[Ossec-list] OSSEC seems to die occasionally

[kayvan at sylvan.com (Kayvan A. Sylvan)]

On Tue, Apr 18, 2006 at 01:39:11AM -0500, Thomas M. Jett wrote:
> 
> Check the file permissions on /var/ossec/queue  I had the same problem
> when I first installed ossec, and it became obvious pretty quick that
> that directory was the problem. All you'll have to do is change the
> permissions so that ossec can write to it.

I don't think that's the issue. I did not change the permissions
and OSSEC has been running just fine since it last crashed.

I think the ossec user just needs to be able to read what's in
/var/ossec/queue, not write to it. Daniel or someone else who knows,
please correct me if I am wrong.

# ls -l /var/ossec
total 72
dr-xr-x---  3 root  ossec 4096 Apr  5 11:14 active-response
dr-xr-x---  2 root  ossec 4096 Apr  5 11:14 bin
dr-xr-x---  3 root  ossec 4096 Apr 10 14:16 etc
drwxr-x---  5 ossec ossec 4096 Apr  5 11:14 logs
dr-xr-x---  8 root  ossec 4096 Apr  5 11:14 queue
dr-xr-x---  2 root  ossec 4096 Apr 15 11:10 rules
drwxr-x---  5 ossec ossec 4096 Apr  5 11:21 stats
dr-xr-x---  2 root  ossec 4096 Apr  5 11:14 tmp
dr-xr-x---  3 root  ossec 4096 Apr  5 11:14 var

# ps | grep oss
ossecm    7268     1  0 Apr17 ?        00:00:00 /var/ossec/bin/ossec-maild
root      7272     1  0 Apr17 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec     7276     1  0 Apr17 ?        00:01:52 /var/ossec/bin/ossec-analysisd
root      7280     1  0 Apr17 ?        00:00:00 /var/ossec/bin/ossec-logcollector
root      7286     1  0 Apr17 ?        00:01:20 /var/ossec/bin/ossec-syscheckd

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)