On Mon, Jan 26, 2015 at 8:17 AM, <[email protected]> wrote:
> Well, lots of changes had to be made to ossec.conf because on FreeBSD, OSSEC
> is installed in /usr/local/ossec-hids, not /var/ossec. Also, the rule for
> new files had to be modified. Other than those, did not make any other
> changes. Installation was via binary package using the package manager.
>

I don't know anything about FreeBSD's package. What version of OSSEC does it use?

> All the processes are running (monitord, logcollector, syscheckd, analysisd,
> maild, execd) and the file permissions,
> /usr/local/ossec-hids/queue/rootcheck is owned by root/ossec, but

On my system it's ossec:ossec, and 750.

> /usr/local/ossec-hids/queue/rootcheck/rootcheck does not exist. I can see
> that file in a Linux installation, but not in the FreeBSD installation. Ok
> to create it myself?
>

Try it. Also ossec:ossec, and 640.

> Another thing, on FreeBSD 10.1, OSSEC is not alerting on file deletions.
>
> --
> fini
>
> On 2015-01-26 06:42, dan (ddp) wrote:
>> On Sat, Jan 24, 2015 at 7:24 PM, <[email protected]> wrote:
>>> I'm testing OSSEC on a FreeBSD 10.1 server and getting some errors that
>>> I'm not sure what they indicate. And googling hasn't helped.
>>>
>>> Like this:
>>>
>>> <!--
>>> ossec-analysisd(1103): ERROR: Unable to open file
>>> '/queue/rootcheck/rootcheck'.
>>> ossec-analysisd: Error handling rootcheck database.
>>> ossec-rootcheck: INFO: Ending rootcheck scan.
>>> ossec-rootcheck: DEBUG: Leaving run_rk_check
>>> -->
>>>
>>> And this:
>>>
>>> <!--
>>> ossec-monitord: INFO: (unix_domain) Maximum send buffer set to: '6400'.
>>> ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>> ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>> ossec-analysisd(1103): ERROR: Unable to open file
>>> '/queue/rootcheck/rootcheck'.
>>> ossec-analysisd: Error handling rootcheck database
>>> -->
>>>
>>> This is a local installation. Any hints?
>>>
>>
>> Did you make any changes?
>> What are the owner/group and permissions of
>> /var/ossec/queue/rootcheck/rootcheck?
>> If you run `/var/ossec/bin/ossec-control status` is everything that
>> should be running running?
>>
>>> TIA
>>>
>>> --
>>> fini
>>>
>>> --
>>>
>>> --- You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
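As an added example (not code from the thread or from the OSSEC project), the following POSIX sh script checks the state dan's reply describes for the rootcheck queue: the directory owned ossec:ossec with mode 750 and the database file ossec:ossec with mode 640, under whatever install prefix is in use (/usr/local/ossec-hids for the FreeBSD package, /var/ossec on Linux). The function names, the BASE/OWNER/GROUP arguments and the GNU-vs-BSD stat fallback are assumptions of this example; the expected owner and modes are the ones stated in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): verify, and optionally
# create, the rootcheck queue that ossec-analysisd opens as
# $BASE/queue/rootcheck/rootcheck. Expected state, per the reply above:
# directory ossec:ossec mode 750, database file ossec:ossec mode 640.
# Function names and the BASE/OWNER/GROUP arguments are assumptions.

# Print "owner:group mode" for one path. GNU stat (Linux) takes -c,
# BSD stat (FreeBSD) takes -f, so fall back when -c is rejected.
stat_og_mode() {
    stat -c '%U:%G %a' "$1" 2>/dev/null || stat -f '%Su:%Sg %Lp' "$1"
}

# check_rootcheck_db BASE [OWNER] [GROUP]
# Prints one line per mismatch; returns 0 only when everything matches.
# Read-only: never changes ownership or modes.
check_rootcheck_db() {
    ck_base=$1; ck_owner=${2:-ossec}; ck_group=${3:-ossec}
    ck_dir="$ck_base/queue/rootcheck"
    ck_db="$ck_dir/rootcheck"
    ck_rc=0
    if [ ! -d "$ck_dir" ]; then
        echo "MISSING: $ck_dir (directory)"
        return 1
    fi
    set -- $(stat_og_mode "$ck_dir")
    [ "$1" = "$ck_owner:$ck_group" ] || { echo "OWNER: $ck_dir is ${1:-?}, want $ck_owner:$ck_group"; ck_rc=1; }
    [ "$2" = "750" ] || { echo "MODE: $ck_dir is ${2:-?}, want 750"; ck_rc=1; }
    if [ ! -f "$ck_db" ]; then
        # This is the state behind "Unable to open file '/queue/rootcheck/rootcheck'".
        echo "MISSING: $ck_db (rootcheck database)"
        ck_rc=1
    else
        set -- $(stat_og_mode "$ck_db")
        [ "$1" = "$ck_owner:$ck_group" ] || { echo "OWNER: $ck_db is ${1:-?}, want $ck_owner:$ck_group"; ck_rc=1; }
        [ "$2" = "640" ] || { echo "MODE: $ck_db is ${2:-?}, want 640"; ck_rc=1; }
    fi
    return $ck_rc
}

# fix_rootcheck_db BASE [OWNER] [GROUP]
# Creates the directory and an empty database file if absent, then applies
# the expected owner and modes. Needs root on a real install.
fix_rootcheck_db() {
    fx_base=$1; fx_owner=${2:-ossec}; fx_group=${3:-ossec}
    fx_dir="$fx_base/queue/rootcheck"
    fx_db="$fx_dir/rootcheck"
    mkdir -p "$fx_dir"
    [ -f "$fx_db" ] || : > "$fx_db"
    chown "$fx_owner:$fx_group" "$fx_dir" "$fx_db"
    chmod 750 "$fx_dir"
    chmod 640 "$fx_db"
}

# Usage on the FreeBSD package layout from the thread (run as root to fix):
#   check_rootcheck_db /usr/local/ossec-hids || fix_rootcheck_db /usr/local/ossec-hids
```

The check is deliberately separate from the fix so it can run from a monitoring job without privileges; only fix_rootcheck_db needs root, and after running it the original "Unable to open file" error should stop once ossec-analysisd is restarted.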
