Most likely you just need to register the first agent, so /var/ossec/etc/client.keys gets created. You can use /var/ossec/bin/manage_agents to register it (use the "add an agent" option).
I hope it helps.

On Sun, Mar 6, 2016 at 9:41 AM, Tennisha tennisha <[email protected]> wrote:
> I have tried to install ossec on three different vms and am not able to get
> it to pick up modifications, additions, deletions of files. I have tried
> running it on security onion 14.04 machine and a non security onion machine.
> I followed the instructions here
>
> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
>
> and on two of the machines I am getting this process XXX not used by ossec
> removing, ossec remoted not running error. Please advise
>
>
> martin@martin-VirtualBox:~$ sudo /var/ossec/bin/ossec-control status
> [sudo] password for martin:
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted: Process 1439 not used by ossec, removing ..
> ossec-remoted not running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild not running...
> ossec-execd is running...
> martin@martin-VirtualBox:~$ gdb /var/ossec/bin/ossec-remoted
> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> /var/ossec/bin/ossec-remoted: Permission denied.
> (gdb)
> (gdb) set follow-fork-mode child
> (gdb) run -df
> Starting program: -df
> No executable file specified.
> Use the "file" or "exec-file" command.
> (gdb) t
> No thread selected
> (gdb) bt
> No stack.
> (gdb)
> [1]+ Stopped gdb /var/ossec/bin/ossec-remoted
> martin@martin-VirtualBox:~$ sudo gdb /var/ossec/bin/ossec-remoted
> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /var/ossec/bin/ossec-remoted...(no debugging symbols
> found)...done.
> (gdb) set follow-fork-mode child
> (gdb) run -df
> Starting program: /var/ossec/bin/ossec-remoted -df
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Starting ...
> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4504).
> [New process 4508]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4508).
> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Running manager_init
> [New Thread 0x7ffff6fba700 (LWP 4509)]
> [New Thread 0x7ffff67b9700 (LWP 4510)]
> 2016/03/06 12:31:24 ossec-remoted: INFO: (unix_domain) Maximum send buffer
> set to: '16777216'.
> 2016/03/06 12:31:24 ossec-remoted(4111): INFO: Maximum number of agents
> allowed: '1024'.
> 2016/03/06 12:31:24 ossec-remoted(1410): INFO: Reading authentication keys
> file.
> 2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file
> '/etc/client.keys' not found.
> 2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection
> configured. Exiting.
> [Thread 0x7ffff6fba700 (LWP 4509) exited]
> [Thread 0x7ffff7fe1740 (LWP 4508) exited]
> [Inferior 2 (process 4508) exited with code 01]
> (gdb)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
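An added example, not part of the original thread and not OSSEC's own code: a shell check that looks for error 1402 in the ossec-remoted log and reports whether the key file it names is missing, empty or present. It assumes the default /var/ossec prefix and that the logged path ('/etc/client.keys') is relative to that prefix, matching the /var/ossec/etc/client.keys named in the reply; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report why ossec-remoted exited, based on its log.
# Function names are hypothetical; /var/ossec is the assumed install prefix.

# Constructed sample: decisive lines from the output quoted above,
# rejoined onto single lines as they would appear in a log file.
write_sample_log() {
    cat > "$1" <<'EOF'
2016/03/06 12:31:24 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found.
2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
EOF
}

# diagnose_remoted LOGFILE [OSSEC_DIR]
# Prints one of: no-key-error | missing:PATH | empty:PATH | present:PATH
diagnose_remoted() {
    log=$1
    dir=${2:-/var/ossec}

    # Error 1402 names the key file as the daemon sees it. Assumption:
    # that path is relative to the install prefix, so prepend it.
    rel=$(sed -n "s/.*ossec-remoted(1402): ERROR: Authentication key file '\([^']*\)' not found.*/\1/p" "$log" | tail -n 1)

    if [ -z "$rel" ]; then
        echo "no-key-error"
        return 0
    fi

    keys="$dir$rel"
    if [ ! -e "$keys" ]; then
        echo "missing:$keys"    # no agent registered yet: run manage_agents
    elif [ ! -s "$keys" ]; then
        echo "empty:$keys"      # file exists but holds no agent entries
    else
        echo "present:$keys"    # log entry is stale: restart and re-check
    fi
}

# Run against a real log when called with arguments.
if [ "$#" -gt 0 ]; then
    diagnose_remoted "$@"
fi
```

A `missing:` result corresponds to the situation in this thread, where registering the first agent with manage_agents creates the file.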
