On Oct 11, 2016 2:22 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it too but I ran out of ideas.
>
> The log:
>

Are there any errors before these messages?
Maybe try starting the daemons manually one at a time (with -df) to see which fails.

> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint
>
> xmllint local_rules.xml
> <?xml version="1.0"?>
> --SNIP-
> </group>
> <!-- SYSLOG,LOCAL -->
> <!-- EOF -->
>
> There is a file also under /var/ossec/etc/decoder.xml that seems not good, is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> <decoder name="pam">
> ^
>

Did you modify this file?
Does `ossec-logtest -t` complain about it?

> And found this:
>
> xmllint ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> <!-- Frequency that syscheck is executed
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>
> Line 74, what's missing here?
>

I see the "-->" there. Right after "hours." xmllint doesn't apply to ossec.

> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <frequency>72000</frequency>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
/var/ossec/bin/ossec-remoted -df
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
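
Added example, not part of any message in this thread: a small Python triage of the log lines posted above, grouping the failures by daemon and turning the numeric `errno: 13` from the ossec-remoted output into its symbolic name. The function name `triage`, the report field names and the `SAMPLE` text (lines copied from the thread) are assumptions made for the illustration.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: lines taken from the log excerpts quoted in this thread,
# including the one where a shell prompt is interleaved with daemon output.
SAMPLE = """\
2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
"""

# search() rather than match(), so a prompt printed before the timestamp is skipped.
LINE = re.compile(r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-[\w-]+)(?:\((\d+)\))?: (.*)$")

def triage(text):
    """Group the failures in OSSEC log text by the daemon that reported them."""
    report = defaultdict(lambda: {"queue_retries": 0, "gave_up": False,
                                  "errno": [], "unopened": []})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # blank lines or output without a timestamped daemon prefix
        _, daemon, msg_id, msg = m.groups()
        entry = report[daemon]
        # Numbers in parentheses are matched as they appear in the thread's log lines.
        if msg_id == "1210":            # queue socket refused the connection
            entry["queue_retries"] += 1
        elif msg_id == "1211":          # daemon stopped retrying
            entry["gave_up"] = True
        elif msg_id == "1103":          # file could not be opened
            entry["unopened"] += re.findall(r"'([^']+)'", msg)
        for num in re.findall(r"errno: (\d+)", msg):
            # Symbolic name for the numeric errno, e.g. 13 -> EACCES.
            entry["errno"].append(errno.errorcode.get(int(num), num))
    return dict(report)

if __name__ == "__main__":
    for daemon, entry in sorted(triage(SAMPLE).items()):
        print(daemon, entry)
```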