ossec-analysisd won't start, "could not create directory"


Joel

Jan 13, 2017, 2:28:42 PM
to ossec-list
hi all,

man, not having a good day.

I was starting to run out of space on my / volume as a result of ossec logs piling up. I need to keep the logs, so I added a new drive (to the ossec VMware VM), mounted it, and then moved the logs/ directory to the new mount.

Now, when starting ossec, ossec-analysisd won't start. I think it's trying to chroot and can't cross the filesystem boundary...?

2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init completed.
2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].

and

[root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
[root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
total 24
dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
lrwxrwxrwx   1 root  root    16 Jan 13 18:55 logs -> /data/logs/ossec
dr-xr-x---   4 root  root    34 Oct  6 13:37 lua
dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
drwx------   2 root  ossec    6 Oct  6 13:37 .ssh
drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
dr-xr-x--T   2 root  ossec    6 Oct  6 13:37 tmp
dr-xr-x---   3 root  root    20 Oct  6 13:37 update
dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var

Do I need to keep it all on the same volume?

thanks!

Joel

dan (ddp)

Jan 13, 2017, 3:32:07 PM
to ossec...@googlegroups.com
If you mounted the new drive under /var/ossec, you would probably be fine. /data is outside of the chroot.


Kat

Jan 24, 2017, 2:12:18 PM
to ossec-list
There is a work-around which I have used.
Dan is correct - you can't get to the folder outside of the chroot-ed jail. You can, however, bring the folder in via:

mount --bind /data/logs/ossec /var/ossec/logs

The trick is to bind the directory so the system still thinks it is part of the jail.

Cheers
Kat
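Why the symlink fails but a bind mount works comes down to how the kernel resolves paths for a chrooted process: every absolute path, including the target of an absolute symlink, is re-rooted at the jail, so ossec-analysisd follows `logs -> /data/logs/ossec` to `/var/ossec/data/logs/ossec`, which does not exist. A bind mount has no target to follow; the outside directory simply appears at the mount point. The following Python model is an added example, not OSSEC code or anything from this thread; the host directory set, the layouts and the function names (`resolve_in_chroot`, `check_layout`, `symlink_layout`, `bind_mount_layout`) are all constructed for illustration.

```python
"""Constructed model of chroot path resolution (added example; not OSSEC code).

Shows why a symlink out of /var/ossec gives ENOENT for the chrooted
ossec-analysisd, and why a bind mount of the same directory does not.
"""
import posixpath

JAIL = "/var/ossec"

# Constructed host directory set, just enough to model the layout in the thread.
HOST_DIRS = {
    "/", "/var", "/var/ossec", "/var/ossec/queue",
    "/data", "/data/logs", "/data/logs/ossec",
    "/data/logs/ossec/archives", "/data/logs/ossec/archives/2017",
}


def resolve_in_chroot(jail, path, links, depth=0):
    """Host path the kernel opens when a process chrooted into `jail` opens `path`.

    `links` maps host symlink paths to their targets. Absolute targets are
    re-rooted at the jail, and ".." never climbs above the jail root.
    """
    if depth > 40:
        raise OSError("too many levels of symbolic links")
    jail = jail.rstrip("/") or "/"
    current = jail
    for comp in [c for c in path.split("/") if c and c != "."]:
        if comp == "..":
            if current != jail:
                current = posixpath.dirname(current)
            continue
        candidate = posixpath.join(current, comp)
        target = links.get(candidate)
        if target is None:
            current = candidate                      # ordinary directory entry
        elif target.startswith("/"):
            # absolute symlink: resolved from the jail root, not the host root
            current = resolve_in_chroot(jail, target, links, depth + 1)
        else:
            joined = posixpath.normpath(posixpath.join(current, target))
            inside = joined == jail or joined.startswith(jail + "/")
            current = joined if inside else jail
    return current


def host_path_exists(host_path, host_dirs, binds):
    """Existence check on the constructed host tree. `binds` maps a bind-mount
    point to its source: a path under the mount point exists exactly when the
    same relative path exists under the source directory."""
    for mountpoint, source in binds.items():
        if host_path == mountpoint or host_path.startswith(mountpoint + "/"):
            return (source + host_path[len(mountpoint):]) in host_dirs
    return host_path in host_dirs


def check_layout(inside_path, links, binds, host_dirs=HOST_DIRS):
    """Return (host path as seen from inside the jail, whether it exists)."""
    host_path = resolve_in_chroot(JAIL, inside_path, links)
    return host_path, host_path_exists(host_path, host_dirs, binds)


def symlink_layout():
    """The failing layout: /var/ossec/logs is a symlink to the new volume."""
    return check_layout("/logs/archives/2017",
                        links={"/var/ossec/logs": "/data/logs/ossec"}, binds={})


def bind_mount_layout():
    """After `mount --bind /data/logs/ossec /var/ossec/logs` onto a real directory."""
    dirs = HOST_DIRS | {"/var/ossec/logs"}       # mount point must be a real dir
    return check_layout("/logs/archives/2017", links={},
                        binds={"/var/ossec/logs": "/data/logs/ossec"}, host_dirs=dirs)


if __name__ == "__main__":
    for name, fn in (("symlink", symlink_layout), ("bind mount", bind_mount_layout)):
        host, ok = fn()
        print(f"{name:10s} -> {host}  exists={ok}")
```

Two practical points follow from the model. The mount point has to be a real directory inside the jail, so the symlink at /var/ossec/logs is removed and replaced by an empty directory before mounting, and the source comes first on the command line (`mount --bind SOURCE MOUNTPOINT`). To survive a reboot the same mount goes in /etc/fstab as `/data/logs/ossec /var/ossec/logs none bind 0 0`. On Linux `mount --bind` is a kernel feature and needs no FUSE package; bindfs and sshfs are separate FUSE filesystems that can likewise be mounted at a path inside the jail.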

dan (ddp)

Jan 25, 2017, 7:48:21 AM
to ossec...@googlegroups.com
On Tue, Jan 24, 2017 at 2:12 PM, Kat <uncom...@gmail.com> wrote:
> There is a work-around which I have used.
> Dan is correct - you can't get to the folder outside of the chroot-ed jail.
> You can however, bring the folder in via:
>
> mount --bind /data/logs/ossec /var/ossec/logs
>
> The trick is to bind the directory so the system still thinks it is part of
> the jail.
>

Assuming you're using a system where this is supported:
[ddp@ix] :; man mount | grep bind
[ddp@ix] :;

Kat

Jan 25, 2017, 3:05:43 PM
to ossec-list
My bad - I should have explained "bind" a bit more. This is actually part of the FUSE filesystem (http://bindfs.org).
You will need to install fuse utils and userspace programs -- example:

#yum search fuse

fuse.x86_64 : File System in Userspace (FUSE) utilities
I could write it all up -- perhaps I will do a quick userguide doc that can be added to OSSEC.  I specifically use this method with sshfs to mount a larger file store on the backend of my OSSEC managers.

Kat


dan (ddp)

Jan 26, 2017, 6:39:28 AM
to ossec...@googlegroups.com
On Wed, Jan 25, 2017 at 3:05 PM, Kat <uncom...@gmail.com> wrote:
> My bad - I should have explained "bind" a bit more. This is actually part
> of the FUSE filesystem (http://bindfs.org)
> You will need to install fuse utils and Userspace programs -- example:
>
> #yum search fuse
>
>
> fuse.x86_64 : File System in Userspace (FUSE) utilities
>
>
> I could write it all up -- perhaps I will do a quick userguide doc that can
> be added to OSSEC. I specifically use this method with sshfs to mount a
> larger file store on the backend of my OSSEC managers.
>

It would possibly be a good candidate for this section of the documentation:
https://ossec.github.io/docs/cookbooks/index.html (excuse the obvious
typo, it's being corrected)

Kat

Jan 26, 2017, 9:22:31 AM
to ossec-list
I'll write something up and submit it.
Kat
