Dear All,
Please bear with my simple overview; I request some guidance in addressing this issue.
In our Linux system, we are trying to incorporate intrusion detection and file integrity monitoring alerts. For this, OSSEC seems to be the best open source option available in the market.
System Configuration:
OSSEC in server mode: Debian 8 (Jessie)
The compilation was successful:
root@debian:/opt/ossecData# /opt/venkat/ossecData/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
System is running fine.
However, I tried the same on the CLIENT machine ()
OSSEC in server mode: Debian 6 (Squeeze)
Installation completed successfully,
but when I tried to start the OSSEC agent:
root@vir-deb:/opt/ossecData# /opt/ossecData/bin/ossec-control start
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Deleting PID file '/opt/ossecData/var/run/ossec-logcollector-5760.pid' not used...
Deleting PID file '/opt/ossecData/var/run/ossec-agentd-5756.pid' not used...
ossec-execd already running...
2016/05/24 15:25:16 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
2016/05/24 15:25:19 ossec-syscheckd(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' not accessible: 'Connection refused'.
2016/05/24 15:25:19 ossec-rootcheck(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' not accessible: 'Connection refused'.
2016/05/24 15:25:27 ossec-syscheckd(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' not accessible: 'Connection refused'.
2016/05/24 15:25:27 ossec-rootcheck(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' not accessible: 'Connection refused'.
2016/05/24 15:25:40 ossec-syscheckd(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' not accessible: 'Connection refused'.
2016/05/24 15:25:40 ossec-rootcheck(1211): ERROR: Unable to access queue: '/opt/ossecData/queue/ossec/queue'. Giving up..
According to the docs for this error code, they ask to look at the status of ossec-analysisd. But in my case, on my client machine, I am unable to locate ossec-analysisd.
-r-xr-x--- 1 root ossec 247218 May 24 14:39 agent-auth
-r-xr-x--- 1 root ossec 250505 May 24 14:39 manage_agents
-r-xr-x--- 1 root ossec 501580 May 24 14:39 ossec-agentd
-r-xr-x--- 1 root ossec 4834 Oct 13 2015 ossec-control
-r-xr-x--- 1 root ossec 105035 May 24 14:38 ossec-execd
-r-xr-x--- 1 root ossec 384947 May 24 14:39 ossec-logcollector
-r-xr-x--- 1 root ossec 174370 May 18 17:38 ossec-lua
-r-xr-x--- 1 root ossec 117632 May 18 17:38 ossec-luac
-r-xr-x--- 1 root ossec 499976 May 24 14:39 ossec-syscheckd
-r-xr-x--- 1 root ossec 4360 Oct 13 2015 util.sh
Am I missing something?
Regards
Venkat.S
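Added example (not from the original post or from the OSSEC project): a small POSIX sh check for the situation above. On an agent install the Unix socket queue/ossec/queue is created and served by ossec-agentd, while ossec-analysisd exists only on a server, so "Connection refused" from ossec-syscheckd on an agent points at ossec-agentd having exited. The check works out which daemon should own the socket and whether a live process matches its pid file; the install layout (bin/, var/run/<daemon>-<pid>.pid, queue/ossec/queue) is assumed from the OSSEC 2.8 tree shown in the post.

```shell
#!/bin/sh
# Added diagnostic for "Queue '.../queue/ossec/queue' not accessible".
# Assumed OSSEC 2.8 layout under $1: bin/, var/run/<daemon>-<pid>.pid,
# and the Unix socket queue/ossec/queue.

# Print "server" when ossec-analysisd is installed, otherwise "agent".
ossec_mode() {
    if [ -x "$1/bin/ossec-analysisd" ]; then echo server; else echo agent; fi
}

# The daemon that creates and listens on queue/ossec/queue in this mode.
# syscheckd and rootcheck only write to it; they never create it.
queue_owner() {
    case "$(ossec_mode "$1")" in
        server) echo ossec-analysisd ;;
        *)      echo ossec-agentd ;;
    esac
}

# Return 0 if any var/run/<daemon>-<pid>.pid names a process that is alive.
daemon_alive() {
    dir=$1; daemon=$2
    for f in "$dir"/var/run/"$daemon"-*.pid; do
        [ -f "$f" ] || continue          # unmatched glob: no pid files at all
        pid=$(cat "$f")
        kill -0 "$pid" 2>/dev/null && return 0
    done
    return 1
}

# Print a one-line verdict. Exit status: 0 healthy; 1 owner daemon is not
# running, so the socket refuses connections; 2 socket file never created.
diagnose_queue() {
    dir=$1
    owner=$(queue_owner "$dir")
    sock=$dir/queue/ossec/queue
    if ! daemon_alive "$dir" "$owner"; then
        echo "$(ossec_mode "$dir") install: $owner is not running; see $dir/logs/ossec.log for why it exited"
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "$owner is alive but $sock does not exist"
        return 2
    fi
    echo "$owner is running and $sock exists"
    return 0
}
```

Run it as `diagnose_queue /opt/ossecData` on the agent; a non-zero status with the "not running" verdict means the next place to look is the agent's own ossec.log rather than ossec-analysisd.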