Hi. I'm trying to get a hybrid server working, and seeing some odd behaviour. I'm running 2.8.1.
When the agent component starts, the logs state:

2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
I don't know why it's monitoring most of those, as the ossec.conf for the agent only specifies '/logs/ossec/logs/alerts/alerts.log'.

A couple of minutes later, it stops parsing the alerts.log, with:

2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.

Any idea why it's stopping parsing the log file? I do have logstash consuming the logs too, and thought it might be that, but it happens even if I disable logstash. It's happening almost exactly 2 minutes after the process starts. I've tried setting the permissions on the log file to 644, too, but that makes no difference.
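The first thing to rule out for a "File not available, ignoring it" message is whether the collector's own user can actually open the file. Opening a file read-only needs search (x) permission on every parent directory as well as read permission on the file, so chmod 644 on alerts.log alone proves nothing if a directory above it is 0700 and owned by someone else. The script below is an added diagnostic written for this post; it is not OSSEC code and not from the original message. It judges access from mode bits only (ACLs, SELinux and mount options are out of scope), and the daemon user name "ossec" and the path in the __main__ block are assumptions taken from the post. It also records the file's (device, inode) identity so two runs can show whether the file was rotated or replaced in between, which would leave a collector holding the old descriptor.

```python
#!/usr/bin/env python3
"""Added diagnostic (not OSSEC code): can uid/gids open a log file read-only?

Checks search (x) permission on every ancestor directory and read permission
on the file itself, from mode bits only, and reports (device, inode) so a
rotation or replacement between two runs is visible."""
import os
import stat
from typing import Iterable, List, Set, Tuple


def _class_allows(st: os.stat_result, uid: int, gids: Set[int], owner_bit: int,
                  group_bit: int, other_bit: int) -> bool:
    """Apply the owner/group/other rule for one permission bit triple.

    uid 0 is treated as root, which bypasses read and search checks."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def explain_unavailable(path: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return the reasons uid/gids could not open `path` for reading.

    An empty list means every parent directory is searchable and the file is
    readable for that identity."""
    gid_set = set(gids)
    problems: List[str] = []
    abspath = os.path.abspath(path)
    components = abspath.split(os.sep)[1:]  # drop the empty root entry
    current = os.sep
    # Every ancestor directory needs search (x) permission.
    for name in components[:-1]:
        current = os.path.join(current, name)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"missing directory: {current}")
            return problems
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"not a directory: {current}")
            return problems
        if not _class_allows(st, uid, gid_set, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(
                f"no search (x) permission for uid {uid} on {current} "
                f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    # The file itself needs read permission.
    try:
        st = os.stat(abspath)
    except FileNotFoundError:
        problems.append(f"missing file: {abspath}")
        return problems
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"not a regular file: {abspath}")
    if not _class_allows(st, uid, gid_set, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(
            f"no read permission for uid {uid} on {abspath} "
            f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    return problems


def file_identity(path: str) -> Tuple[int, int]:
    """(st_dev, st_ino) of `path`. If this differs between two checks the file
    was rotated or replaced; a process still holding the old descriptor keeps
    reading the old inode, not the new file at this name."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


if __name__ == "__main__":
    import pwd
    import sys
    # Assumed defaults: the path from the post and a daemon user named 'ossec'.
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/logs/ossec/logs/alerts/alerts.log"
    user = sys.argv[2] if len(sys.argv) > 2 else "ossec"
    pw = pwd.getpwnam(user)
    user_gids = os.getgrouplist(user, pw.pw_gid)
    issues = explain_unavailable(log_path, pw.pw_uid, user_gids)
    for line in issues or [f"{log_path} is openable by {user}; identity {file_identity(log_path)}"]:
        print(line)
```

Run it as `python3 check_access.py /logs/ossec/logs/alerts/alerts.log ossec` on the agent host; an empty result means the mode bits are not the cause and the remaining suspects are the path being recreated under a new inode (compare `file_identity` output before and after the message appears) or something outside mode bits such as an ACL or mandatory access control.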
