Well, lots of changes had to be made to ossec.conf because on FreeBSD,
OSSEC is installed in /usr/local/ossec-hids, not /var/ossec. Also, the
rule for new files had to be modified. Other than those, I did not make
any other changes. Installation was via binary package using the package
manager.
All the processes are running (monitord, logcollector, syscheckd,
analysisd, maild, execd) and the file permissions,
/usr/local/ossec-hids/queue/rootcheck is owned by root/ossec, but
/usr/local/ossec-hids/queue/rootcheck/rootcheck does not exist. I can
see that file in a Linux installation, but not in the FreeBSD
installation. Ok to create it myself?
Another thing, on FreeBSD 10.1, OSSEC is not alerting on file deletions.
--
fini
On 2015-01-26 06:42, dan (ddp) wrote:
On Sat, Jan 24, 2015 at 7:24 PM, <[email protected]> wrote:
I'm testing OSSEC on a FreeBSD 10.1 server and getting some errors that I'm
not sure what they indicate. And googling hasn't helped.
Like this:
ossec-analysisd(1103): ERROR: Unable to open file '/queue/rootcheck/rootcheck'.
ossec-analysisd: Error handling rootcheck database.
ossec-rootcheck: INFO: Ending rootcheck scan.
ossec-rootcheck: DEBUG: Leaving run_rk_check
And this:
ossec-monitord: INFO: (unix_domain) Maximum send buffer set to: '6400'.
ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
ossec-analysisd(1103): ERROR: Unable to open file '/queue/rootcheck/rootcheck'.
ossec-analysisd: Error handling rootcheck database
This is a local installation. Any hints?
Did you make any changes?
What are the owner/group and permissions of
/var/ossec/queue/rootcheck/rootcheck?
If you run `/var/ossec/bin/ossec-control status` is everything that
should be running running?
TIA
--
fini
--
--- You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
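The checks dan asks for (is everything running, what are the owner/group and permissions of the rootcheck queue file) and the prefix difference fini describes (/var/ossec on Linux, /usr/local/ossec-hids from the FreeBSD package) can be gathered in one go. The script below is an added example for this thread, not OSSEC project code; it only reports, it does not create the missing file. The OSSEC_PREFIX environment variable it honours is an assumption of this script, not something OSSEC itself reads.

```shell
#!/bin/sh
# Added diagnostic example (not from the OSSEC project). Reports which install
# prefix is in use, the state of the rootcheck queue directory/database file
# that analysisd complains about in the thread, and the daemon status.

# Candidate prefixes named in the thread: Linux default and FreeBSD package.
OSSEC_CANDIDATES="/var/ossec /usr/local/ossec-hids"

# find_ossec_prefix DIR...: print the first DIR that contains bin/ossec-control.
# Returns 1 if none of them does.
find_ossec_prefix() {
    for p in "$@"; do
        if [ -x "$p/bin/ossec-control" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# owner_group PATH: print "owner:group". ls -ld is used because its output
# columns are the same on GNU and BSD userland, unlike stat -c versus stat -f.
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# mode_of PATH: print the permission string (first column of ls -ld).
mode_of() {
    ls -ld "$1" | awk '{ print $1 }'
}

# rootcheck_db_state PREFIX: print exactly one of
#   missing-dir  PREFIX/queue/rootcheck does not exist
#   missing-db   the directory exists but PREFIX/queue/rootcheck/rootcheck does not
#   present      the database file exists
rootcheck_db_state() {
    dir="$1/queue/rootcheck"
    if [ ! -d "$dir" ]; then
        echo missing-dir
    elif [ ! -f "$dir/rootcheck" ]; then
        echo missing-db
    else
        echo present
    fi
}

# report PREFIX: human-readable summary plus ossec-control status. Always
# returns 0 so it can be used from a larger script without aborting it.
report() {
    prefix=$1
    dir="$prefix/queue/rootcheck"
    echo "OSSEC prefix:     $prefix"
    echo "rootcheck queue:  $(rootcheck_db_state "$prefix")"
    if [ -d "$dir" ]; then
        echo "  $dir  $(mode_of "$dir")  $(owner_group "$dir")"
    fi
    if [ -f "$dir/rootcheck" ]; then
        echo "  $dir/rootcheck  $(mode_of "$dir/rootcheck")  $(owner_group "$dir/rootcheck")"
    fi
    # Same check as in the thread: is everything that should be running running?
    if [ -x "$prefix/bin/ossec-control" ]; then
        "$prefix/bin/ossec-control" status ||
            echo "  (ossec-control status exited non-zero)"
    fi
    return 0
}

main() {
    # OSSEC_PREFIX (hypothetical, this script only) overrides the candidate list.
    candidates=${OSSEC_PREFIX:-$OSSEC_CANDIDATES}
    # Intentionally unquoted: split the candidate list on whitespace.
    prefix=$(find_ossec_prefix $candidates) || {
        echo "no OSSEC installation found under: $candidates"
        return 0
    }
    report "$prefix"
}

main
```

Run it as root on the box in question (the queue directory is owner root, group ossec, so an unprivileged user may not be able to list the file). A `missing-db` result with all daemons shown running matches what fini reports on FreeBSD.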