Hi, I am trying to use a symlink for local_rules.xml. Here is what I did:

    cd /var/ossec/rules
    cp local_rules.xml /opt/ossec/rules
    mv local_rules.xml local_rules.xml.bak
    ln -s /opt/ossec/rules/local_rules.xml local_rules.xml

But I couldn't start OSSEC after this change, and when I check the log file, it indicates that it couldn't read the XML file local_rules.xml.

    2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not found. (line 88).
    2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
    2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

I checked the user/group and permissions of those files, and they seem to be identical. So OSSEC won't take a symlink for a rules XML file?

    ll /opt/ossec/rules/local_rules.xml
    -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 /opt/ossec/rules/local_rules.xml*

    ll local_rules.xml.bak
    -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
