Has anyone got Hybrid working?

According to lsof, nothing else seems to be accessing the files at the time that the agent stops processing them.

I've figured out why it's looking at additional files/directories: it's pulled in the shared agent config; I'd forgotten I'd configured that :)


On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
>
> Hi. I've set SELinux to Permissive, no difference.  It sends some logs out, in the 2 minutes before it stops processing the file.
>
> Thanks.
>
> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>>
>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H <[email protected]> wrote: 
>> > Hi.  I'm trying to get a hybrid server working, and seeing some odd behaviour.  I'm running 2.8.1.
>> >
>> > When the agent component starts, the logs state:
>> >
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
>> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
>> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
>> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
>> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
>> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >
>> > I don't know why it's monitoring most of those, as the ossec.conf for the agent only specifies '/logs/ossec/logs/alerts/alerts.log'.  A couple of minutes later, it stops parsing the alerts.log, with:
>> >
>> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
>> >
>> > Any idea why it's stopping parsing the log file?  I do have logstash consuming the logs too, and thought it might be that, but it happens even if I disable logstash.  It's happening almost exactly 2 minutes after the process starts.  I've tried setting the permissions on the log file to 644, too, but that makes no difference.
>> >
>>
>> Is SELinux or something blocking access to it? 
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
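An added diagnostic, not OSSEC's code and not written by anyone in this thread, that classifies why a collector polling a path would find the file "not available" (gone, unreadable, not a regular file, or rotated so that the same path now has a different inode) and walks a constructed rotation scenario in a scratch directory; the file name alerts.log here is a made-up stand-in, and reading 644-mode files as a non-owner still fails under a MAC policy, which is why open() is tried after stat():

```python
import os
import stat
import tempfile


def check_file_availability(path, last_inode=None):
    """Classify why a log collector might report a file as not available.

    Returns (status, inode); status is one of 'ok', 'missing',
    'permission_denied', 'not_regular' or 'rotated' (same path, new inode).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing", None
    except PermissionError:
        return "permission_denied", None
    if not stat.S_ISREG(st.st_mode):
        return "not_regular", st.st_ino
    try:
        # stat() can succeed while open() fails (mode bits, ACLs, SELinux)
        with open(path, "rb"):
            pass
    except PermissionError:
        return "permission_denied", st.st_ino
    if last_inode is not None and st.st_ino != last_inode:
        return "rotated", st.st_ino
    return "ok", st.st_ino


def simulate_rotation(tmpdir=None):
    """Constructed scenario: file is readable, then rotated (renamed away and
    recreated by the writer), then deleted. Returns the statuses a collector
    polling the same path would observe, in order."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "alerts.log")  # hypothetical file name
    with open(path, "w") as fh:
        fh.write("constructed alert line\n")
    observed = []
    status, inode = check_file_availability(path)
    observed.append(status)                                   # ok
    os.rename(path, path + ".old")                            # rotation step 1
    observed.append(check_file_availability(path, inode)[0])  # missing
    with open(path, "w") as fh:                               # rotation step 2
        fh.write("new alert line\n")
    status, inode = check_file_availability(path, inode)
    observed.append(status)                                   # rotated
    os.remove(path)
    observed.append(check_file_availability(path, inode)[0])  # missing
    return observed
```

A collector that reopens on 'rotated' keeps following the new file; one that only keeps its original descriptor silently reads the renamed old file instead.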
