ossec-analysisd: Rules in an inconsistent state. Exiting


toddmichael

Sep 13, 2016, 4:19:19 AM
to ossec-list
When I start ossec-hids via init script, ossec-analysisd dies shortly thereafter with the following error:

2016/09/13 01:07:43 ossec-analysisd: Rules in an inconsistent state. Exiting.

Interestingly enough, I don't see this issue if I simply start ossec-analysisd by itself using:

/var/ossec/bin/ossec-analysisd -d

In this case, the last message I see is:

2016/09/13 01:17:28 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..

Config and system info below.  Appreciate any assistance.  Cheers.

Todd Michael

-------------

# version
OSSEC HIDS v2.8.3 - Trend Micro Inc.

-------------

# /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="2.8.3"
DATE="Fri Apr  8 14:30:15 EDT 2016"
TYPE="server"

-------------

# /var/ossec/etc/ossec.conf
<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
  <rootcheck>
    <disabled>no</disabled>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <global>
    <email_notification>yes</email_notification>
    <email_from>oss...@ossec1.domain.com</email_from>
    <email_to>m...@mydomain.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
    <log_alert_level>1</log_alert_level>
    <use_geoip>no</use_geoip>
  </alerts>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>

-------------

# uname
Linux ossec1-mgmt-usw2 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux



Jesus Linares

Sep 13, 2016, 5:40:31 AM
to ossec-list
Hi,

The <rules> section is missing in your ossec.conf. Did you remove it?

Regards.
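As an added example (not part of the thread and not OSSEC's own tooling), here is a small Python pre-start check for the condition Jesus diagnosed: ossec-analysisd loads its rule set from the <include> entries under <rules>, so a configuration without that section gives it nothing to load and it exits with "Rules in an inconsistent state". POSTED_CONF is a trimmed copy of the configuration from the first message; REPAIRED_CONF is a constructed variant with a <rules> section added. The required file names (rules_config.xml, local_rules.xml) are taken from the stock 2.8 ossec.conf and are an assumption of this check, not something the thread states.

```python
"""Added example: sanity-check the <rules> section of an ossec.conf before
(re)starting the service.  Not from the thread or the OSSEC project."""
import xml.etree.ElementTree as ET

# Assumption: rule files the stock 2.8 ossec.conf always includes.
REQUIRED_INCLUDES = ("rules_config.xml", "local_rules.xml")


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML on its own, so wrap them in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def check_rules_section(text: str) -> list[str]:
    """Return a list of problems; an empty list means the rule set is loadable."""
    root = parse_ossec_conf(text)
    problems = []
    rules_blocks = root.findall("./ossec_config/rules")
    if not rules_blocks:
        problems.append("no <rules> section: ossec-analysisd will load zero rules")
        return problems
    includes = [inc.text.strip()
                for blk in rules_blocks
                for inc in blk.findall("include")
                if inc.text and inc.text.strip()]
    if not includes:
        problems.append("<rules> section has no <include> entries")
        return problems
    for name in REQUIRED_INCLUDES:
        if name not in includes:
            problems.append(f"{name} is not included under <rules>")
    return problems


# Trimmed copy of the configuration posted in the first message (no <rules>).
POSTED_CONF = """<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <global>
    <email_notification>yes</email_notification>
  </global>
</ossec_config>
"""

# Constructed repair: the same config with a <rules> section, using a few
# of the include entries found in the stock 2.8 ossec.conf.
REPAIRED_CONF = POSTED_CONF.replace(
    "</ossec_config>",
    """  <rules>
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>""")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("repaired", REPAIRED_CONF)):
        print(label, "->", check_rules_section(conf) or ["ok"])
```

Pointing this at /var/ossec/etc/ossec.conf before a restart gives a clear "no <rules> section" message instead of the daemon's generic exit line, and it complements, rather than replaces, the daemon's own configuration test (ossec-analysisd -t). The synthetic root is there because OSSEC accepts more than one <ossec_config> block in the file, and a <rules> section in a later block is just as valid as one in the first.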