On Mon, Aug 4, 2014 at 8:05 PM, Tim Boyer <[email protected]> wrote:
>
> On Monday, August 4, 2014 11:18:26 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Aug 4, 2014 at 10:56 AM, Tim Boyer <[email protected]> wrote:
>> >
>> > On Monday, August 4, 2014 9:30:26 AM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> Is there anything useful in ossec.log related to this? Can you
>> >> reproduce this on a recent version of OSSEC?
>> >
>> > Nothing helpful. Only difference between this startup and a normal
>> > startup is
>> >
>> > 2014/08/04 10:51:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2014/08/04 10:51:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>
>> Nothing before this? These are a symptom of a failure somewhere.
>>
>> I just tried adding 30ish rules with srcip and didn't have any issues.
>> I'm running post 2.8, and I don't have your exact setup, so this may
>> prove nothing.
>>
>> > Looks like it's time to move to 2.8. Let me see what it will take.
>> > Thanks...
>
> Dang. Spoke too soon. It worked only because ossec.conf got overwritten
> during the upgrade, and didn't include local_nessus_rules.xml in the rule
> list. Put it in, and same problem.
>
> Next step: save everything; completely remove ossec; install 2.8 fresh.
> Same problem.
>
> I suspect a timing problem. log says:
>
> 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507).
> 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508).
> 2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured.
> 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml'
>
> and I think that analysisd is still reading while other things are starting.
> But no idea how to prove or fix.

I don't really know what that means. Can you provide your ossec.conf and
local_nessus_rules.xml?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
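One way to test the timing hypothesis raised in the thread from ossec.log alone, as an added example that is not part of the original thread: parse the log in file order, find the window between analysisd's first and last "Reading rules file" line, and list which other daemons started or hit the queue error inside that window. The log excerpt below is constructed after the quoted lines, with the syscheckd error deliberately placed inside the window; the function and regex names are assumptions of this example.

```python
import re

# Constructed ossec.log excerpt modelled on the lines quoted in the thread; the
# syscheckd queue error is placed between two rule-loading lines on purpose.
SAMPLE_LOG = """\
2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507).
2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508).
2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured.
2014/08/04 19:53:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml'
2014/08/04 19:53:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
"""

# Matches "<date> <time> <daemon>[(pid)]: <message>" as written by OSSEC daemons.
LINE_RE = re.compile(r"^(\S+ \S+) (ossec-[a-z]+)(?:\(\d+\))?: (.*)$")


def parse_ossec_log(text):
    """Yield (line_no, timestamp, daemon, message) for each parseable line, in file order."""
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            yield no, m.group(1), m.group(2), m.group(3)


def events_during_rule_load(text):
    """Events from daemons other than analysisd logged between analysisd's first and
    last 'Reading rules file' line, i.e. while the rule set was still being loaded."""
    events = list(parse_ossec_log(text))
    loads = [no for no, _, daemon, msg in events
             if daemon == "ossec-analysisd" and "Reading rules file" in msg]
    if len(loads) < 2:
        return []
    first, last = loads[0], loads[-1]
    return [(daemon, msg) for no, _, daemon, msg in events
            if first < no < last and daemon != "ossec-analysisd"]


def queue_errors_during_rule_load(text):
    """Only the 'Queue ... not accessible' errors that fall inside the rule-loading window."""
    return [(d, m) for d, m in events_during_rule_load(text) if "not accessible" in m]


if __name__ == "__main__":
    for daemon, msg in events_during_rule_load(SAMPLE_LOG):
        print(f"{daemon}: {msg}")
```

Queue errors that fall inside the window are consistent with the queue socket not existing yet; errors logged only after the last rules file was read point somewhere else.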
