Hello List,

Has anyone experienced problems that Ossec doesn't start up when set in debug mode 1 or 2? Strange behaviour.

It's a local installation and when starting up it ends with:
Queue /var/ossec/queue/ossec/queue not accessible (5 times) and then ends with
Unable to access queue ..... Giving up.

Any idea??
Dear list (and Magnus :-) )

Because there's the new version 1 and the problems we have are with version 0.9.3, we tried deploying version 1 and BINGO!
Although we still deploy the Local installation, Ossec seems to be running fine now.
Can't find anything relevant in the changelog regarding the problems we've had, but we're almost there.
Looking good and continuing.

Thanks
Jos van Hout
Hi Jos

Have you checked on user creation during compile, ossecm, ossecr, ossece, etc. and ownership? From my experience with 5.3 it doesn't seem to create the users, resulting in wrong ownership of files and directories under the ossec root directory. Note, I ran into different problems on a 5.2 machine (ugly compile errors). Maybe this has something to do with the Linux environment on AIX machines in general, since there are so many different versions for different OS levels floating around.

Hope this helps.

Magnus
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On Behalf Of Hout, Jos van
Sent: 30 January 2007 13:48
To: ossec-list@xxxxxxxxx
Subject: [ossec-list] Problems with Ossec on AIX
Dear list,

We have compiled Ossec on AIX 5.1 and deployed it on another AIX 5.1 system, and have chosen Local as the installation type. Compilation is without errors. Debugging for Analysisd is set to 2. When Ossec is started all processes start. After a few seconds logcollector and analysisd stop with the following error (see ossec.log below):
# more ./logs/ossec.log
2007/01/30 13:32:55 ossec-maild: E-Mail notification disabled. Clean Exit.
2007/01/30 13:32:56 ossec-execd: Started (pid: 843924).
2007/01/30 13:32:56 ossec-analysisd: Total rules enabled: '0'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
2007/01/30 13:32:56 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2007/01/30 13:32:56 ossec-logcollector: DEBUG: Waiting main daemons to settle.
2007/01/30 13:32:58 ossec-syscheckd: Started (pid: 573470).
2007/01/30 13:33:02 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2007/01/30 13:33:02 ossec-logcollector(1950): Analyzing file: '/data/PD/logs/www/request.log'.
2007/01/30 13:33:02 ossec-logcollector: Started (pid: 704610).
2007/01/30 13:33:22 ossec-logcollector: DEBUG: Reading syslog message: 'x.x.x.x - Unauth [30/Jan/2007:13:33:03 +0100] "HEAD / HTTP/1.0" 200 0'
2007/01/30 13:33:22 ossec-logcollector: socketerr.
2007/01/30 13:33:22 ossec-logcollector(1224): Error sending message to queue.
2007/01/30 13:33:25 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2007/01/30 13:33:25 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
And I end up with the following status for the Ossec processes:
# ./bin/ossec-control status
ossec-monitord is running...
ossec-logcollector not running...
ossec-syscheckd is running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd is running...
root@epoqws1:/var/ossec
From the Ossec site I gather that the queue error is because analysisd is not running - Ossec does not seem to be able to read in the rules.

I think that Ossec is a beautiful product and has exactly the functionality that we need. Running Ossec on AIX however isn't that straightforward and I cannot find that much info about it. I've already changed from a server-client setup to a Local setup in the hope that that would be running smoothly. I very much hope that somebody can give me a clue about what to change in order to make Ossec function well.

Very much hope for any info.

Jos van Hout
The Netherlands
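Added example, not code from the thread or from the OSSEC project: a POSIX sh check for the two points raised above, whether the ossecm/ossecr/ossece users exist and whether the queue socket that logcollector reports as "not accessible" is present at all. The user names and queue path are the ones given in this thread; the OSSEC root directory is a parameter (default /var/ossec) so the check can be run against a test tree, and the return codes are this script's own convention.

```shell
#!/bin/sh
# Added diagnostic for the symptoms in this thread (not OSSEC's own code).
# Checks the two things raised above: do the OSSEC users exist, and is the
# analysisd queue socket that logcollector reports as "not accessible"
# actually present and a UNIX socket, and who owns its directory.

# check_users: returns the number of missing OSSEC users (0 = all present).
check_users() {
    missing=0
    for u in ossecm ossecr ossece; do
        if ! id "$u" >/dev/null 2>&1; then
            echo "missing user: $u (install did not create it?)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_queue ROOT: 0 = socket present, 1 = path missing (analysisd is what
# creates it, so it is probably not running), 2 = present but not a socket.
check_queue() {
    root=${1:-/var/ossec}
    q="$root/queue/ossec/queue"
    if [ ! -e "$q" ]; then
        echo "queue path missing: $q; is ossec-analysisd running?"
        return 1
    fi
    if [ ! -S "$q" ]; then
        echo "queue path exists but is not a UNIX socket: $q"
        return 2
    fi
    # Wrong ownership under the ossec root is the failure mode described in
    # the reply above, so show the queue directory's owner for comparison.
    owner=$(ls -ld "$root/queue/ossec" | awk '{print $3}')
    echo "queue socket ok, queue dir owned by: $owner"
    return 0
}

# Set OSSEC_CHECK_RUN=1 to run both checks when executing the script directly;
# OSSEC_ROOT overrides the default root.
if [ -n "${OSSEC_CHECK_RUN:-}" ]; then
    check_users
    check_queue "${OSSEC_ROOT:-/var/ossec}"
fi
```

Run it as root on the OSSEC host (`OSSEC_CHECK_RUN=1 sh ossec_check.sh`); a missing user plus a missing socket matches the combination of symptoms reported in this thread.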