The first error is caused because some rootcheck rules use the $web_dirs variable, as defined in the system_audit_rcl.txt file.

system_audit_rcl.txt:
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;

Theresa, if you don't use those files you can tune that variable. On the other hand, I don't think that should actually be considered an "Error", but more a "Warning", as none of the capabilities that OSSEC provides are broken because of it.

I would say the second error is caused because you have realtime monitoring enabled for directories that do not exist.

I hope that helps,
Santiago.

On Wed, Dec 23, 2015 at 5:33 AM, dan (ddp) <[email protected]> wrote:

> On Wed, Dec 23, 2015 at 8:21 AM, theresa mic-snare
> <[email protected]> wrote:
> > Hi Dan,
> >
> > thanks for the pull request.
> > When upgrading to 2.9 I would need to uninstall my current ossec
> > installation or is there an upgrade scenario?
> > would this mean I would lose my current data (e.g. alerts, logs, etc...)
> > because if so, I will wait till February to install OSSEC 2.9, after my
> > thesis project was accepted and finalized.
> >
>
> I understand waiting (and I wouldn't blame you at all), but there is
> an upgrade option.
>
> > you were right, the two errors were unrelated.
> > I ran out of inodes previously, I couldn't even run a tail of the ossec.log
> > anymore. I had it set to 8192 and then increased it to 16384.
> > The syscheck errors disappeared then...
> >
> > On Wednesday, 23 December 2015 13:46:25 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare
> >> <[email protected]> wrote:
> >> > hi everyone,
> >> >
> >> > I'm receiving multiple errors during rootcheck... I think we discussed this
> >> > a couple of months ago...and from what I remember it would be fixed in the
> >> > next release?
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such file or directory
> >> >
> >> > I'm still using the old stable version 2.8 (no idea which minor version,
> >> > because in ossec-init.conf it only says 2.8)
> >> > Has this been fixed in 2.9?
> >> >
> >>
> >> Download the beta and see:
> >> https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view
> >> But no, I don't think it was. The PR I submitted for this was never
> >> accepted, and it looks like I deleted the branch several months after
> >> submitting it. So here's a new pull request:
> >> https://github.com/ossec/ossec-hids/pull/720
> >>
> >> > and where do these statfs errors come from anyway? I don't think I have this
> >> > in the ossec.conf so it must come from a .c file
> >> >
> >> > and I've also got this error recently:
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 28
> >> >
> >> > no idea why this cannot be added to real time monitoring.
> >> > any ideas?
> >> >
> >>
> >> I don't think these issues are related. Have you run out of space? Run
> >> out of inodes? Have some special permission or SELinux policy blocking
> >> the operation?
> >>
> >> > sorry, if this has been asked before!
> >> >
> >> > best,
> >> > theresa
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
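
Added example, not part of the original thread and not OSSEC code: a small triage of the two ossec.log message formats quoted above, which lists the $web_dirs entries behind the statfs errors and groups the realtime failures by their trailing error number. The function name `triage` and the sample lines are constructed for illustration, and reading the last field of the realtime message as an errno is an assumption.

```python
import errno
import re
from collections import Counter

# $web_dirs as quoted in the thread from system_audit_rcl.txt.
WEB_DIRS = ("/var/www,/var/htdocs,/home/httpd,/usr/local/apache,"
            "/usr/local/apache2,/usr/local/www")

# Constructed sample in the two ossec.log formats shown in the thread.
RT = "ossec-syscheckd: ERROR: Unable to add directory to real time monitoring:"
LANG = "/var/www/html/dokuwiki/lib/plugins/config/lang"
SAMPLE_LOG = f"""\
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
2015/12/23 13:09:20 {RT} '{LANG}/eu'. -1 28
2015/12/23 13:09:22 {RT} '{LANG}/de'. -1 28
"""

STATFS_RE = re.compile(r"ERROR: statfs\('([^']+)'\) produced error: (.+)$")
REALTIME_RE = re.compile(
    r"Unable to add directory to real time monitoring: '([^']+)'\. (-?\d+) (\d+)$")


def triage(log_text, web_dirs=WEB_DIRS):
    """Split rootcheck statfs noise from syscheck realtime failures."""
    missing, realtime = set(), Counter()
    for line in map(str.strip, log_text.splitlines()):
        m = STATFS_RE.search(line)
        if m and m.group(2) == "No such file or directory":
            missing.add(m.group(1))
            continue
        m = REALTIME_RE.search(line)
        if m:
            # Assumption: the last field is the errno of the failed watch call.
            code = int(m.group(3))
            realtime[errno.errorcode.get(code, str(code))] += 1
    # Keep only the $web_dirs entries that did not trigger a statfs error.
    kept = [d for d in web_dirs.split(",") if d not in missing]
    return {"missing": sorted(missing),
            "web_dirs": "$web_dirs=" + ",".join(kept) + ";",
            "realtime_errno": dict(realtime)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On Linux, errno 28 is ENOSPC, which inotify_add_watch(2) returns when the per-user limit on inotify watches is reached; that limit is separate from disk space and filesystem inodes.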
