Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil  wrote:
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>

I really wish SO would partition their system properly. Big /, nothing
else is very annoying.
Check permissions. Maybe things didn't copy over properly?

> On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>>
>> Do you have SELinux running in an enforcing mode? What is the output of
>> sestatus?
>>
>> Josh
>>
>> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic  wrote:
>>>
>>> Really do not know, just installed  it from repo and tried to start the
>>> service.
>>>
>>> Thanks
>>> Regards
>>>
>>> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:

>>>> Hi guys,
>>>> Yes, I've been reading the error on the list, lots of cases and I got it
>>>> too but I run out of idea.
>>>>
>>>> The log:
>>>>
>>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access
>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>
>>>> The queue
>>>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>>
>>>> Also read the local_rules may have issues, tested with -t and no errors
>>>> displayed also with xmllint
>>>>
>>>> xmllint local_rules.xml
>>>>
>>>> --SNIP-
>>>>
>>>> There is a file also under /var/ossec/etc/decoder.xml that seems not
>>>> good , is that correct?
>>>> xmllint decoder.xml
>>>> decoder.xml:52: parser error : Extra content at the end of the document
>>>>
>>>> ^
>>>>
>>>> And found this:
>>>>
>>>> xmllint  ossec.conf
>>>> ossec.conf:74: parser error : Comment not terminated
>>>>
>>>> Line 74, what's missing here?
>>>>
>>>> 72000
>>>>
>>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>>> ossec-wui-0.8-4.el6.art.noarch
>>>>
>>>> Thanks for your time and support
>>>> Regards
>>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>>
>>
>> --
>> Thanks,
>> Joshua Gimer
>>
>> ---
>>
>> http://www.linkedin.com/in/jgimer
>> http://twitter.com/jgimer
>

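The thread quotes two different failures: 'Connection refused' on the queue socket, and errno 13 when ossec-remoted opens a file under queue/rids. The sketch below is an added example, not part of any message in this thread and not OSSEC code; it classifies the quoted log lines, probes a socket path the way a queue client would, and lists owner and mode for every path component, which is the check to run after data has been copied to a new disk. It assumes the queue is a Unix datagram socket; `classify`, `probe_queue` and `chain` are hypothetical helper names.

```python
import errno
import os
import re
import socket
import stat
import tempfile

# Constructed sample: log lines quoted in this thread, re-joined where the
# mail client wrapped them.
SAMPLE_LOG = """\
2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
"""

LINE_RE = re.compile(
    r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d "
    r"(?P<daemon>[\w-]+)(?:\(\d+\))?: (?P<msg>.*)$"
)


def classify(line):
    """Return (daemon, cause) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    daemon, msg = m.group("daemon"), m.group("msg")
    if "Connection refused" in msg:
        # The socket file exists, but no process is bound to it.
        return daemon, "no-listener"
    code = re.search(r"errno: (\d+)", msg)
    if code:
        # Map the number to its symbolic name (13 is EACCES on Linux).
        number = int(code.group(1))
        return daemon, errno.errorcode.get(number, str(number))
    if "Giving up" in msg:
        return daemon, "gave-up"
    return daemon, "other"


def probe_queue(path):
    """Connect to a Unix datagram socket and name the outcome."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "denied"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    # Assumption: the queue is SOCK_DGRAM; a stream listener would fail here
    # with a different errno, which is returned by name.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.connect(path)
    except ConnectionRefusedError:
        return "stale"          # file left behind, nobody listening
    except PermissionError:
        return "denied"         # socket or a parent directory not accessible
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        client.close()
    return "listening"


def chain(path):
    """List (component, mode string, uid, gid) from / down to path."""
    current = os.path.abspath(path)
    parts = []
    while True:
        parts.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    rows = []
    for component in reversed(parts):
        st = os.lstat(component)
        rows.append((component, stat.filemode(st.st_mode), st.st_uid, st.st_gid))
    return rows


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    # Reproduce both socket states on a throwaway path, not the real queue.
    demo = os.path.join(tempfile.mkdtemp(), "queue")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(demo)
    print(probe_queue(demo))
    listener.close()            # the socket file stays on disk
    print(probe_queue(demo))
    for row in chain(demo):
        print(row)
```

Run the probe as the account the failing daemon uses; root bypasses the permission checks that produce errno 13.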


Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel  wrote:
> Perhaps this is way off base, but have you added an agent for localhost ? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>

You shouldn't have to add an agent for the localhost, it's
automatically considered agent 000.

> If I have one rant regarding OSSEC HIDS, it's the structure and quality of
> documentation: Sketchy at best... Doing a lot of poking in the dark to solve
> issues.
>

Please help: https://github.com/ossec/ossec-docs


>
> On Tuesday, October 11, 2016 at 2:22:03 PM UTC-4, Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue:
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good
>> , is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>


[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
Yeap, I have an agent on the localhost; actually now that is the only 
active one. Rest all are disconnected since 
ossec-remoted is not running

On Tuesday, 11 April 2017 00:04:46 UTC+5:30, Felix Martel wrote:
>
> Perhaps this is way off base, but have you added an agent for localhost ? 
> In my context of a new install, a ton of issues went away after I added an 
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the 
> key or anything. Once I did that, my queue errors went away and my agents 
> started reporting.
>
> If I have one rant regarding OSSEC HIDS, it's the structure and quality of 
> documentation: Sketchy at best... Doing a lot of poking in the dark to 
> solve issues.
>
> On Tuesday, October 11, 2016 at 2:22:03 PM UTC-4, Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it 
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors 
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good 
>> , is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>
>>



Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
The issue started after I added in more disk since I ran out of space in /

On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>
> Do you have SELinux running in an enforcing mode? What is the output of 
> sestatus?
>
> Josh
>
> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic wrote:
>
>> Really do not know, just installed  it from repo and tried to start the 
>> service.
>>
>> Thanks
>> Regards
>>
>> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>>> Hi guys,
>>> Yes, I've been reading the error on the list, lots of cases and I got it 
>>> too but I run out of idea.
>>>
>>> The log:
>>>
>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access 
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>
>>> The queue
>>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>
>>> Also read the local_rules may have issues, tested with -t and no errors 
>>> displayed also with xmllint
>>>
>>> xmllint local_rules.xml
>>> 
>>> --SNIP-
>>> 
>>> 
>>> 
>>>
>>> There is a file also under /var/ossec/etc/decoder.xml that seems not 
>>> good , is that correct?
>>> xmllint decoder.xml
>>> decoder.xml:52: parser error : Extra content at the end of the document
>>> 
>>> ^
>>>
>>> And found this:
>>>
>>> xmllint  ossec.conf
>>> ossec.conf:74: parser error : Comment not terminated
>>> 
>>>
>>> Line 74, what's missing here?
>>>
>>>  
>>> 
>>> 72000
>>>
>>>
>>>
>>>
>>>
>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>> ossec-wui-0.8-4.el6.art.noarch
>>>
>>> Thanks for your time and support
>>> Regards
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>
>
> -- 
> Thanks,
> Joshua Gimer
>
> ---
>
> http://www.linkedin.com/in/jgimer
> http://twitter.com/jgimer
>



[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Felix Martel
Perhaps this is way off base, but have you added an agent for localhost ? 
In my context of a new install, a ton of issues went away after I added an 
agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the 
key or anything. Once I did that, my queue errors went away and my agents 
started reporting.

If I have one rant regarding OSSEC HIDS, it's the structure and quality of 
documentation: Sketchy at best... Doing a lot of poking in the dark to 
solve issues.

On Tuesday, October 11, 2016 at 2:22:03 PM UTC-4, Kernel Panic wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it 
> too but I run out of idea.
>
> The log:
>
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read the local_rules may have issues, tested with -t and no errors 
> displayed also with xmllint
>
> xmllint local_rules.xml
> 
> --SNIP-
> 
> 
> 
>
> There is a file also under /var/ossec/etc/decoder.xml that seems not good 
> , is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> 
> ^
>
> And found this:
>
> xmllint  ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> 
>
> Line 74, what's missing here?
>
>  
> 
> 72000
>
>
>
>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards
>
>
>
>
>
>
>
>
>



Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Joshua Gimer
Do you have SELinux running in an enforcing mode? What is the output of
sestatus?

Josh

On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic 
wrote:

> Really do not know, just installed  it from repo and tried to start the
> service.
>
> Thanks
> Regards
>
> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue:
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good
>> , is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>
>



-- 
Thanks,
Joshua Gimer

---

http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer



[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
I am getting the exact same error -

2017/04/10 18:03:02 ossec-remoted: Unable to open agent file. errno: 13
2017/04/10 18:03:02 ossec-remoted(1103): ERROR: Unable to open file 
'/queue/rids/1024'.

how did you manage to get ossec-remoted back up and running?

On Wednesday, 12 October 2016 20:00:47 UTC+5:30, Kernel Panic wrote:
>
> Hi guys
> The remote service was not starting, now it up and running, and have to 
> say that this was pure pain!!
>
> */var/ossec/bin/ossec-remoted -df*
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: 
> Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer 
> set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys 
> file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> *2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file 
> '/queue/rids/001'.* 
>
> netstat -antuwp | grep ossec
> udp        0      0 0.0.0.0:1514            0.0.0.0:*                           21908/ossec-remoted
>
> Thank you very much!
> Regards
>
>
> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it 
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors 
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good 
>> , is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>
>>



[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
Really do not know, just installed  it from repo and tried to start the 
service.

Thanks
Regards

On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it 
> too but I run out of idea.
>
> The log:
>
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read the local_rules may have issues, tested with -t and no errors 
> displayed also with xmllint
>
> xmllint local_rules.xml
> 
> --SNIP-
> 
> 
> 
>
> There is a file also under /var/ossec/etc/decoder.xml that seems not good 
> , is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> 
> ^
>
> And found this:
>
> xmllint  ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> 
>
> Line 74, what's missing here?
>
>  
> 
> 72000
>
>
>
>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards
>
>
>
>
>
>
>
>
>



Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread dan (ddp)
On Wed, Oct 12, 2016 at 10:30 AM, Kernel Panic  wrote:
> Hi guys
> The remote service was not starting, now it up and running, and have to say
> that this was pure pain!!
>

It would be interesting to find out what happened to your setup to
give you such troubles.

> /var/ossec/bin/ossec-remoted -df
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO:
> Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer
> set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents
> allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys
> file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> 2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file
> '/queue/rids/001'.
>
>
> netstat -antuwp | grep ossec
> udp        0      0 0.0.0.0:1514            0.0.0.0:*                           21908/ossec-remoted
>
> Thank you very much!
> Regards
>
>
> On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading the error on the list, lots of cases and I got it
>> too but I run out of idea.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue:
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read the local_rules may have issues, tested with -t and no errors
>> displayed also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is a file also under /var/ossec/etc/decoder.xml that seems not good
>> , is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>
>>
>>
>>
>>
>>
>>
>>


[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
Hi guys
The remote service was not starting, now it up and running, and have to say 
that this was pure pain!!

*/var/ossec/bin/ossec-remoted -df*
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
*2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.*

netstat -antuwp | grep ossec
udp        0      0 0.0.0.0:1514                0.0.0.0:*                   21908/ossec-remoted

Thank you very much!
Regards




[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
These are my udp ports:

udp        0      0 0.0.0.0:161                 0.0.0.0:*
udp        0      0 0.0.0.0:8231                0.0.0.0:*
udp        0      0 127.0.0.1:703               0.0.0.0:*
udp        0      0 0.0.0.0:51797               0.0.0.0:*
udp        0      0 127.0.0.1:3030              0.0.0.0:*
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 0.0.0.0:627                 0.0.0.0:*
udp        0      0 10.77.1.147:123             0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 :::41574                    :::*
udp        0      0 :::111                      :::*
udp        0      0 :::627                      :::*
udp        0      0 fe80::250:56ff:fe88:2b2b:123 :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*

In the remote section I've got the following (the documentation says it 
will take default values)

 
secure
  

Thank you for your time and support
Regards






[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
Hi guys
Well, after fixing lots of permissions it seems it's working now:

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...


Now, which is the port that should be listening for agent connections?

From the client:
Trying to connect to server (x.x.x.x:1514)

On the server:

lsof -i:1514 (nothing)

Thanks in advance.
Regards






Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread dan (ddp)
On Wed, Oct 12, 2016 at 9:09 AM, Kernel Panic  wrote:
>
> chmod 777 /var/ossec/queue/ossec/queue
> z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
> 2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
> 2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>

Make sure you're starting these in the correct order. Based on an
`ossec-control start` I get the following order:
ossec-maild
ossec-execd
ossec-analysisd
ossec-logcollector
ossec-remoted
ossec-syscheckd
ossec-monitord

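What 'Connection refused' on the queue means at the socket level, as an added example that is not part of the original thread: the queue is a Unix datagram socket, and connecting to one whose socket file exists but has no process bound to it fails with ECONNREFUSED whatever the file mode is, which is why chmod 777 changed nothing and why the listening daemon (on an OSSEC server, ossec-analysisd for queue/ossec/queue) has to be up before its clients. The temp-dir path and the names probe_queue and demo are hypothetical stand-ins, not OSSEC code.

```python
import errno
import os
import socket
import stat
import tempfile


def probe_queue(path):
    """Classify a Unix datagram queue socket the way a client daemon sees it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"              # the listener never created the socket
    except PermissionError:
        return "permission-denied"    # a parent directory is not searchable
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"         # e.g. replaced by a regular file in a copy

    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.connect(path)
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # Socket file is present but nothing is bound to it: the
            # listening daemon is down or has not started yet.
            return "no-listener"
        if exc.errno in (errno.EACCES, errno.EPERM):
            # Only this case is helped by fixing ownership or mode.
            return "permission-denied"
        raise
    finally:
        client.close()
    return "listening"


def demo():
    """Build a stand-in queue in a temp dir and probe it in each state."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        queue = os.path.join(tmp, "queue")    # constructed stand-in path
        results["before-start"] = probe_queue(queue)

        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(queue)                  # what the listening daemon does
        results["daemon-up"] = probe_queue(queue)

        listener.close()                      # daemon exits; socket file stays
        results["daemon-down"] = probe_queue(queue)

        os.chmod(queue, 0o777)                # the change tried in the thread
        results["after-chmod-777"] = probe_queue(queue)
    return results


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:16} {verdict}")
```

A "no-listener" verdict points at the daemon that should own the socket; a "permission-denied" verdict points at ownership or mode of the socket or its parent directories.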


[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic

chmod 777 /var/ossec/queue/ossec/queue
z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.





[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
After correcting some permissions I've got some upgrades, but some 
processes still complain about the queue.

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 1 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...

tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.







[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-12 Thread Kernel Panic
Hi

I did not modify that file; I realized some of them were in XML format and 
just wanted to check.
This is what I get running the services manually with -df:

2016/10/12 07:31:20 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: Starting queue ...
2016/10/12 07:31:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

2016/10/12 07:34:23 ossec-monitord: DEBUG: Starting ...
2016/10/12 07:34:23 ossec-monitord: INFO: Chrooted to directory: /var/ossec, using user: ossec
2016/10/12 07:34:23 ossec-monitord: INFO: Started (pid: 12499).
2016/10/12 07:34:36 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:34:36 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..


2016/10/12 07:46:50 ossec-analysisd: DEBUG: FTSInit completed.
2016/10/12 07:46:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2016/10/12 07:46:56 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2016/10/12 07:46:59 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd: DEBUG: Active response Init completed.
2016/10/12 07:46:59 alerts: Error opening logfile: '/logs/alerts/2016/Oct/ossec-alerts-12.log'

var/ossec/queue/alerts# ls -la
srwxrwxrwx.  1 apache ossec    0 Oct 12 07:52 ar
srw-rw.  1 apache ossec    0 Oct 11 15:55 execq

ls -la logs/archives/2016/Oct/ossec-archive-12.log
-rw-r-. 2 apache ossec 0 Oct 12 07:43 logs/archives/2016/Oct/ossec-archive-12.log


ossec-remoted: Error accessing file '/etc/shared/system_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_trojans.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_files.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel5_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_malware_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_debian_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_applications_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/system_audit_ssh.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel6_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel7_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: DEBUG: Running manager_init
2016/10/12 07:58:32 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:58:32 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..

/var/ossec/etc/shared# ls -la
total 204
drwxrwxr-x. 2 ossec  ossec  4096 Oct 11 09:23 .
drwxrwxr-x. 6 apache ossec  4096 Oct 11 15:47 ..
-rw-rw. 1 ossec  ossec  2949 Apr  8  2016 agent.conf
-rw-rw. 1 ossec  ossec   153 Oct 12 07:53 ar.conf
-rw-rw. 1 ossec  root  11136 Apr  8  2016 cis_debian_linux_rcl.txt
-rw-rw. 1 ossec  root  31813 Apr  8  2016 cis_rhel5_linux_rcl.txt
-rw-rw. 1 ossec  root  30004 Apr  8  2016 cis_rhel6_linux_rcl.txt
-rw-rw. 1 ossec  root  32808 Apr  8  2016 cis_rhel7_linux_rcl.txt
-rw-rw. 1 ossec  root  15845 Apr  8  2016 cis_rhel_linux_rcl.txt
-rw-rw. 1 ossec  ossec  3132 Oct 12 07:58 merged.mg
-rw-rw. 1 ossec  root  15942 Apr  8  2016 rootkit_files.txt
-rw-rw. 1 ossec  root   5301 Apr  8  2016 rootkit_trojans.txt
-rw-rw. 1 ossec  root   4958 Apr  8  2016 system_audit_rcl.txt
-rw-rw. 1 ossec  root   1774 Apr  8  2016 system_audit_ssh.txt
-rw-rw. 1 ossec  root   4829 Apr  8  2016 win_applications_rcl.txt
-rw-rw. 1 ossec  root   3944 Apr  8  2016 win_audit_rcl.txt
-rw-rw. 1 ossec  root   5005 Apr  8  2016 win_malware_rcl.txt


Thanks in advance.


El martes, 11 de octubre