Thank you, Santiago! Other than remounting a partition inside the jail, can 
we configure the folder for rules files? If we can configure the folder, 
would it also be inside the same jail? I am thinking of configuring 
the rules folder to /opt/ossec/rules, but I guess it will be looking for 
rules under /var/ossec/opt/ossec/rules instead of /opt/ossec/rules. 

On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett wrote:
>
> This is because ossec-analysisd process runs in a chroot environment, so 
> it can't reach anything out of the jail (/var/ossec). 
>
> In some scenarios, when really necessary, what we do is remount a 
> partition inside the jail (mount -o bind). I don't recommend this, but it 
> is a workaround that should work.
>
> Best
>
> On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang <[email protected]> wrote:
>
>> Hi,
>>
>> I am trying to use a symlink for local_rules.xml. Here is what I did
>>
>> cd /var/ossec/rules
>> cp local_rules.xml /opt/ossec/rules
>> mv local_rules.xml local_rules.xml.bak
>> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>>
>> But I couldn't start OSSEC after this change and when I check the log 
>> file, it indicates that it couldn't read the XML file local_rules.xml.
>> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML file 
>> '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not found. 
>> (line 88).
>> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the 
>> rules: 'local_rules.xml'.
>> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> I checked the user/group and permission of those files, and they seem to 
>> be identical. So OSSEC won't take symlink for rules XML file?
>> ll /opt/ossec/rules/local_rules.xml 
>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 
>> /opt/ossec/rules/local_rules.xml*
>>
>> ll local_rules.xml.bak 
>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

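To make Santiago's point concrete, here is an added example (not code from the thread or from OSSEC) that models how a process chrooted into /var/ossec resolves a symlink, reproduces the dangling-link state from Rui's log in a scratch directory, and then shows the state a bind mount of /opt/ossec/rules at /var/ossec/opt/ossec/rules would produce. The jail and rules paths are taken from the thread; the bind_into_jail function is my rendering of the "mount -o bind" workaround (Linux only, needs root, so the unprivileged demo uses a plain copy in its place), and the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or from OSSEC itself.
# It models how a chrooted process such as ossec-analysisd resolves a symlink
# and shows why the link from the thread dangles inside the jail. The demo
# runs unprivileged in a scratch directory that mirrors the thread's layout
# (jail /var/ossec, rules kept under /opt/ossec/rules); the real paths and the
# bind mount are assumptions drawn from the thread, not from OSSEC docs.

# jail_view JAIL LINK: print the path a process chrooted into JAIL ends up
# opening when it follows the symlink LINK (given as a host path). An absolute
# link target is re-rooted under JAIL; a relative one is taken from the link's
# own directory. ".." components climbing above the jail root are not modelled.
jail_view() {
    jail=$1
    link=$2
    target=$(readlink "$link") || return 1      # not a symlink
    case $target in
        /*) printf '%s%s\n' "$jail" "$target" ;;
        *)  printf '%s/%s\n' "$(dirname "$link")" "$target" ;;
    esac
}

# jail_sees JAIL LINK: exit 0 if the chrooted process could open LINK,
# 1 if the link dangles inside the jail (the XMLERR "not found" case).
jail_sees() {
    view=$(jail_view "$1" "$2") || return 1
    [ -e "$view" ]
}

# bind_into_jail JAIL DIR: the workaround from the thread, Linux only, run as
# root. Mounts DIR read-only at the same path under JAIL; add a matching
# "bind" entry to /etc/fstab or the mount is gone after a reboot. Not called
# by the demo below because it needs root.
bind_into_jail() {
    mkdir -p "$1$2" &&
    mount -o bind "$2" "$1$2" &&
    mount -o remount,bind,ro "$1$2"
}

# demo: reproduce the thread's layout in a scratch tree and report what the
# jailed daemon sees before and after the target is made visible inside the
# jail (a copied file stands in for the bind mount so no root is needed).
demo() {
    root=$(mktemp -d)
    jail="$root/var/ossec"
    mkdir -p "$jail/rules"
    # the symlink from the thread: absolute target outside the jail
    ln -s /opt/ossec/rules/local_rules.xml "$jail/rules/local_rules.xml"
    before=$(jail_sees "$jail" "$jail/rules/local_rules.xml" && echo reachable || echo dangling)
    # what a bind mount of /opt/ossec/rules exposes at the same path under the jail
    mkdir -p "$jail/opt/ossec/rules"
    printf '<!-- constructed stand-in rules file -->\n' > "$jail/opt/ossec/rules/local_rules.xml"
    after=$(jail_sees "$jail" "$jail/rules/local_rules.xml" && echo reachable || echo dangling)
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}

demo
```

Running the script prints "dangling reachable": the same link that ossec-analysisd reported as '/rules/local_rules.xml' not found becomes readable once /var/ossec/opt/ossec/rules exists with the file in it, which is exactly what the bind mount provides on the real host. The daemon runs as the ossec user inside the jail, so the group-readable permissions Rui checked still apply to whatever is bind-mounted.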