
>>> >     root 11991     1   0 18:03:29 ?           0:00 /var/ossec/bin/ossec-execd
>>> >
>>> > Do these daemons run with some parameters?
>>> >
>>> > Thanks for your help
>>> >
>>> >
>>> >
>>> > On Wednesday, February 26, 2014 at 15:19:20 UTC-3, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Feb 26, 2014 at 1:04 PM, OsO Roñoso <[email protected]> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > I have a problem installing the agent on Solaris 10. I read other forums
>>> >> > but without success; does anybody have any idea? (The same agent on
>>> >> > Windows and Linux works fine.)
>>> >> >
>>> >> > root@lenga # /var/ossec/bin/ossec-control start
>>> >> > Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
>>> >> > Deleting PID file '/var/ossec/var/run/ossec-logcollector-6253.pid' not used...
>>> >> > ossec-execd already running...
>>> >> > Started ossec-agentd...
>>> >> > Started ossec-logcollector...
>>> >>
>>> >> Try starting these 2 daemons manually, see if there are any extra or
>>> >> interesting logs to ossec.log.
>>> >>
>>> >> > 2014/02/26 14:36:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> > 2014/02/26 14:36:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> > 2014/02/26 14:36:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> > 2014/02/26 14:36:10 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> > 2014/02/26 14:36:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
>>> >> > 2014/02/26 14:36:23 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> >> > ossec-syscheckd did not start
>>> >> >
>>> >> >
>>> >> > root@lenga # ls -las
>>> >> > total 4
>>> >> >    2 drwxrwx---   2 root  root   512 Feb 26 14:31 .
>>> >> >    2 dr-xr-x---   7 root  root   512 Feb 25 18:26 ..
>>> >> >    0 -rw-r--r--   1 root  root     0 Feb 25 18:34 .agent_info   <---- I changed the owner to ossec and root, same problem
>>> >> >    0 srw-rw----   1 ossec ossec    0 Feb 25 18:34 queue
>>> >> >
>>> >> > If you need more details please let me know
>>> >> >
>>> >> > best regards
>>> >> >
>>> >>
>>> >> Can you provide the ossec.conf for this agent?
>>> >>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
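The repeated `Queue '/var/ossec/queue/ossec/queue' not accessible` errors in this thread come from the OSSEC child daemons (ossec-logcollector, ossec-syscheckd, ossec-rootcheck): on startup each one connects an AF_UNIX datagram socket to the agent queue, and that socket is bound only by a running ossec-agentd, so the queue file can exist with the right owner (as in the `ls -las` above) and the connect still fails whenever agentd is not actually up. The script below is an added diagnostic, not OSSEC's own code and not posted by anyone in the thread. It performs the same datagram connect the daemons do against a throwaway fixture, and applies the two checks dan asked for: that client.keys is installed with sane permissions, and that something is really bound to the queue socket. The function names, the fixture layout, the constructed sample client.keys line and the default /var/ossec paths are assumptions for illustration; the exact failure text is OS-specific (Linux reports 'Connection refused', the Solaris 10 host in the thread logged 'Destination address required').

```python
#!/usr/bin/env python3
"""Added diagnostic for the 'Queue ... not accessible' error in the thread.
Not OSSEC code: it imitates what ossec-logcollector / ossec-syscheckd /
ossec-rootcheck do in StartMQ() (connect() an AF_UNIX SOCK_DGRAM socket to the
agent queue, which only ossec-agentd binds) and adds the client.keys checks
dan asked for. Paths, fixture layout and the sample key line are assumptions."""
import os
import shutil
import socket
import stat
import tempfile

OSSEC_DIR = "/var/ossec"                      # assumption: stock install prefix
QUEUE_REL = os.path.join("queue", "ossec", "queue")
KEYS_REL = os.path.join("etc", "client.keys")

# Constructed sample line in client.keys format "<id> <name> <ip> <key>".
# The key is a placeholder, not a real agent key.
SAMPLE_KEY_LINE = "001 lenga 172.0.12.168 " + "0" * 64 + "\n"


def check_keys(keys_path):
    """Return (ok, reason): key file present, non-empty and not world-readable
    (it holds the shared secret between agent and server)."""
    try:
        st = os.stat(keys_path)
    except FileNotFoundError:
        return False, "client.keys missing: import the agent key with manage_agents"
    if st.st_size == 0:
        return False, "client.keys is empty: ossec-agentd has no key to load"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        return False, "client.keys is world-readable (mode %o)" % mode
    return True, "client.keys present, %d bytes, mode %o" % (st.st_size, mode)


def check_queue(queue_path):
    """Return (ok, reason). Same operation as the OSSEC child daemons: a datagram
    connect() to the queue socket. It succeeds only while a process (normally
    ossec-agentd) is bound to it; a leftover socket file with no listener fails,
    which is the state the thread's logs show."""
    if not os.path.exists(queue_path):
        return False, "queue socket missing: ossec-agentd has not created it"
    if not stat.S_ISSOCK(os.stat(queue_path).st_mode):
        return False, "queue path exists but is not a socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(queue_path)
    except OSError as e:
        # OS-specific text: 'Connection refused' on Linux; the Solaris host in
        # the thread logged 'Destination address required' for this condition.
        return False, "connect failed: %s -> is ossec-agentd running?" % e.strerror
    finally:
        s.close()
    return True, "a listener is bound to the queue socket"


def run_checks(base=OSSEC_DIR):
    """Run both checks against an OSSEC tree rooted at `base`."""
    return {
        "keys": check_keys(os.path.join(base, KEYS_REL)),
        "queue": check_queue(os.path.join(base, QUEUE_REL)),
    }


def demo():
    """Build a throwaway OSSEC-like tree and run the checks twice: once with a
    datagram socket bound to the queue (standing in for ossec-agentd), and once
    after that socket is closed, which leaves the file behind with no listener."""
    base = tempfile.mkdtemp(prefix="ossec-demo-")
    try:
        os.makedirs(os.path.join(base, "etc"))
        os.makedirs(os.path.join(base, "queue", "ossec"))
        keys = os.path.join(base, KEYS_REL)
        with open(keys, "w") as f:
            f.write(SAMPLE_KEY_LINE)
        os.chmod(keys, 0o640)

        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(os.path.join(base, QUEUE_REL))   # stand-in for ossec-agentd
        with_agentd = run_checks(base)
        listener.close()                                # file remains, nobody bound
        without_agentd = run_checks(base)
        return with_agentd, without_agentd
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("with listener", "without listener"), demo()):
        for name, (ok, reason) in result.items():
            print("%-17s %-4s %s: %s" % (label, "OK" if ok else "FAIL", name, reason))
    # On a real agent, run_checks() with no argument inspects /var/ossec as root.
```

Run as root on the agent host, `run_checks()` tells you whether the failure is the key file (empty or missing, so agentd never stays up) or the queue (socket present but nothing bound), which is the distinction the thread is circling: the `ls -las` output only proves the socket file exists, not that ossec-agentd is listening on it. When agentd exits right after "Reading authentication keys file", `ossec-agentd -df` as dan suggests shows why, and the queue check will keep failing until that is fixed.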
