On Dec 3, 2016 4:54 PM, "Eponymous -" <[email protected]> wrote:
Hi all,

I've had many problems getting the OSSEC agent to start up correctly on FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/VDT4cTObDPQ - "Chroot directory change option."). I figured it would be best to start a separate discussion.

I've done a completely fresh install of *ossec-hids-client-2.8.2* from pkg.freebsd.org and then simply changed the IP address to the correct server address in ossec.conf and then added the key using manage-agents. Every time I start I get issues with permissions.

/usr/local/ossec-hids/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-execd already running...
2016/12/03 21:42:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:11 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start

This page: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html talks about checking that "ossec-analysisd" is running, but I can't see that file anywhere in the install location, so my guess is it was removed and possibly merged into another binary. That advice is for the server install or local install only.
Using tree, I checked all the permissions:

# tree -ugap /usr/local/ossec-hids/
/usr/local/ossec-hids/
|-- [drwx------ ossec ossec ] .ssh
|-- [drwxr-xr-x root ossec ] active-response
|   `-- [drwxr-xr-x root ossec ] bin
|       |-- [-rwxr-xr-x root wheel ] disable-account.sh
|       |-- [-rwxr-xr-x root wheel ] firewall-drop.sh
|       |-- [-rwxr-xr-x root wheel ] host-deny.sh
|       |-- [-rwxr-xr-x root wheel ] ip-customblock.sh
|       |-- [-rwxr-xr-x root wheel ] ipfw.sh
|       |-- [-rwxr-xr-x root wheel ] ipfw_mac.sh
|       |-- [-rwxr-xr-x root wheel ] ossec-tweeter.sh
|       |-- [-rwxr-xr-x root wheel ] pf.sh
|       |-- [-rwxr-xr-x root wheel ] restart-ossec.sh
|       `-- [-rwxr-xr-x root wheel ] route-null.sh
|-- [drwxr-xr-x root ossec ] agentless
|   |-- [-rwxr-x--- root ossec ] main.exp
|   |-- [-rwxr-x--- root ossec ] register_host.sh
|   |-- [-rwxr-x--- root ossec ] ssh.exp
|   |-- [-rwxr-x--- root ossec ] ssh_asa-fwsmconfig_diff
|   |-- [-rwxr-x--- root ossec ] ssh_foundry_diff
|   |-- [-rwxr-x--- root ossec ] ssh_generic_diff
|   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_bsd
|   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_linux
|   |-- [-rwxr-x--- root ossec ] ssh_nopass.exp
|   |-- [-rwxr-x--- root ossec ] ssh_pixconfig_diff
|   |-- [-rwxr-x--- root ossec ] sshlogin.exp
|   `-- [-rwxr-x--- root ossec ] su.exp
|-- [drwxr-xr-x root ossec ] bin
|   |-- [-rwxr-x--- root wheel ] agent-auth
|   |-- [-rwxr-x--- root wheel ] manage_agents
|   |-- [-rwxr-x--- root wheel ] ossec-agentd
|   |-- [-rwxr-x--- root wheel ] ossec-control
|   |-- [-rwxr-x--- root wheel ] ossec-execd
|   |-- [-rwxr-x--- root wheel ] ossec-logcollector
|   |-- [-rwxr-x--- root wheel ] ossec-lua
|   |-- [-rwxr-x--- root wheel ] ossec-luac
|   |-- [-rwxr-x--- root wheel ] ossec-syscheckd
|   `-- [-rwxr-x--- root wheel ] util.sh
|-- [drwxr-xr-x root ossec ] etc
|   |-- [-r--r----- root ossec ] client.keys
|   |-- [-r--r----- root ossec ] internal_options.conf
|   |-- [-rwxr-xr-x root ossec ] ossec.conf
|   |-- [-rwxr-xr-x root ossec ] ossec.conf.sample
|   `-- [drwxr-xr-x root ossec ] shared
|       |-- [-rwxrwx--- root ossec ] cis_debian_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] cis_rhel5_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] cis_rhel_linux_rcl.txt
|       |-- [-rwxrwx--- root ossec ] rootkit_files.txt
|       |-- [-rwxrwx--- root ossec ] rootkit_trojans.txt
|       |-- [-rwxrwx--- root ossec ] system_audit_rcl.txt
|       |-- [-rwxrwx--- root ossec ] win_applications_rcl.txt
|       |-- [-rwxrwx--- root ossec ] win_audit_rcl.txt
|       `-- [-rwxrwx--- root ossec ] win_malware_rcl.txt
|-- [drwxr-xr-x root ossec ] logs
|   `-- [-rw-rw-r-- ossec ossec ] ossec.log
|-- [drwxr-xr-x root ossec ] queue
|   |-- [drwxr-xr-x root ossec ] alerts
|   |   `-- [srw-rw---- root ossec ] execq
|   |-- [drwxr-x--- ossec ossec ] diff
|   |-- [drwxrwx--- ossec ossec ] ossec
|   |   `-- [srw-rw---- ossec ossec ] queue
|   |-- [drwxr-xr-x root ossec ] rids
|   `-- [drwxr-xr-x root ossec ] syscheck
|-- [drwxr-xr-x root ossec ] tmp
`-- [drwxr-xr-x root ossec ] var
    `-- [drwxr-xr-x root ossec ] run
        |-- [-rw-r----- root ossec ] ossec-execd-5576.pid
        `-- [-rw-r----- root ossec ] ossec-logcollector-29444.pid

This is my server.conf:

<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>10.0.64.2</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>
</ossec_config>

I'm really at the point of giving up as I've spent weeks trying to get this working. Can anyone point me in the right direction?

Does it work if you compile from source?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
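As an added example (not code from the thread or from the OSSEC project), the Python script below shows what the "Connection refused" lines in the post actually mean: the queue path is a Unix datagram socket, and a socket file that exists with the right owner and mode still refuses connections when no daemon is bound to it, so chmod/chown alone cannot fix it. It parses the error lines from the post, probes a queue path the way a writer such as ossec-syscheckd would, and recreates the stale-socket case; the temp paths and sample log are constructed.

```python
# Added example, not from the thread or from OSSEC. queue/ossec/queue is a
# SOCK_DGRAM Unix socket that the agent daemon binds at startup; writers
# connect() to it. A socket file with no bound process gives ECONNREFUSED,
# the "Connection refused" in the post. Sample log and paths are constructed.
import os
import re
import socket
import stat
import tempfile

# Two error lines from the post plus the final "Giving up" line (different format).
SAMPLE_LOG = """\
2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:11 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
"""
LOG_RE = re.compile(r"(?P<daemon>ossec-\w+)\(\d+\): ERROR: Queue '(?P<path>[^']+)'"
                    r" not accessible: '(?P<reason>[^']+)'")

def queue_errors(log_text):
    """Return (daemon, queue_path, reason) for each 'Queue ... not accessible' line."""
    return [m.group("daemon", "path", "reason") for m in LOG_RE.finditer(log_text)]

def probe_queue(path):
    """Classify the outcome of a writer's connect() to a Unix datagram socket."""
    if not os.path.lexists(path):
        return "missing"                 # the daemon never created it
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"            # a stray file or directory took the name
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "ok"
    except PermissionError:
        return "permission-denied"       # mode/owner really do block this uid
    except ConnectionRefusedError:
        return "no-listener"             # file is there, but its daemon is gone
    finally:
        s.close()

def demo():
    """Recreate the failure: bind the queue, let the 'daemon' exit, probe again."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "queue")
    daemon = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    daemon.bind(path)                    # what the agent daemon does at startup
    while_alive = probe_queue(path)      # "ok"
    daemon.close()                       # daemon dies; the socket file stays behind
    after_death = probe_queue(path)      # "no-listener", the case in the post
    os.unlink(path)
    os.rmdir(d)
    return while_alive, after_death
```

The listing in the post shows queue/ossec/queue as srw-rw---- ossec:ossec, which probe_queue would report as no-listener rather than permission-denied. On an agent the process that binds that queue is ossec-agentd, so its own log lines and the absence of an ossec-agentd pid file under var/run are the next things to check.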
