This is because the ossec-analysisd process runs in a chroot environment, so it
can't reach anything outside the jail (/var/ossec).

In some scenarios, when really necessary, what we do is remount a partition
inside the jail (mount -o bind). I don't recommend this, but it is a
workaround that should work.

Best

On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang <[email protected]> wrote:

> Hi,
>
> I am trying to use a symlink for local_rules.xml. Here is what I did
>
> cd /var/ossec/rules
> cp local_rules.xml /opt/ossec/rules
> mv local_rules.xml local_rules.xml.bak
> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>
> But I couldn't start OSSEC after this change and when I check the log file,
> it indicates that it couldn't read the XML file local_rules.xml.
> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML file
> '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not found.
> (line 88).
> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the rules:
> 'local_rules.xml'.
> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> I checked the user/group and permission of those files, and they seem to
> be identical. So OSSEC won't take symlink for rules XML file?
> ll /opt/ossec/rules/local_rules.xml
> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 /opt/ossec/rules/local_rules.xml*
>
> ll local_rules.xml.bak
> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

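The failure above can be predicted without starting OSSEC at all. The script below is an added example, not code from this thread or from the OSSEC project: given the jail directory and the host path of a symlink inside it, it works out which file a process chrooted into that jail actually opens, by applying chroot rules to the link target (an absolute target is re-rooted at the jail, and ".." can never climb above the jail root). It goes slightly beyond the thread by also handling relative link targets. The function names (jail_normalize, jail_resolve, demo), the throwaway jail built under mktemp, and the plain file copy standing in for the bind mount are all this example's own assumptions; the logged path "/rules/local_rules.xml" is exactly what the chrooted daemon sees for /var/ossec/rules/local_rules.xml. It needs no root and only reads paths.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or OSSEC itself): predict which
# file a process chrooted into JAIL opens when it follows a symlink inside the
# jail. Inside a chroot an absolute link target is re-rooted at the jail and
# ".." is clamped at the jail root, so /opt/ossec/rules/local_rules.xml seen
# from inside /var/ossec becomes /var/ossec/opt/ossec/rules/local_rules.xml.

# jail_normalize PATH -> canonical in-jail path: empty and "." segments are
# dropped, ".." is clamped at the jail root (chroot semantics).
jail_normalize() {
    _rest=$1 _out=""
    while [ -n "$_rest" ]; do
        _seg=${_rest%%/*}                 # segment up to the first slash
        case $_rest in
            */*) _rest=${_rest#*/} ;;     # drop the consumed segment
            *)   _rest="" ;;
        esac
        case $_seg in
            ""|".") ;;
            "..")   _out=${_out%/*} ;;    # "" stays "" : cannot leave the jail
            *)      _out="$_out/$_seg" ;;
        esac
    done
    printf '%s\n' "${_out:-/}"
}

# jail_resolve JAIL LINK -> prints the host path the chrooted process ends up
# opening (one level of symlink) and returns 0 if that file exists, 1 if it
# does not, 2 if LINK is not a readable symlink. LINK is the link's host path,
# e.g. /var/ossec/rules/local_rules.xml.
jail_resolve() {
    _jail=${1%/}
    _link=$2
    _target=$(readlink "$_link") || return 2
    case $_target in
        /*) _injail=$_target ;;           # absolute target: re-rooted at the jail
        *)  _dir=${_link#"$_jail"}        # relative target: from the link's in-jail dir
            _dir=${_dir%/*}
            _injail="$_dir/$_target" ;;
    esac
    _host="$_jail$(jail_normalize "$_injail")"
    printf '%s\n' "$_host"
    [ -e "$_host" ]
}

# demo: build a throwaway jail (constructed data) and show the three layouts.
demo() {
    _j=$(mktemp -d) || return 1
    mkdir -p "$_j/rules/local"
    printf '<group name="local,">\n</group>\n' > "$_j/rules/local/local_rules.xml"

    # 1. The thread's layout: absolute link to a path outside the jail.
    ln -s /opt/ossec/rules/local_rules.xml "$_j/rules/local_rules.xml"
    if jail_resolve "$_j" "$_j/rules/local_rules.xml"; then
        echo "  -> readable from inside the jail"
    else
        echo "  -> NOT found from inside the jail (the XMLERR in the thread)"
    fi

    # 2. A relative link to a file kept inside the jail resolves on both sides.
    ln -sf local/local_rules.xml "$_j/rules/local_rules.xml"
    if jail_resolve "$_j" "$_j/rules/local_rules.xml"; then
        echo "  -> readable from inside the jail"
    fi

    # 3. The bind-mount workaround: make the same path exist inside the jail.
    #    mount -o bind needs root, so a plain copy stands in for it here.
    ln -sf /opt/ossec/rules/local_rules.xml "$_j/rules/local_rules.xml"
    mkdir -p "$_j/opt/ossec/rules"
    cp "$_j/rules/local/local_rules.xml" "$_j/opt/ossec/rules/local_rules.xml"
    if jail_resolve "$_j" "$_j/rules/local_rules.xml"; then
        echo "  -> readable from inside the jail"
    fi

    rm -rf "$_j"
}

demo
```

Run it against the real jail with `jail_resolve /var/ossec /var/ossec/rules/local_rules.xml` before restarting OSSEC; a non-zero exit means analysisd will log the same "not found" error, regardless of how correct the ownership and mode bits look on the host side. The check only follows one level of symlink; a chain of links needs the same resolution applied to each hop.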