I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS. The issue started after I added in more disk since I ran out of space in /

On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
> Do you have SELinux running in an enforcing mode? What is the output of sestatus?
>
> Josh
>
> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic <netwar...@gmail.com> wrote:
>
>> Really do not know, just installed it from repo and tried to start the service.
>>
>> Thanks
>> Regards
>>
>> On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>>> Hi guys,
>>> Yes, I've been reading about the error on the list, lots of cases, and I got it too, but I've run out of ideas.
>>>
>>> The log:
>>>
>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>
>>> The queue:
>>> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>
>>> I also read that local_rules may have issues; tested with -t and no errors displayed, also with xmllint.
>>>
>>> xmllint local_rules.xml
>>> <?xml version="1.0"?>
>>> --SNIP-
>>> </group>
>>> <!-- SYSLOG,LOCAL -->
>>> <!-- EOF -->
>>>
>>> There is also a file under /var/ossec/etc/decoder.xml that seems not good, is that correct?
>>> xmllint decoder.xml
>>> decoder.xml:52: parser error : Extra content at the end of the document
>>> <decoder name="pam">
>>> ^
>>>
>>> And found this:
>>>
>>> xmllint ossec.conf
>>> ossec.conf:74: parser error : Comment not terminated
>>> <!-- Frequency that syscheck is executed
>>> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>>>
>>> Line 74, what's missing here?
>>>
>>> <syscheck>
>>> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>>> <frequency>72000</frequency>
>>>
>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>> ossec-wui-0.8-4.el6.art.noarch
>>>
>>> Thanks for your time and support
>>> Regards
>
> --
> Thanks,
> Joshua Gimer
>
> http://www.linkedin.com/in/jgimer
> http://twitter.com/jgimer
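
The quoted log shows 'Connection refused' on a socket file that `ls` shows as present, which on a UNIX-domain socket means the file exists but no process is bound to it. The following is an added example, not part of the thread and not OSSEC code, that separates that case from a missing file or a permission/policy denial; the function name `diagnose_queue` and the use of SOCK_DGRAM are assumptions.

```python
import errno
import os
import socket
import stat

# Path taken from the log lines in the thread.
OSSEC_QUEUE = "/var/ossec/queue/ossec/queue"


def diagnose_queue(path, sock_type=socket.SOCK_DGRAM):
    """Return (status, hint) explaining whether a UNIX socket queue is reachable.

    SOCK_DGRAM is an assumption about how the queue is opened; pass
    socket.SOCK_STREAM to probe a stream socket instead.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing", "no socket file: the listening daemon never created it"
    except PermissionError:
        return "denied", "cannot reach the path: check directory ownership and mode"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket", "path exists but is not a socket (mode %o)" % st.st_mode

    owner = "uid=%d gid=%d mode=%o" % (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    probe = socket.socket(socket.AF_UNIX, sock_type)
    try:
        probe.connect(path)
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # The file is left over, but no process has it bound any more.
            return "stale", "socket file present, nothing listening (%s)" % owner
        if exc.errno in (errno.EACCES, errno.EPERM):
            # File permissions or a MAC policy such as SELinux block the caller.
            return "denied", "connect blocked by permissions or policy (%s)" % owner
        return "error", "%s (%s)" % (os.strerror(exc.errno), owner)
    finally:
        probe.close()
    return "ok", "a process is listening (%s)" % owner


if __name__ == "__main__":
    print("%s: %s" % diagnose_queue(OSSEC_QUEUE))
```

Run it as the same user as the failing daemon; a "stale" result points at the listener not running rather than at the socket's permissions.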