Hi itnetsec,

I checked my folder permissions and they should be OK. Or could you explain how to debug a permission error?

I also did some ossec-agent tests on AWS AMI RedHat versions:

If I add an ossec-agent on AWS AMI 'amzn-ami-hvm-2016.09.1.20161221-x86_64-gp2 Linux version *4.4.35-33.55*.amzn1.x86_64' and restart the ossec server, ossec-remote can start up and the ossec-agent status is 'Connected'.

If I add an ossec-agent on AWS AMI 'amzn-ami-hvm-2017.09.1.20180115-x86_64-gp2 Linux version *4.14.42-52.37* .amzn1.x86_64' and restart the ossec server, ossec-remote cannot start up and the ossec-agent status is 'Never connected'.

And the log shows:

ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused

Any hint for debugging this error?

Thanks a lot

[root@ip-10-23-207-85 ossec]# pwd
/var/ossec
[root@ip-10-23-207-85 ossec]# ls -ld queue
dr-xr-x---. 11 root ossec 6144 Sep 18 07:58 queue
[root@ip-10-23-207-85 ossec]# cd queue/
[root@ip-10-23-207-85 queue]# ls -ld ossec
drwxrwx---. 2 ossec ossec 6144 Sep 25 05:02 ossec
[root@ip-10-23-207-85 queue]# cd ossec/
[root@ip-10-23-207-85 ossec]# ls -ld queue
srw-rw----. 1 ossec ossec 0 Sep 25 05:02 queue

On Thursday, October 4, 2018 at 6:12:40 PM UTC+8, itnetsec wrote:
>
> Permissions?
>
> On Thu, Oct 4, 2018, 3:30 AM Judy Chen <[email protected]> wrote:
>
>> Hi
>>
>> I checked my audit log for entries related to ossec but can't find why ossec can't access '/var/ossec/queue/ossec/queue'
>>
>> type=SERVICE_START msg=audit(1537893567.527:2919): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ossec-hids comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>> type=AVC msg=audit(1538308638.593:4576): avc: denied { read write } for pid=9787 comm="logrotate" name="ossec.log" dev="0:39" ino=17925539076010750948 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
>>
>> Thanks a lot for your help
>>
>> On Wednesday, October 3, 2018 at 9:51:40 PM UTC+8, dan (ddpbsd) wrote:
>>>
>>> On Wed, Oct 3, 2018 at 6:20 AM Judy Chen <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> Thanks for your feedback
>>>>
>>>> I checked my folder permissions and they should be OK
>>>>
>>>> [root@ip-10-23-207-85 ossec]# pwd
>>>> /var/ossec
>>>> [root@ip-10-23-207-85 ossec]# ls -ld queue
>>>> dr-xr-x---. 11 root ossec 6144 Sep 18 07:58 queue
>>>>
>>>> [root@ip-10-23-207-85 ossec]# cd queue/
>>>> [root@ip-10-23-207-85 queue]# ls -ld ossec
>>>> drwxrwx---. 2 ossec ossec 6144 Sep 25 05:02 ossec
>>>>
>>>> [root@ip-10-23-207-85 queue]# cd ossec/
>>>> [root@ip-10-23-207-85 ossec]# ls -ld queue
>>>> srw-rw----. 1 ossec ossec 0 Sep 25 05:02 queue
>>>>
>>>> Is it possibly related to the kernel version? ossec-agent seems unable to send logs to the server on Red Hat 4.8.3-9, but 4.4.35-33.55 works (not sure whether it is caused by the AWS AMI or another problem)
>>>>
>>>
>>> I don’t know of any issues with the kernel versions. Check the audit log to see if something is being stopped. /var/log/audit I think
>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
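An added example, not part of the thread and not OSSEC's own code: a Python probe that separates the conditions that can sit behind the "Queue ... not accessible" log line. It assumes the queue is a Unix datagram socket; on Linux, ECONNREFUSED on such a socket means the file exists but no process is bound to it, which is a different condition from a permission denial (EACCES).

```python
import errno
import os
import socket
import stat
import sys

# Path taken from the error line quoted in the thread.
QUEUE_PATH = "/var/ossec/queue/ossec/queue"


def probe_queue(path=QUEUE_PATH):
    """Classify the state of a Unix datagram socket; returns (state, detail)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing", "no socket file; the receiving daemon never created it"
    except PermissionError:
        return "denied", "cannot search a parent directory (mode bits or MAC policy)"
    if not stat.S_ISSOCK(mode):
        return "not-socket", "path exists but is not a socket"
    # Assumption: the queue is SOCK_DGRAM; a stream listener yields EPROTOTYPE.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.connect(path)
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "stale", "socket file exists but no process is bound to it"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied", "write access to the socket refused (mode bits or MAC policy)"
        if exc.errno == errno.EPROTOTYPE:
            return "wrong-type", "a listener exists but it is not a datagram socket"
        return "error", os.strerror(exc.errno)
    finally:
        client.close()
    return "listening", "a process is bound and accepting datagrams"


if __name__ == "__main__":
    state, detail = probe_queue(sys.argv[1] if len(sys.argv) > 1 else QUEUE_PATH)
    print(f"{state}: {detail}")
```

Run it under the account of the process that logs the error, since the "denied" result depends on who is connecting. A "stale" result says the process that should own the socket is not running, so the next place to look is why that daemon failed to start.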
