Hi

Did not modify that file; I realized some of them were in XML format, just 
wanted to check.
This is what I get running the services manually with -df:

2016/10/12 07:31:20 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: Starting queue ...
2016/10/12 07:31:23 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:23 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-rootcheck(1211): ERROR: Unable to access queue: 
'/var/ossec/queue/ossec/queue'. Giving up..

2016/10/12 07:34:23 ossec-monitord: DEBUG: Starting ...
2016/10/12 07:34:23 ossec-monitord: INFO: Chrooted to directory: 
/var/ossec, using user: ossec
2016/10/12 07:34:23 ossec-monitord: INFO: Started (pid: 12499).
2016/10/12 07:34:36 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' 
not accessible: 'Connection refused'.
2016/10/12 07:34:36 ossec-monitord(1211): ERROR: Unable to access queue: 
'/queue/ossec/queue'. Giving up..


2016/10/12 07:46:50 ossec-analysisd: DEBUG: FTSInit completed.
2016/10/12 07:46:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
not accessible: 'Connection refused'.
2016/10/12 07:46:56 ossec-analysisd(1301): ERROR: Unable to connect to 
active response queue.
2016/10/12 07:46:59 ossec-analysisd(1210): ERROR: Queue 
'/queue/alerts/execq' not accessible: 'Connection refused'.
2016/10/12 07:46:59 ossec-analysisd(1301): ERROR: Unable to connect to 
active response queue.
2016/10/12 07:46:59 ossec-analysisd: DEBUG: Active response Init completed.
2016/10/12 07:46:59 alerts: Error opening logfile: 
'/logs/alerts/2016/Oct/ossec-alerts-12.log'

var/ossec/queue/alerts# ls -la
srwxrwxrwx.  1 apache ossec    0 Oct 12 07:52 ar
srw-rw----.  1 apache ossec    0 Oct 11 15:55 execq

ls -la logs/archives/2016/Oct/ossec-archive-12.log
-rw-r-----. 2 apache ossec 0 Oct 12 07:43 
logs/archives/2016/Oct/ossec-archive-12.log


ossec-remoted: Error accessing file '/etc/shared/system_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/win_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/rootkit_trojans.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/rootkit_files.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/cis_rhel5_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/win_malware_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/cis_debian_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/cis_rhel_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/win_applications_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/system_audit_ssh.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/cis_rhel6_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file 
'/etc/shared/cis_rhel7_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: DEBUG: Running manager_init
2016/10/12 07:58:32 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' 
not accessible: 'Connection refused'.
2016/10/12 07:58:32 ossec-remoted(1211): ERROR: Unable to access queue: 
'/queue/ossec/queue'. Giving up..

/var/ossec/etc/shared# ls -la
total 204
drwxrwxr-x. 2 ossec  ossec  4096 Oct 11 09:23 .
drwxrwxr-x. 6 apache ossec  4096 Oct 11 15:47 ..
-rw-rw----. 1 ossec  ossec  2949 Apr  8  2016 agent.conf
-rw-rw----. 1 ossec  ossec   153 Oct 12 07:53 ar.conf
-rw-rw----. 1 ossec  root  11136 Apr  8  2016 cis_debian_linux_rcl.txt
-rw-rw----. 1 ossec  root  31813 Apr  8  2016 cis_rhel5_linux_rcl.txt
-rw-rw----. 1 ossec  root  30004 Apr  8  2016 cis_rhel6_linux_rcl.txt
-rw-rw----. 1 ossec  root  32808 Apr  8  2016 cis_rhel7_linux_rcl.txt
-rw-rw----. 1 ossec  root  15845 Apr  8  2016 cis_rhel_linux_rcl.txt
-rw-rw----. 1 ossec  ossec  3132 Oct 12 07:58 merged.mg
-rw-rw----. 1 ossec  root  15942 Apr  8  2016 rootkit_files.txt
-rw-rw----. 1 ossec  root   5301 Apr  8  2016 rootkit_trojans.txt
-rw-rw----. 1 ossec  root   4958 Apr  8  2016 system_audit_rcl.txt
-rw-rw----. 1 ossec  root   1774 Apr  8  2016 system_audit_ssh.txt
-rw-rw----. 1 ossec  root   4829 Apr  8  2016 win_applications_rcl.txt
-rw-rw----. 1 ossec  root   3944 Apr  8  2016 win_audit_rcl.txt
-rw-rw----. 1 ossec  root   5005 Apr  8  2016 win_malware_rcl.txt


Thanks in advance.


On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>
> Hi guys,
> Yes, I've been reading about the error on the list, lots of cases, and I got it 
> too, but I've run out of ideas.
>
> The log:
>
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read that local_rules may have issues; tested with -t and no errors 
> displayed, also with xmllint
>
> xmllint local_rules.xml
> <?xml version="1.0"?>
> --SNIP-
> </group>
> <!-- SYSLOG,LOCAL -->
> <!-- EOF -->
>
> There is also a file under /var/ossec/etc/decoder.xml that does not seem 
> good, is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> <decoder name="pam">
> ^
>
> And found this:
>
> xmllint  ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> <!-- Frequency that syscheck is executed
>     <!-- Frequency that syscheck is executed -- default every 20 hours -->
>
> Line 74, what's missing here?
>
>  <syscheck>
>     <!-- Frequency that syscheck is executed -- default every 20 hours -->
>     <frequency>72000</frequency>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards