Here are my logs after restarting ossec. I do not see any remoted error but 
still got stale entries.

root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
2018/07/13 05:30:37 ossec-remoted: INFO: Started (pid: 4785).
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'
root@ossec-1000:/ossec-server# bin/ossec-control restart
Deleting PID file '/ossec-server/var/run/ossec-remoted-5389.pid' not used...
Deleting PID file '/ossec-server/var/run/ossec-remoted-5615.pid' not used...
Deleting PID file '/ossec-server/var/run/ossec-remoted-5625.pid' not used...
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
Killing ossec-remoted .. 
bin/ossec-control: 260: kill: No such process

bin/ossec-control: 260: kill: No such process

Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
ossec-maild not running ..
ossec-execd not running ..
Killing ossec-csyslogd .. 
OSSEC HIDS v2.9.3 Stopped
Starting OSSEC HIDS v2.9.3 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2018/07/13 05:32:34 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
2018/07/13 05:32:34 ossec-logcollector(1905): INFO: No file configured to monitor.
Started ossec-logcollector...
Started ossec-remoted...
2018/07/13 05:32:34 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2018/07/13 05:32:34 ossec-syscheckd: WARN: Syscheck disabled.
2018/07/13 05:32:34 rootcheck: Rootcheck disabled. Exiting.
2018/07/13 05:32:34 ossec-syscheckd: WARN: Rootcheck module disabled.
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
2018/07/13 05:30:37 ossec-remoted: INFO: Started (pid: 4785).
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'
2018/07/13 05:32:34 ossec-remoted: INFO: Started (pid: 8866).
2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '192.168.0.0/16'
2018/07/13 05:32:34 ossec-remoted: Remote syslog allowed from: '172.16.0.0/12'




On Wednesday, July 11, 2018 at 8:20:36 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Mon, Jul 9, 2018 at 1:30 AM, Chinmay Pandya <[email protected]> wrote: 
> > I do not see any info in the ossec logs that suggests remoted is crashing. 
> > 
> > Any way I can confirm this? 
> > 
>
> When ossec-remoted starts it logs to the ossec.log. Look for entries like 
> this: 
> 2018/07/11 10:49:34 ossec-remoted: INFO: Started (pid: 23255). 
>
> I'm not sure why you'd get stale pid files if the process isn't 
> restarting. 
>
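
Added example, not part of the original thread and not OSSEC's own code: a shell script for the check discussed above. For each ossec-remoted pid file it reports whether that PID is still alive and whether ossec.log ever recorded it in a "Started (pid: N)" line. The function names and the three-argument invocation are assumptions; the pid-file naming and the log line format are taken from the output in this thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): correlate OSSEC pid files with
# the "Started (pid: N)" lines a daemon writes to ossec.log.
# Assumed layout, as seen in the thread:
#   <install>/var/run/<daemon>-<pid>.pid   and   <install>/logs/ossec.log

# Print every PID the daemon logged at startup, one per line.
logged_pids() {  # $1 = daemon name, $2 = log file
    sed -n "s/.* $1: INFO: Started (pid: \([0-9][0-9]*\)).*/\1/p" "$2"
}

# For each pid file print: "<pid> <running|stale> <logged|unlogged>".
# kill -0 only probes for existence; run as root (as in the thread) so a
# permission error is not mistaken for a dead process.
audit_pidfiles() {  # $1 = daemon name, $2 = run dir, $3 = log file
    for f in "$2"/"$1"-*.pid; do
        [ -e "$f" ] || continue            # glob matched nothing
        pid=${f##*-}                       # strip path and "<daemon>-"
        pid=${pid%.pid}                    # strip ".pid"
        case $pid in
            ''|*[!0-9]*) continue ;;       # ignore non-numeric names
        esac
        if kill -0 "$pid" 2>/dev/null; then
            state=running
        else
            state=stale
        fi
        if logged_pids "$1" "$3" | grep -qx "$pid"; then
            seen=logged
        else
            seen=unlogged
        fi
        echo "$pid $state $seen"
    done
}

# Example invocation with the paths from the thread:
#   sh audit.sh ossec-remoted /ossec-server/var/run /ossec-server/logs/ossec.log
if [ $# -eq 3 ]; then
    audit_pidfiles "$1" "$2" "$3"
fi
```

A "stale unlogged" row is a pid file left behind by a process that never wrote a "Started" line under that PID, which is the pattern to look at when the log shows no restart but pid files keep accumulating.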
