OSSEC on FreeBSD 10.1 is 2.8.1_1, so it's the very latest.
--
fini
On 2015-01-26 07:28, dan (ddp) wrote:
On Mon, Jan 26, 2015 at 8:17 AM, <[email protected]> wrote:
Well, lots of changes had to be made to ossec.conf because on FreeBSD, OSSEC is installed in /usr/local/ossec-hids, not /var/ossec. Also, the rule for new files had to be modified. Other than those, did not make any other changes. Installation was via binary package using the package manager.
I don't know anything about FreeBSD's package. What version of OSSEC does it use?
All the processes are running (monitord, logcollector, syscheckd, analysisd, maild, execd) and the file permissions, /usr/local/ossec-hids/queue/rootcheck is owned by root/ossec, but
On my system it's ossec:ossec, and 750.
/usr/local/ossec-hids/queue/rootcheck/rootcheck does not exist. I can see that file in a Linux installation, but not in the FreeBSD installation. Ok to create it myself?
Try it. Also ossec:ossec, and 640.
Another thing, on FreeBSD 10.1, OSSEC is not alerting on file deletions.
--
fini
On 2015-01-26 06:42, dan (ddp) wrote:
On Sat, Jan 24, 2015 at 7:24 PM, <[email protected]> wrote:
I'm testing OSSEC on a FreeBSD 10.1 server and getting some errors that I'm not sure what they indicate. And googling hasn't helped. Like this:
ossec-analysisd(1103): ERROR: Unable to open file '/queue/rootcheck/rootcheck'.
ossec-analysisd: Error handling rootcheck database.
ossec-rootcheck: INFO: Ending rootcheck scan.
ossec-rootcheck: DEBUG: Leaving run_rk_check
And this:
ossec-monitord: INFO: (unix_domain) Maximum send buffer set to: '6400'.
ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
ossec-analysisd(1103): ERROR: Unable to open file '/queue/rootcheck/rootcheck'.
ossec-analysisd: Error handling rootcheck database
This is a local installation. Any hints?
Did you make any changes?
What are the owner/group and permissions of /var/ossec/queue/rootcheck/rootcheck?
If you run `/var/ossec/bin/ossec-control status` is everything that should be running running?
TIA
--
fini
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
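Added example, not from this thread and not part of the OSSEC project: a POSIX sh script that checks the rootcheck queue directory and database file against the ownership and modes dan gives above (ossec:ossec, 750 on the directory, 640 on the file), reports each deviation, and can create the missing file. The /usr/local/ossec-hids prefix is the FreeBSD package path quoted in the thread; the function names and the --check/--fix flags are my own. It uses `ls -l` rather than `stat` so the same script runs on BSD and GNU userland.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project):
# check the rootcheck queue layout that ossec-analysisd complains about
# and optionally create the missing database file.
# Install prefix defaults to the FreeBSD package path from the thread.
OSSEC_DIR="${OSSEC_DIR:-/usr/local/ossec-hids}"

# Map one rwx triplet from `ls -l` to its octal digit (s/t bits count as x).
triplet_digit() {
    case "$1" in
        rwx|rws|rwt) echo 7 ;;
        rw-|rwS|rwT) echo 6 ;;
        r-x|r-s|r-t) echo 5 ;;
        r--|r-S|r-T) echo 4 ;;
        -wx|-ws|-wt) echo 3 ;;
        -w-|-wS|-wT) echo 2 ;;
        --x|--s|--t) echo 1 ;;
        *)           echo 0 ;;
    esac
}

# Octal permission bits of a path; works with both BSD and GNU ls.
file_mode() {
    m=$(ls -ld "$1" | cut -c1-10)
    printf '%s%s%s\n' \
        "$(triplet_digit "$(printf '%s' "$m" | cut -c2-4)")" \
        "$(triplet_digit "$(printf '%s' "$m" | cut -c5-7)")" \
        "$(triplet_digit "$(printf '%s' "$m" | cut -c8-10)")"
}

# "owner:group" of a path.
file_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Report every deviation from the layout described in the thread.
# $1 = install prefix, $2 = expected owner:group (default ossec:ossec).
# Returns the number of problems found (0 = layout is as expected).
check_rootcheck_queue() {
    prefix="$1"; want="${2:-ossec:ossec}"
    dir="$prefix/queue/rootcheck"; db="$dir/rootcheck"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir (directory)"
        return 1
    fi
    mode=$(file_mode "$dir"); owner=$(file_owner "$dir")
    [ "$mode" = 750 ] || { echo "MODE: $dir is $mode, want 750"; problems=$((problems + 1)); }
    [ "$owner" = "$want" ] || { echo "OWNER: $dir is $owner, want $want"; problems=$((problems + 1)); }
    if [ ! -f "$db" ]; then
        # The condition behind "ossec-analysisd(1103): ERROR: Unable to open file".
        echo "MISSING: $db (rootcheck database)"
        problems=$((problems + 1))
    else
        mode=$(file_mode "$db"); owner=$(file_owner "$db")
        [ "$mode" = 640 ] || { echo "MODE: $db is $mode, want 640"; problems=$((problems + 1)); }
        [ "$owner" = "$want" ] || { echo "OWNER: $db is $owner, want $want"; problems=$((problems + 1)); }
    fi
    return $problems
}

# Create the directory and an empty database file if absent and apply the
# modes; chown only when running as root (the mode fix is still useful otherwise).
fix_rootcheck_queue() {
    prefix="$1"; want="${2:-ossec:ossec}"
    dir="$prefix/queue/rootcheck"; db="$dir/rootcheck"
    mkdir -p "$dir" || return 1
    [ -f "$db" ] || : > "$db"     # empty file; analysisd fills it on the next scan
    chmod 750 "$dir" && chmod 640 "$db" || return 1
    if [ "$(id -u)" = 0 ]; then
        chown "$want" "$dir" "$db" || return 1
    else
        echo "NOTE: not root, skipping chown $want on $dir and $db"
    fi
}

case "${1:-}" in
    --check) check_rootcheck_queue "$OSSEC_DIR" ;;
    --fix)   fix_rootcheck_queue "$OSSEC_DIR" && check_rootcheck_queue "$OSSEC_DIR" ;;
esac
```

Run `sh rootcheck-queue.sh --check` as root on the FreeBSD host to see which of the three conditions (missing file, wrong mode, wrong owner) matches, then `--fix` and re-run `/usr/local/ossec-hids/bin/ossec-control status`. The error message shows the path without the install prefix because analysisd runs chrooted into the install directory, so '/queue/rootcheck/rootcheck' in the log is /usr/local/ossec-hids/queue/rootcheck/rootcheck on disk.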