Re: [ossec-list] Agent Duplicate Folders Message
The server I'm using for testing went down; as soon as I get it back I'm gonna review it. Thank you very much for your help, really appreciated.

Regards

On Friday, 14 October 2016, 10:26:53 (UTC-3), dan (ddpbsd) wrote:

> On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic <netwar...@gmail.com> wrote:
> > Taking a look in /var/ossec/logs/alerts I can see there are lots of things
> > registered, not related to the files I modified, but related to ssh login
> > failures, sudo stuff and the like, but I never get an e-mail with that report.
>
> Are the files in the syscheck db (/var/ossec/queue/syscheck/something)?
> Do you have alert_new_files turned on in the OSSEC server's ossec.conf?
> Did you modify the rule that alerts on new files to raise the level to
> something greater than 0?
> Did you restart the OSSEC processes on the OSSEC server after making
> these changes?
>
> > Thank you very much for your time and support
> > Regards
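dan's checklist above (alert_new_files on the server, the new-file rule raised above level 0, then a restart) maps onto two files on the OSSEC server. What follows is an added example, not configuration from this thread or from the OSSEC project's shipped files: the `alert_new_files` switch belongs inside the `<syscheck>` block of the server's ossec.conf, and the built-in rule that fires for a new file (rule 554, "File added to the system", which OSSEC ships at level 0, so it never alerts and never mails) is overridden from local_rules.xml. The level 7 used here is an assumption, chosen so the alert reaches the default email_alert_level of 7; the `<frequency>` and `<directories>` lines are placeholders.

```xml
<!-- ossec.conf on the OSSEC server: inside <syscheck>, switch on alerting
     for files that syscheck sees for the first time. -->
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>

<!-- local_rules.xml on the OSSEC server: rule 554 ships at level 0, so even
     with alert_new_files on, a new file produces no alert and no mail.
     overwrite="yes" replaces the shipped rule; level 7 is an assumed value
     picked so the alert clears the default email_alert_level (7). -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After editing both files, restart the server processes with /var/ossec/bin/ossec-control restart (dan's last question), and remember his earlier point that a file created before the change is only picked up by the next full syscheck scan, not by realtime.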
Re: [ossec-list] Agent Duplicate Folders Message
Taking a look in /var/ossec/logs/alerts I can see there are lots of things registered, not related to the files I modified, but related to ssh login failures, sudo stuff and the like, but I never get an e-mail with that report.

Thank you very much for your time and support

Regards

On Thursday, 13 October 2016, 14:47:25 (UTC-3), dan (ddpbsd) wrote:

> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote:
> > Hi
> > Does this still apply?
> > I have this option enabled: yes along with the realtime=yes.
> >
> > From another post on the list:
> > > In the past new files were not alerted in real time. I'm not sure if
> > > this has changed. Any of the developers know?
>
> Was there a response to this post? I don't think it's changed, but I'm
> sure I miss commits here and there.
>
> > Another question, by reading this
> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> > I can see that there are values that can be adjusted, for example host
> > information, by default 8, how do I interpret that, the greater the
> > number the more verbose? I just made some modification under /etc, created some file
>
> That would be the alert level. It does not change verbosity, just the
> level of the alert.
>
> > modified other just to test, but still have no e-mail, I'm only getting an
> > e-mail regarding a service log and nothing else, which is the parameter to
> > tell ossec to send all the issues?
>
> For the new file, you probably need a full syscheck scan for it to be
> picked up.
> For the modified file, if it's already in the syscheck db, you should
> be alerted relatively quickly (if realtime is enabled and currently
> running).
>
> Other than that, OSSEC should send all alerts.
>
> > Last question:
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >
> > Which service is not started? The doc says the package inotify should be
> > installed and I have it: inotify-tools-3.13-2.el6.art.x86_64
>
> That doesn't indicate that a service hasn't started, just that the
> realtime feature hasn't started working yet.
> There's a delay for realtime to start.
>
> > Thank you very much!!
> > Regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi there.

I'm still getting one alert e-mail type 2 even though I modified/created some files under /etc. Am I missing something else in the configuration? This is the server configuration:

yes m...@company.com localhost oss...@server.com 100 yes 4096
rules_config.xml pam_rules.xml sshd_rules.xml telnetd_rules.xml syslog_rules.xml arpwatch_rules.xml symantec-av_rules.xml symantec-ws_rules.xml pix_rules.xml named_rules.xml smbd_rules.xml vsftpd_rules.xml pure-ftpd_rules.xml proftpd_rules.xml ms_ftpd_rules.xml ftpd_rules.xml hordeimp_rules.xml roundcube_rules.xml wordpress_rules.xml cimserver_rules.xml vpopmail_rules.xml vmpop3d_rules.xml courier_rules.xml web_rules.xml web_appsec_rules.xml apache_rules.xml nginx_rules.xml php_rules.xml mysql_rules.xml postgresql_rules.xml ids_rules.xml squid_rules.xml firewall_rules.xml cisco-ios_rules.xml netscreenfw_rules.xml sonicwall_rules.xml postfix_rules.xml sendmail_rules.xml imapd_rules.xml mailscanner_rules.xml dovecot_rules.xml ms-exchange_rules.xml racoon_rules.xml vpn_concentrator_rules.xml spamd_rules.xml msauth_rules.xml mcafee_av_rules.xml trend-osce_rules.xml ms-se_rules.xml zeus_rules.xml solaris_bsm_rules.xml vmware_rules.xml ms_dhcp_rules.xml asterisk_rules.xml ossec_rules.xml attack_rules.xml local_rules.xml
3600 yes /boot,/etc,/root,/home,/bin,/sbin,/usr/bin,/usr/sbin /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/adjtime /etc/httpd/logs
3600 /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt
127.0.0.1 secure
1 7
host-deny host-deny.sh srcip yes firewall-drop firewall-drop.sh srcip yes disable-account disable-account.sh user yes
host-deny local 6 600 firewall-drop local 6 600
syslog /var/log/messages syslog /var/log/authlog syslog /var/log/secure syslog /var/log/xferlog syslog /var/log/maillog apache /var/www/logs/access_log apache /var/www/logs/error_log
ZEBRA OSSEC Security Report For The Masses

Thanks for your patience.

On Thursday, 13 October 2016, 14:47:25 (UTC-3), dan (ddpbsd) wrote:

> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote:
> > Hi
> > Does this still apply?
> > I have this option enabled: yes along with the realtime=yes.
> >
> > From another post on the list:
> > > In the past new files were not alerted in real time. I'm not sure if
> > > this has changed. Any of the developers know?
>
> Was there a response to this post? I don't think it's changed, but I'm
> sure I miss commits here and there.
>
> > Another question, by reading this
> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> > I can see that there are values that can be adjusted, for example host
> > information, by default 8, how do I interpret that, the greater the
> > number the more verbose? I just made some modification under /etc, created some file
>
> That would be the alert level. It does not change verbosity, just the
> level of the alert.
>
> > modified other just to test, but still have no e-mail, I'm only getting an
> > e-mail regarding a service log and nothing else, which is the parameter to
> > tell ossec to send all the issues?
>
> For the new file, you probably need a full syscheck scan for it to be
> picked up.
> For the modified file, if it's already in the syscheck db, you should
> be alerted relatively quickly (if realtime is enabled and currently
> running).
>
> Other than that, OSSEC should send all alerts.
>
> > Last question:
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >
> > Which service is not started? The doc says the package inotify should be
> > installed and I have it: inotify-tools-3.13-2.el6.art.x86_64
>
> That doesn't indicate that a service hasn't started, just that
Re: [ossec-list] Agent Duplicate Folders Message
Thank you!

On Thursday, 13 October 2016, 14:47:25 (UTC-3), dan (ddpbsd) wrote:

> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote:
> > Hi
> > Does this still apply?
> > I have this option enabled: yes along with the realtime=yes.
> >
> > From another post on the list:
> > > In the past new files were not alerted in real time. I'm not sure if
> > > this has changed. Any of the developers know?
>
> Was there a response to this post? I don't think it's changed, but I'm
> sure I miss commits here and there.
>
> > Another question, by reading this
> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> > I can see that there are values that can be adjusted, for example host
> > information, by default 8, how do I interpret that, the greater the
> > number the more verbose? I just made some modification under /etc, created some file
>
> That would be the alert level. It does not change verbosity, just the
> level of the alert.
>
> > modified other just to test, but still have no e-mail, I'm only getting an
> > e-mail regarding a service log and nothing else, which is the parameter to
> > tell ossec to send all the issues?
>
> For the new file, you probably need a full syscheck scan for it to be
> picked up.
> For the modified file, if it's already in the syscheck db, you should
> be alerted relatively quickly (if realtime is enabled and currently
> running).
>
> Other than that, OSSEC should send all alerts.
>
> > Last question:
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >
> > Which service is not started? The doc says the package inotify should be
> > installed and I have it: inotify-tools-3.13-2.el6.art.x86_64
>
> That doesn't indicate that a service hasn't started, just that the
> realtime feature hasn't started working yet.
> There's a delay for realtime to start.
>
> > Thank you very much!!
> > Regards
Re: [ossec-list] Agent Duplicate Folders Message
Hi

Does this still apply? I have this option enabled: yes along with the realtime=yes.

From another post on the list:
> In the past new files were not alerted in real time. I'm not sure if
> this has changed. Any of the developers know?

Another question, by reading this
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
I can see that there are values that can be adjusted, for example host information, by default 8, how do I interpret that, the greater the number the more verbose?

I just made some modification under /etc, created some file, modified other just to test, but still have no e-mail, I'm only getting an e-mail regarding a service log and nothing else, which is the parameter to tell ossec to send all the issues?

Last question:

2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).

Which service is not started? The doc says the package inotify should be installed and I have it: inotify-tools-3.13-2.el6.art.x86_64

Thank you very much!!

Regards

On Thursday, 13 October 2016, 10:32:16 (UTC-3), dan (ddpbsd) wrote:

> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote:
> >
> > Hi
> > Let's see, shouldn't I have to configure on each tag to which directory I
> > want to apply it? As in check_all, directories, realtime and which
> > directories, or are they global parameters? That's why I included home and
> > root on both of them.
>
> Each option applies to the directories configured in it.
>
> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
>
> This checks all of the hashes, owner, and permissions.
>
> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>
> This does realtime checks of all of the above, and should produce an
> error because the "/root," "/home," and "/etc" directories are
> duplicated.
> Duplication of directories can cause issues, so it's best not to do
> it. The way to solve this is not to duplicate these directories in the
> second configuration by not including them in the first.
> For example:
>
> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes">/root,/home,/etc</directories>
>
> Now, if you want to add "report_changes" to /etc, you'll have to
> remove it from the above configuration. You'll end up with:
>
> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes">/root,/home</directories>
> <directories realtime="yes" report_changes="yes">/etc</directories>
>
> > Thank you very much
> > Best Regards
Re: [ossec-list] Agent Duplicate Folders Message
Thank you very much for your clarification, now it's much clearer to me!!!

Regards

On Thursday, 13 October 2016, 10:32:16 (UTC-3), dan (ddpbsd) wrote:

> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote:
> >
> > Hi
> > Let's see, shouldn't I have to configure on each tag to which directory I
> > want to apply it? As in check_all, directories, realtime and which
> > directories, or are they global parameters? That's why I included home and
> > root on both of them.
>
> Each option applies to the directories configured in it.
>
> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
>
> This checks all of the hashes, owner, and permissions.
>
> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>
> This does realtime checks of all of the above, and should produce an
> error because the "/root," "/home," and "/etc" directories are
> duplicated.
> Duplication of directories can cause issues, so it's best not to do
> it. The way to solve this is not to duplicate these directories in the
> second configuration by not including them in the first.
> For example:
>
> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes">/root,/home,/etc</directories>
>
> Now, if you want to add "report_changes" to /etc, you'll have to
> remove it from the above configuration. You'll end up with:
>
> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes">/root,/home</directories>
> <directories realtime="yes" report_changes="yes">/etc</directories>
>
> > Thank you very much
> > Best Regards
Re: [ossec-list] Agent Duplicate Folders Message
Hi

Let's see, shouldn't I have to configure on each tag to which directory I want to apply it? As in check_all, directories, realtime and which directories, or are they global parameters? That's why I included home and root on both of them.

<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/root,/home,/etc</directories>

Thank you very much

Best Regards

On Wednesday, 12 October 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

> On Oct 12, 2016 4:49 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>
> You have "/root" in both of the above entries.
>
> Why do you have all of these empty entries? They're not checking anything,
> I'm actually a little surprised they didn't cause more problems.
>
> > Where is that data duplicated? I noticed that under the shared directory
> > there is an agent.conf which contains
> >
> > <directories>/etc,/usr/bin,/usr/sbin</directories>
> > <directories>/bin,/sbin</directories>
> >
> > Is that configuration file taken into account? If I remove it it's
> > created once again.
>
> Yes, that file also provides configuration. It's provided by the OSSEC
> server.
>
> > Thank you for your time and support
> > Regards
Re: [ossec-list] Agent Duplicate Folders Message
Hi

Is this much better now? Is realtime a global option (realtime to all) or do I have to tell on which directories I want the realtime monitoring?

/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
/root,/home,/etc
/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin

Thank you very much for your patience.

Regards

On Wednesday, 12 October 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

> On Oct 12, 2016 4:49 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>
> You have "/root" in both of the above entries.
>
> Why do you have all of these empty entries? They're not checking anything,
> I'm actually a little surprised they didn't cause more problems.
>
> > Where is that data duplicated? I noticed that under the shared directory
> > there is an agent.conf which contains
> >
> > <directories>/etc,/usr/bin,/usr/sbin</directories>
> > <directories>/bin,/sbin</directories>
> >
> > Is that configuration file taken into account? If I remove it it's
> > created once again.
>
> Yes, that file also provides configuration. It's provided by the OSSEC
> server.
>
> > Thank you for your time and support
> > Regards
Re: [ossec-list] Agent Duplicate Folders Message
Hi

Ok, so, are those global variables? I thought I had to specify for every tag to which directory I want it to apply that configuration, that's why I included root and home on both, realtime and check_all.

<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/root,/home,/etc</directories>

So, I do have to include the directories, right? Makes sense, my bad.

Thank you very much

Best Regards

On Wednesday, 12 October 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

> On Oct 12, 2016 4:49 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>
> You have "/root" in both of the above entries.
>
> Why do you have all of these empty entries? They're not checking anything,
> I'm actually a little surprised they didn't cause more problems.
>
> > Where is that data duplicated? I noticed that under the shared directory
> > there is an agent.conf which contains
> >
> > <directories>/etc,/usr/bin,/usr/sbin</directories>
> > <directories>/bin,/sbin</directories>
> >
> > Is that configuration file taken into account? If I remove it it's
> > created once again.
>
> Yes, that file also provides configuration. It's provided by the OSSEC
> server.
>
> > Thank you for your time and support
> > Regards
[ossec-list] Agent Duplicate Folders Message
Hi there guys,

When starting the agent I get this info:

Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.

2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.

This is what I configured:

<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/root,/home,/etc</directories>

Where is that data duplicated? I noticed that under the shared directory there is an agent.conf which contains

<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin</directories>

Is that configuration file taken into account? If I remove it it's created once again.

Thank you for your time and support

Regards
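The two things dan points out in this thread, that every directory should sit in exactly one `<directories>` entry and that the server-pushed agent.conf is merged with the agent's own ossec.conf, are easy to check before restarting an agent. The script below is an added example, not OSSEC code: it reads the syscheck `<directories>` entries from both files, reports any directory that appears more than once (the condition behind the "Duplicated directory given" errors above, compared literally, with no path normalisation) and any empty entry (dan's "empty entries" remark). The three configs are constructed stand-ins that mirror the original report and dan's corrected layout. Note the synthetic root wrapper in `parse_ossec_xml`: OSSEC files routinely hold several top-level elements, which is also why xmllint reports "Extra content at the end of the document" on decoder.xml in the other thread on this page.

```python
"""Lint OSSEC syscheck <directories> entries for duplicated and empty entries
across the local ossec.conf and the shared agent.conf. Added example, not
OSSEC code; all three configs below are constructed."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the poster's ossec.conf: /root, /home and /etc are
# in two entries, a third entry is empty, and a second top-level
# <ossec_config> element is present, as in real OSSEC files.
LOCAL_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
    <directories></directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <active-response><disabled>yes</disabled></active-response>
</ossec_config>
"""

# Constructed stand-in for the shared agent.conf pushed by the server.
SHARED_AGENT_CONF = """
<agent_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>
"""

# dan's corrected layout: every directory in exactly one entry.
CORRECTED_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes">/root,/home</directories>
    <directories realtime="yes" report_changes="yes">/etc</directories>
  </syscheck>
</ossec_config>
"""


def parse_ossec_xml(text):
    """OSSEC config files may contain several top-level elements, which a
    strict parser rejects ('Extra content at the end of the document'), so
    wrap the whole file in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def syscheck_entries(text):
    """Yield the list of directories of each syscheck <directories> entry,
    in file order; an empty entry yields an empty list."""
    root = parse_ossec_xml(text)
    for syscheck in root.iter("syscheck"):
        for node in syscheck.findall("directories"):
            raw = (node.text or "").strip()
            yield [d.strip() for d in raw.split(",") if d.strip()]


def lint_syscheck(sources):
    """sources maps a file label to its XML text. Returns (duplicates, empties):
    duplicates maps a directory to every 'label#entry' it appears in when that
    is more than one place; empties lists entries with no directory at all."""
    seen = {}
    empties = []
    for label, text in sources.items():
        for index, dirs in enumerate(syscheck_entries(text)):
            where = f"{label}#{index}"
            if not dirs:
                empties.append(where)
            for directory in dirs:
                seen.setdefault(directory, []).append(where)
    duplicates = {d: places for d, places in seen.items() if len(places) > 1}
    return duplicates, empties


if __name__ == "__main__":
    dups, empties = lint_syscheck({"ossec.conf": LOCAL_OSSEC_CONF,
                                   "agent.conf": SHARED_AGENT_CONF})
    for directory, places in sorted(dups.items()):
        print(f"duplicated directory {directory!r}: {', '.join(places)}")
    for where in empties:
        print(f"empty <directories> entry: {where}")
    print("corrected ossec.conf:", lint_syscheck({"ossec.conf": CORRECTED_OSSEC_CONF}))
```

Run against the two constructed files it flags /root and /home (twice in ossec.conf), /etc (both ossec.conf entries plus agent.conf), /bin, /sbin, /usr/bin and /usr/sbin (ossec.conf plus agent.conf) and the empty third entry; dan's corrected ossec.conf lints clean on its own, and the shared agent.conf would need the same reconciliation against it.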
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Really do not know, just installed it from the repo and tried to start the service.
Thanks
Regards

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys
The remote service was not starting, now it's up and running, and I have to say that this was pure pain!!

/var/ossec/bin/ossec-remoted -df
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.

netstat -antuwp | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted

Thank you very much!
Regards

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
These are my udp ports:

udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:8231 0.0.0.0:*
udp 0 0 127.0.0.1:703 0.0.0.0:*
udp 0 0 0.0.0.0:51797 0.0.0.0:*
udp 0 0 127.0.0.1:3030 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:627 0.0.0.0:*
udp 0 0 10.77.1.147:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::41574 :::*
udp 0 0 :::111 :::*
udp 0 0 :::627 :::*
udp 0 0 fe80::250:56ff:fe88:2b2b:123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*

On the remote section I've got the following (the documentation says it will take default values):

secure

Thank you for your time and support
Regards

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys
Well, after fixing lots of permissions it seems it's working now:

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

Now, which is the port that should be listening for agent connections?

From the client:
Trying to connect to server (x.x.x.x:1514)

On the server:
lsof -i:1514 (nothing)

Thanks in advance.
Regards

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
chmod 777 /var/ossec/queue/ossec/queue

z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
After correcting some permissions I've got some upgrades, but still some processes complain about the queue.

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 1 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...

tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.

On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
> [original post quoted in full; see the first message of this thread below]
[ossec-list] Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys,
Yes, I've been reading about the error on the list, lots of cases, and I got it too, but I've run out of ideas.

The log:

2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

The queue
srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue

Also read that local_rules may have issues; tested with -t and no errors displayed, also with xmllint

xmllint local_rules.xml
--SNIP-

There is a file also under /var/ossec/etc/decoder.xml that seems not good, is that correct?

xmllint decoder.xml
decoder.xml:52: parser error : Extra content at the end of the document
^

And found this:

xmllint ossec.conf
ossec.conf:74: parser error : Comment not terminated

Line 74, what's missing here?

72000

ossec-hids-2.8.3-53.el6.art.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-wui-0.8-4.el6.art.noarch

Thanks for your time and support
Regards
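An added example, not part of this thread and not OSSEC's own code: /var/ossec/queue/ossec/queue is a Unix datagram socket that ossec-analysisd creates and reads, and every other daemon on the manager connects to it to hand over events. "Connection refused" on such a socket means the socket file is present but no process is bound to it, which is what happens when analysisd is not running (the ossec-control status output earlier in the thread shows ossec-analysisd as not running); a permission problem on the socket would surface as "Permission denied" instead, so widening the mode with chmod 777, as tried earlier in the thread, does not address this error and leaves a world-writable event sink behind. The probe below classifies the three states and reproduces them in a temporary directory, so it runs without an OSSEC installation; the function names and the temporary path are mine.

```python
import errno
import os
import socket
import tempfile


def queue_status(path):
    """Connect to a Unix datagram socket the way an OSSEC daemon opens the analysisd
    queue, and classify the outcome instead of only printing the errno."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "ok"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            # Socket file exists but nothing is bound to it: the reader (analysisd
            # for this queue) is not running. Not a permission problem.
            return "refused"
        if e.errno == errno.ENOENT:
            # No socket file at all: the reader never started, or the path is wrong.
            return "missing"
        if e.errno in (errno.EACCES, errno.EPERM):
            # Only this case is about the mode/ownership of the socket or its directory.
            return "denied"
        raise
    finally:
        s.close()


def demo():
    """Constructed scenario: walk a throwaway socket through the three states."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "queue")
    results = {}

    results["no socket file"] = queue_status(path)

    reader = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    reader.bind(path)                      # a live reader, like a running analysisd
    results["reader running"] = queue_status(path)

    reader.close()                         # reader gone; the socket file stays behind
    results["reader dead, file left behind"] = queue_status(path)

    os.unlink(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:32s} -> {verdict}")
```

To check a real manager, run `queue_status('/var/ossec/queue/ossec/queue')` as the ossec user: "refused" means start (or fix the crash of) ossec-analysisd and leave the socket mode alone; "denied" is the only result where ownership or mode of the socket and of /var/ossec/queue/ossec needs attention.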