Hi. I've set SELinux to Permissive, no difference. It sends some logs out in the 2 minutes before it stops processing the file.
Thanks.

On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>
> On Mon, Nov 3, 2014 at 12:39 PM, Chris H <[email protected]> wrote:
> > Hi. I'm trying to get a hybrid server working, and seeing some odd
> > behaviour. I'm running 2.8.1.
> >
> > When the agent component starts, the logs state:
> >
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >
> > I don't know why it's monitoring most of those, as the ossec.conf for the
> > agent only specifies '/logs/ossec/logs/alerts/alerts.log'. A couple of
> > minutes later, it stops parsing the alerts.log, with:
> >
> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
> >
> > Any idea why it's stopping parsing the log file? I do have logstash
> > consuming the logs too, and thought it might be that, but it happens even if
> > I disable logstash. It's happening almost exactly 2 minutes after the
> > process starts. I've tried setting the permissions on the log file to 644,
> > too, but that makes no difference.
> >
>
> Is SELinux or something blocking access to it?
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
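An added diagnostic for the "File not available, ignoring it" situation above; it is not part of the thread and not OSSEC's own code. It walks every component of the monitored path and reports which directory or file mode bits would deny read access to a given uid and group set (the check a chmod 644 on the file alone does not cover, since an unsearchable parent directory blocks the open just the same), and it compares two stat snapshots to tell whether the path now refers to a different file (rename-and-recreate, as log rotation does) rather than the same file grown or truncated in place. The path /logs/ossec/logs/alerts/alerts.log is the one from the thread; the user name `ossec`, the temp-directory fixture in `self_check()`, and the assumption that the reader process is bound by plain POSIX mode bits (no capabilities, no ACLs, no SELinux evaluation) are mine.

```python
"""Diagnose why a process running as uid/gids cannot open a log file for
reading, and detect whether the file was replaced under a reader.
Added example: evaluates classic POSIX mode bits only (no ACLs, no SELinux,
no capabilities). Path and 'ossec' user in __main__ are assumptions."""
import grp
import os
import pwd
import stat
import tempfile


def _perm_bits(st, uid, gids):
    """(read, write, search/exec) bits of st as they apply to uid with gids."""
    if uid == 0:
        return True, True, True            # root bypasses DAC for r/w/search
    if st.st_uid == uid:
        shift = 6                          # owner triplet
    elif st.st_gid in gids:
        shift = 3                          # group triplet
    else:
        shift = 0                          # other triplet
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def explain_access(path, uid, gids):
    """Return reasons why uid cannot open path for reading; [] means every
    ancestor is searchable and path is a readable regular file."""
    problems = []
    path = os.path.abspath(path)
    cur = os.sep
    for part in path.split(os.sep)[1:-1]:      # every ancestor directory
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            return problems + [f"{cur}: does not exist"]
        if not stat.S_ISDIR(st.st_mode):
            return problems + [f"{cur}: not a directory"]
        if not _perm_bits(st, uid, gids)[2]:
            problems.append(f"{cur}: no search (x) bit for uid {uid} "
                            f"(mode {oct(st.st_mode & 0o777)}, owner {st.st_uid})")
    try:
        st = os.stat(path)                      # follows a final symlink
    except FileNotFoundError:
        return problems + [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if not _perm_bits(st, uid, gids)[0]:
        problems.append(f"{path}: no read bit for uid {uid} "
                        f"(mode {oct(st.st_mode & 0o777)}, owner {st.st_uid})")
    return problems


def snapshot(path):
    """Identity of the file currently behind path: (device, inode, size)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino, st.st_size)


def was_replaced(before, after):
    """True if path now names a different file (rename/recreate rotation);
    False for growth or in-place truncation, where dev/inode are unchanged."""
    return before[:2] != after[:2]


def self_check():
    """Constructed fixture in a temp dir: a 0700 directory holding a 0644 log."""
    me, mygid = os.getuid(), os.getgid()
    stranger = me + 1                           # non-root uid that is not us
    private = os.path.join(tempfile.mkdtemp(), "private")
    os.mkdir(private, 0o700)                    # searchable by owner only
    log = os.path.join(private, "alerts.log")
    with open(log, "w") as fh:
        fh.write("constructed alert line\n")
    os.chmod(log, 0o644)
    results = {
        "owner_ok": explain_access(log, me, [mygid]) == [],
        "stranger_blocked": any("no search" in p for p in explain_access(log, stranger, [])),
    }
    before = snapshot(log)
    with open(log, "a") as fh:
        fh.write("second line\n")
    results["append_is_same_file"] = not was_replaced(before, snapshot(log))
    os.rename(log, log + ".1")                  # rotate: rename, then recreate
    with open(log, "w") as fh:
        fh.write("fresh file after rotation\n")
    results["rotate_detected"] = was_replaced(before, snapshot(log))
    return results


if __name__ == "__main__":
    target = "/logs/ossec/logs/alerts/alerts.log"   # path from the thread
    try:
        pw = pwd.getpwnam("ossec")                   # assumed daemon user
        gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem]
        print(explain_access(target, pw.pw_uid, gids) or ["mode bits allow read"])
    except KeyError:
        print("no 'ossec' user here; self_check():", self_check())
```

If `explain_access` returns an empty list and the daemon still loses the file, the denial is coming from something this script does not model: SELinux (compare with `ausearch -m AVC -ts recent` while Enforcing), POSIX ACLs (`getfacl` on each component), or the file being replaced rather than appended to, which is what the snapshot comparison is for.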
