On Wed, Oct 12, 2016 at 10:30 AM, Kernel Panic <netwarrior...@gmail.com> wrote:
> Hi guys
> The remote service was not starting, now it up and running, and have to say
> that this was pure pain!!
>

It would be interesting to find out what happened to your setup to give you such troubles.

> /var/ossec/bin/ossec-remoted -df
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO:
> Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer
> set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents
> allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys
> file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> 2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file
> '/queue/rids/001'.
>
>
> netstat -antuwp | grep ossec
> udp 0 0 0.0.0.0:1514 0.0.0.0:*
> 21908/ossec-remoted
>
> Thank you very much!
> Regards
>
>
> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue:
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> <?xml version="1.0"?>
>> --SNIP-
>> </group>
>> <!-- SYSLOG,LOCAL -->
>> <!-- EOF -->
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good,
>> is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> <decoder name="pam">
>> ^
>>
>> And found this:
>>
>> xmllint ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> <!-- Frequency that syscheck is executed
>> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>>
>> Line 74, what's missing here?
>>
>> <syscheck>
>> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>> <frequency>72000</frequency>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
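
A small triage helper for daemon log output like that quoted in this thread, added here as an example and not part of the original messages: it collapses repeated ERROR lines per daemon and error code and decodes any `errno:` value by name. The sample lines are constructed from the excerpts above, and the line format is assumed from those excerpts only.

```python
import errno
import re
from collections import Counter

# Sample lines constructed from the log excerpts quoted in the thread.
SAMPLE_LOG = """\
2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
"""

# Format assumed from the excerpts: "<date> <time> <daemon>[(code)]: [LEVEL: ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>[A-Z]+): )?(?P<msg>.*)$"
)
ERRNO_RE = re.compile(r"errno: (\d+)")


def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text):
    """Return (ERROR counts keyed by (daemon, code), set of errno names seen)."""
    counts, errnos = Counter(), set()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # wrapped or non-log line
        if rec["level"] == "ERROR":
            counts[(rec["daemon"], rec["code"])] += 1
        hit = ERRNO_RE.search(rec["msg"])
        if hit:
            # Map the number to its symbolic name, e.g. 13 -> EACCES.
            errnos.add(errno.errorcode.get(int(hit.group(1)), hit.group(1)))
    return counts, errnos


if __name__ == "__main__":
    counts, errnos = triage(SAMPLE_LOG)
    for (daemon, code), n in sorted(counts.items()):
        print(f"{daemon} code={code} x{n}")
    print("errno seen:", ", ".join(sorted(errnos)))
```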