I cannot even start the service. I've set it up a couple of times, but with the same result on 2 machines with Solaris, and this is how I run the commands: "./ossec-logcollector ../etc/ossec.conf -d -u ossec -g ossec". When you say keyfile, do you mean the "client.keys" file?

On Friday, February 28, 2014 12:36:24 UTC-3, dan (ddpbsd) wrote:
>
> On Fri, Feb 28, 2014 at 10:24 AM, OsO Roñoso <[email protected]> wrote:
> > When you suggest trying to start the daemons, I was running them from
> > /var/ossec/bin/ and I executed them one by one. Is there another way to do this?
> > And I changed chmod, chown like Josh said.
> >
>
> Was that an actual issue, or did you run the commands blindly?
>
> > root@lenga # tail -f ossec.log
> > 2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
> > 2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
> > 2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:47:39 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:47:46 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:47:58 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:48:02 ossec-agentd(1410): INFO: Reading authentication keys file.
>
> It seems odd that it's reading the key file so many times so quickly.
> Are you sure the key has been installed? Check the owner/permissions
> of the keyfile.
>
> > 2014/02/28 10:48:12 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 10:48:21 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
> > 2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> > 2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >
> > This is weird, I'm not sure if it is fine.
> >
> > root@lenga # ./agent-auth
> > ERROR: Not compiled. Missing OpenSSL support.
> >
> > And this is ossec.conf:
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>172.0.12.168</server-ip>
> >   </client>
> >
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >     <frequency>79200</frequency>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin</directories>
> >
> >     <!-- Files/directories to ignore -->
> >     <ignore>/etc/mtab</ignore>
> >     <ignore>/etc/mnttab</ignore>
> >     <ignore>/etc/hosts.deny</ignore>
> >     <ignore>/etc/mail/statistics</ignore>
> >     <ignore>/etc/random-seed</ignore>
> >     <ignore>/etc/adjtime</ignore>
> >     <ignore>/etc/httpd/logs</ignore>
> >     <ignore>/etc/utmpx</ignore>
> >     <ignore>/etc/wtmpx</ignore>
> >     <ignore>/etc/cups/certs</ignore>
> >     <ignore>/etc/dumpdates</ignore>
> >     <ignore>/etc/svc/volatile</ignore>
> >
> >     <!-- Windows files to ignore -->
> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >     <ignore>C:\WINDOWS/Debug</ignore>
> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >     <ignore>C:\WINDOWS/iis6.log</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >     <ignore>C:\WINDOWS/Prefetch</ignore>
> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >     <ignore>C:\WINDOWS/Temp</ignore>
> >     <ignore>C:\WINDOWS/system32/config</ignore>
> >     <ignore>C:\WINDOWS/system32/spool</ignore>
> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >   </syscheck>
> >
> >   <rootcheck>
> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
> >     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
> >     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
> >     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> >   </rootcheck>
> >   <!-- Files to monitor (localfiles) -->
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/authlog</location>
> >   </localfile>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/syslog</location>
> >   </localfile>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/adm/messages</location>
> >   </localfile>
> > </ossec_config>
> >
> > Thanks for your help
> >
> >
> > On Friday, February 28, 2014 10:02:20 UTC-3, dan (ddpbsd) wrote:
> >>
> >> On Thu, Feb 27, 2014 at 4:26 PM, OsO Roñoso <[email protected]> wrote:
> >> > ok
> >> >
> >> > root@lenga # date
> >> > Thursday, February 27, 2014 18:05:02 PM CLST
> >> >
> >> > root@lenga # /var/ossec/bin/ossec-execd
> >> > root@lenga # /var/ossec/bin/ossec-agentd
> >> > root@lenga # /var/ossec/bin/ossec-logcollector
> >> > root@lenga # /var/ossec/bin/ossec-control status
> >> > ossec-logcollector: Process 12105 not used by ossec, removing ..
> >> > ossec-logcollector not running...
> >> > ossec-syscheckd not running...
> >> > ossec-agentd not running...
> >> > ossec-execd is running...
> >> > root@lenga # tail -f ../logs/ossec.log
> >> > 2014/02/27 18:02:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >>
> >> Is there anything previous to this? At any point did you try what I
> >> suggested in my previous email?
> >>
> >> And as Josh suggested, check your permissions.
> >>
> >> > 2014/02/27 18:02:36 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/27 18:02:36 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > 2014/02/27 18:03:12 ossec-execd: INFO: Started (pid: 11986).
> >> > 2014/02/27 18:03:28 ossec-execd: INFO: Started (pid: 11991).
> >> > 2014/02/27 18:03:48 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/27 18:03:48 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > 2014/02/27 18:05:22 ossec-execd: INFO: Started (pid: 12099).
> >> > 2014/02/27 18:05:37 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> > 2014/02/27 18:05:37 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > root@lenga #
> >> >
> >> > root@lenga # ps -fea | grep ossec | grep -v grep
> >> >     root 11972     1   0 18:02:13 ?           0:00 /var/ossec/bin/ossec-execd
> >> >     root 12099     1   0 18:05:22 ?           0:00 /var/ossec/bin/ossec-execd
> >> >     root 11986     1   0 18:03:12 ?           0:00 /var/ossec/bin/ossec-execd
> >> >     root 11991     1   0 18:03:29 ?           0:00 /var/ossec/bin/ossec-execd
> >> >
> >> > Do these daemons run with some parameters?
> >> >
> >> > Thanks for your help
> >> >
> >> >
> >> > On Wednesday, February 26, 2014 15:19:20 UTC-3, dan (ddpbsd) wrote:
> >> >>
> >> >> On Wed, Feb 26, 2014 at 1:04 PM, OsO Roñoso <[email protected]> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I have a problem installing the agent on Solaris 10. I read in other
> >> >> > forums but without more success. Does somebody have any idea? (The same
> >> >> > agent on Windows and Linux works fine.)
> >> >> >
> >> >> > root@lenga # /var/ossec/bin/ossec-control start
> >> >> > Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
> >> >> > Deleting PID file '/var/ossec/var/run/ossec-logcollector-6253.pid' not used...
> >> >> > ossec-execd already running...
> >> >> > Started ossec-agentd...
> >> >> > Started ossec-logcollector...
> >> >>
> >> >> Try starting these 2 daemons manually, see if there are any extra or
> >> >> interesting logs to ossec.log.
> >> >>
> >> >> > 2014/02/26 14:36:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> >> > 2014/02/26 14:36:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> >> > 2014/02/26 14:36:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> >> > 2014/02/26 14:36:10 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> >> > 2014/02/26 14:36:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
> >> >> > 2014/02/26 14:36:23 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> >> > ossec-syscheckd did not start
> >> >> >
> >> >> >
> >> >> > root@lenga # ls -las
> >> >> > total 4
> >> >> >    2 drwxrwx---   2 root     root         512 Feb 26 14:31 .
> >> >> >    2 dr-xr-x---   7 root     root         512 Feb 25 18:26 ..
> >> >> >    0 -rw-r--r--   1 root     root           0 Feb 25 18:34 .agent_info   <---- I changed the owner to ossec and root, same problem
> >> >> >    0 srw-rw----   1 ossec    ossec          0 Feb 25 18:34 queue
> >> >> >
> >> >> > If you need more details please let me know
> >> >> >
> >> >> > Best regards
> >> >> >
> >> >>
> >> >> Can you provide the ossec.conf for this agent?

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
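
Added example, not part of the thread and not OSSEC project code: a small triage script that does by machine what the replies do by eye on the quoted ossec.log excerpts, namely listing which daemons logged "Started", which gave up on the queue, and which logged repeated key-file reads in a short window without ever logging "Started". The function name `triage`, the burst thresholds and the line regex are assumptions made for this illustration; the sample lines are copied from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample lines copied from the ossec.log excerpts quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
2014/02/28 10:47:14 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:14 ossec-agentd: OS_StartCounter: keysize: 1
2014/02/28 10:47:22 ossec-agentd: DEBUG: Starting ...
2014/02/28 10:47:32 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 10:47:39 ossec-agentd(1410): INFO: Reading authentication keys file.
2014/02/28 11:13:13 ossec-execd: INFO: Started (pid: 2299).
2014/02/28 11:14:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2014/02/28 11:14:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# Assumed line shape: "<timestamp> <daemon>[(<code>)]: [<LEVEL>: ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<daemon>[\w-]+)"
    r"(?:\((?P<code>\d+)\))?: (?:(?P<level>INFO|DEBUG|WARN|ERROR|CRITICAL): )?(?P<msg>.*)$"
)

def triage(log_text, burst_count=3, burst_window_s=60):
    """Summarise an excerpt: daemons started, daemons that gave up, key-read bursts."""
    started, gave_up, bursts = set(), set(), set()
    errors, key_reads = Counter(), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped fragment or a line in another format
        daemon, msg = m["daemon"], m["msg"]
        if msg.startswith("Started (pid"):
            started.add(daemon)
        if m["level"] == "ERROR":
            errors[(daemon, m["code"])] += 1
            if msg.endswith("Giving up.."):
                gave_up.add(daemon)
        if msg.startswith("Reading authentication keys file"):
            key_reads[daemon].append(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"))
    for daemon, stamps in key_reads.items():
        stamps.sort()
        # Pair each read with the one burst_count-1 positions later (sliding window).
        for first, last in zip(stamps, stamps[burst_count - 1:]):
            if (last - first).total_seconds() <= burst_window_s and daemon not in started:
                bursts.add(daemon)
    return {"started": started, "gave_up": gave_up,
            "key_read_bursts": bursts, "errors": errors}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```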
