ossec.conf error when starting Wazuh


Sidney Guidry

Jul 12, 2023, 11:38:22 AM
to Wazuh mailing list
Hello,

Currently having an issue with starting Wazuh. I made changes to the ossec.conf file, started to see the error, and reverted the changes. The error still persists.

Error : wazuh-analysisd: CRITICAL: (1226): Error reading XML file 'etc/ossec.conf':  (line 0).

I have checked the permissions as well, and everything looks to still be set to the default and hasn't been changed.

Daniel Sappa

Jul 12, 2023, 12:44:08 PM
to Wazuh mailing list
Hi Sidney!
This type of error is generally due to the wrong file format, even more so if, as you say, you have made modifications.

Please share the ossec.conf, after first deleting any data that you consider private.

Sidney Guidry

Jul 12, 2023, 12:50:14 PM
to Wazuh mailing list
Hello Daniel,

Attached is the ossec.conf
ossec.txt

Daniel Sappa

Jul 12, 2023, 1:58:28 PM
to Wazuh mailing list
Configuration added to the end of the file, from line 365 onwards, must be part of a single
<ossec_config>
...
</ossec_config>.

You can see other localfile settings at line 295, for example.

Anyway, you can add this new configuration anywhere as long as there is a single <ossec_config> tag.

Sidney Guidry

Jul 12, 2023, 2:41:17 PM
to Wazuh mailing list
So I didn't add that configuration. But I did move it up so there is only one <ossec_config> and the closing </ossec_config>.

It is still giving the same error.

Daniel Sappa

Jul 12, 2023, 4:41:01 PM
to Wazuh mailing list
What is the command you are running?

Are you running it as root?

Run the following command, assuming wazuh-analysisd is not running:

# /var/ossec/bin/wazuh-analysisd -t

Tell me what it shows.
Also, please send me the ossec.log file.

Sidney Guidry

Jul 12, 2023, 5:05:58 PM
to Wazuh mailing list
I am using systemd start wazuh-manager.

Here is the output for the command; it is the same.


wazuh-analysisd: CRITICAL: (1226): Error reading XML file 'etc/ossec.conf':  (line 0).

Daniel Sappa

Jul 13, 2023, 8:03:40 AM
to Wazuh mailing list
Hi again Sidney

This behavior is caused by wazuh-analysisd not being able to find the ossec.conf file.

The reasons for this are mainly permissions on the file or on one of the folders where the file is located.
This file should be located, by default, in /var/ossec/etc/ossec.conf and have read permissions for root and group.

One test you can do is copy the ossec.conf file to another location, e.g. to $HOME, and from there run:

# chmod 666 ~/ossec.conf
# /var/ossec/bin/wazuh-analysisd -t -c ~/ossec.conf

The error message shouldn't be shown.
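
A check for the permission cause described in the message above, added here as an example and not part of the original thread or of Wazuh: it walks each folder from a base directory down to ossec.conf and reports where owner or group lacks the search or read bit. The function names and the `base` parameter are assumptions of this example.

```python
import os
import stat
import sys


def path_chain(path, base="/"):
    """Return base, every directory below it, and finally the file itself."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    rel = os.path.relpath(path, base)
    if rel in (".", os.pardir) or rel.startswith(os.pardir + os.sep):
        raise ValueError(f"{path} is not below {base}")
    chain = [base]
    for part in rel.split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    return chain


def check_config_path(path, base="/"):
    """List (component, problem) pairs that keep owner or group from reading path.

    Only classic mode bits are inspected; ACLs and SELinux labels are not.
    """
    problems = []
    for comp in path_chain(path, base):
        try:
            mode = os.stat(comp).st_mode
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc.strerror}"))
            break  # nothing below this component can be examined
        if stat.S_ISDIR(mode):
            # A directory must be searchable (x) to reach anything inside it.
            needed, what = stat.S_IXUSR | stat.S_IXGRP, "search (x)"
        else:
            needed, what = stat.S_IRUSR | stat.S_IRGRP, "read (r)"
        missing = needed & ~mode
        if missing:
            who = [name for name, bits in (("owner", stat.S_IRWXU),
                                           ("group", stat.S_IRWXG)) if missing & bits]
            problems.append((comp, f"{what} missing for {' and '.join(who)} "
                                   f"(mode {stat.S_IMODE(mode):04o})"))
    return problems


if __name__ == "__main__":
    # Default is the location given in the thread; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    found = check_config_path(target)
    for comp, problem in found:
        print(f"{comp}: {problem}")
    sys.exit(1 if found else 0)
```

An empty result means the mode bits along the path are not the cause, which leaves file ownership, ACLs or SELinux to check by other means.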

Marcelo Osako

Jul 15, 2024, 2:36:29 AM
to Wazuh | Mailing List
I have the same problem and have not been able to solve it. I have already fixed the permissions and checked the XML, and nothing wrong was found. This started happening after an update I did on the server.