Hi all, I've had many problems getting the OSSEC agent to start up correctly on FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/VDT4cTObDPQ - "Chroot directory change option."). I figured it would be best to start a separate discussion.
I've done a completely fresh install of *ossec-hids-client-2.8.2* from pkg.freebsd.org, then simply changed the IP address to the correct server address in ossec.conf and added the key using manage-agents. Every time I start I get issues with permissions.

/usr/local/ossec-hids/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-execd already running...
2016/12/03 21:42:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:11 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start

This page: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html talks about checking that "ossec-analysisd" is running, but I can't see that file anywhere in the install location, so my guess is it was removed and possibly merged into another binary.
Using tree, I checked all the permissions:

# tree -ugap /usr/local/ossec-hids/
/usr/local/ossec-hids/
|-- [drwx------ ossec ossec ] .ssh
|-- [drwxr-xr-x root ossec ] active-response
|   `-- [drwxr-xr-x root ossec ] bin
|       |-- [-rwxr-xr-x root wheel ] disable-account.sh
|       |-- [-rwxr-xr-x root wheel ] firewall-drop.sh
|       |-- [-rwxr-xr-x root wheel ] host-deny.sh
|       |-- [-rwxr-xr-x root wheel ] ip-customblock.sh
|       |-- [-rwxr-xr-x root wheel ] ipfw.sh
|       |-- [-rwxr-xr-x root wheel ] ipfw_mac.sh
|       |-- [-rwxr-xr-x root wheel ] ossec-tweeter.sh
|       |-- [-rwxr-xr-x root wheel ] pf.sh
|       |-- [-rwxr-xr-x root wheel ] restart-ossec.sh
|       `-- [-rwxr-xr-x root wheel ] route-null.sh
|-- [drwxr-xr-x root ossec ] agentless
|   |-- [-rwxr-x--- root ossec ] main.exp
|   |-- [-rwxr-x--- root ossec ] register_host.sh
|   |-- [-rwxr-x--- root ossec ] ssh.exp
|   |-- [-rwxr-x--- root ossec ] ssh_asa-fwsmconfig_diff
|   |-- [-rwxr-x--- root ossec ] ssh_foundry_diff
|   |-- [-rwxr-x--- root ossec ] ssh_generic_diff
|   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_bsd
|   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_linux
|   |-- [-rwxr-x--- root ossec ] ssh_nopass.exp
|   |-- [-rwxr-x--- root ossec ] ssh_pixconfig_diff
|   |-- [-rwxr-x--- root ossec ] sshlogin.exp
|   `-- [-rwxr-x--- root ossec ] su.exp
|-- [drwxr-xr-x root ossec ] bin
|   |-- [-rwxr-x--- root wheel ] agent-auth
|   |-- [-rwxr-x--- root wheel ] manage_agents
|   |-- [-rwxr-x--- root wheel ] ossec-agentd
|   |-- [-rwxr-x--- root wheel ] ossec-control
|   |-- [-rwxr-x--- root wheel ] ossec-execd
|   |-- [-rwxr-x--- root wheel ] ossec-logcollector
|   |-- [-rwxr-x--- root wheel ] ossec-lua
|   |-- [-rwxr-x--- root wheel ] ossec-luac
|   |-- [-rwxr-x--- root wheel ] ossec-syscheckd
|   `-- [-rwxr-x--- root wheel ] util.sh
|-- [drwxr-xr-x root ossec ] etc
|   |-- [-r--r----- root ossec ] client.keys
|   |-- [-r--r----- root ossec ] internal_options.conf
|   |-- [-rwxr-xr-x root ossec ] ossec.conf
|   |-- [-rwxr-xr-x root ossec ] ossec.conf.sample
|   `-- [drwxr-xr-x root ossec ] shared
|       |-- [-rwxrwx--- root ossec ] cis_debian_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] cis_rhel5_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] cis_rhel_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] rootkit_files.txt
|       |-- [-rwxrwx--- root ossec ] rootkit_trojans.txt
|       |-- [-rwxrwx--- root ossec ] system_audit_rcl.txt
|       |-- [-rwxrwx--- root ossec ] win_applications_rcl.txt
|       |-- [-rwxrwx--- root ossec ] win_audit_rcl.txt
|       `-- [-rwxrwx--- root ossec ] win_malware_rcl.txt
|-- [drwxr-xr-x root ossec ] logs
|   `-- [-rw-rw-r-- ossec ossec ] ossec.log
|-- [drwxr-xr-x root ossec ] queue
|   |-- [drwxr-xr-x root ossec ] alerts
|   |   `-- [srw-rw---- root ossec ] execq
|   |-- [drwxr-x--- ossec ossec ] diff
|   |-- [drwxrwx--- ossec ossec ] ossec
|   |   `-- [srw-rw---- ossec ossec ] queue
|   |-- [drwxr-xr-x root ossec ] rids
|   `-- [drwxr-xr-x root ossec ] syscheck
|-- [drwxr-xr-x root ossec ] tmp
`-- [drwxr-xr-x root ossec ] var
    `-- [drwxr-xr-x root ossec ] run
        |-- [-rw-r----- root ossec ] ossec-execd-5576.pid
        `-- [-rw-r----- root ossec ] ossec-logcollector-29444.pid

This is my server.conf:

<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>10.0.64.2</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>
</ossec_config>

I'm really at the point of giving up, as I've spent weeks trying to get this working. Can anyone point me in the right direction?
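A diagnostic check, added here and not part of the original post, that separates the error classes a client sees when connecting to a Unix domain socket such as queue/ossec/queue (assumed, as in OSSEC, to be a datagram socket): 'Connection refused' means the socket file exists but no process is currently bound to it, which is a different condition from a permission problem on the file or directory. The demo builds a constructed stale socket in a temporary directory rather than touching a real OSSEC install.

```python
import os
import socket
import stat
import tempfile


def diagnose_unix_queue(path):
    """Classify reachability of a Unix domain datagram socket.

    Returns one of: 'missing', 'not-a-socket', 'no-listener',
    'permission', 'other', 'ok'.  Assumes a SOCK_DGRAM socket, which is
    what OSSEC uses for its internal queues (assumption, not checked here).
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"          # path does not exist at all
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"     # a regular file or directory sits at the path
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "ok"               # a reader is bound behind the socket file
    except ConnectionRefusedError:
        return "no-listener"      # ECONNREFUSED: file exists, nobody bound to it
    except PermissionError:
        return "permission"       # EACCES: mode/owner on the socket or its directory
    except OSError:
        return "other"
    finally:
        s.close()


def demo():
    """Constructed scenario: no file, a live reader, then a stale socket file."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "queue")
    results = {"missing": diagnose_unix_queue(path)}
    reader = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    reader.bind(path)                         # stands in for the daemon that owns the queue
    results["bound"] = diagnose_unix_queue(path)
    reader.close()                            # daemon gone; socket file left on disk
    results["stale"] = diagnose_unix_queue(path)
    os.unlink(path)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    print(demo())
```

Run against a real path (for example `diagnose_unix_queue("/usr/local/ossec-hids/queue/ossec/queue")`) to tell a dead queue owner apart from a mode or ownership mistake before adjusting any permissions.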
