Can you show me your /etc/ossec-init.conf file? To fix the permission, just do a:

# chgrp ossec /var/ossec/etc/shared/ar.conf

*btw, Are you using the snapshot? I thought I had fixed this permission issue...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/15/06, Administrador Rede <[EMAIL PROTECTED]> wrote:
Hi Daniel,

Ok, I'll fix my iptables rules. Sorry, but I don't know how to use netcat to test communication. How can I do this?

About ar.conf permissions:

dr-xr-x--- 2 root ossec 4.0K 2006-09-14 14:31 shared/
-r--r----- 1 root root 76 2006-09-14 16:20 ar.conf

Is root.ossec the correct one? If yes, the process that creates it needs to be corrected, because if I delete this file, it is created automatically with the permissions shown above.

Many thanks again,

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Amauri Tiago Marx
Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
Universidade do Oeste de Santa Catarina, Unoesc
Campus de São Miguel do Oeste
www.unoescsmo.edu.br
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 14, 2006 10:20 PM
Subject: [ossec-list] Re: Other problems

> Hi Amauri,
>
> First off, for your iptables rule, do not open it for everyone. Just for
> the specific IPs that you need. Second, make sure that the agent firewall
> allows outbound traffic to port 1514 and them to come back. To test it,
> just run a netcat from the agent to the server on port 1514 and see if it
> can get to it (you should see on the server a message about unable to
> decrypt or invalid format).
>
> Now, for your second problem, since ossec runs on chroot, when it says
> "/etc/shared/ar.conf", it is actually looking at
> /var/ossec/etc/shared.ar.conf...
> Can you show us the permissions of /var/ossec/etc and
> /var/ossec/etc/shared ?
> Looks like remoted does not have permission to access it...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>> 2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
>
> On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:
>>
>> Hi Daniel,
>>
>> Yes, I installed the latest snapshot on the server before the agents.
>> On the ossec server, I have this rule on the firewall:
>> iptables -A INPUT -p udp --dport 1514 --sport 1024:65535 -j ACCEPT
>> Is anything more needed?
>>
>> For the problem related to ar.conf, I'm confused. See the error logs:
>> 2006/09/14 14:53:30 ossec-syscheckd: Started (pid: 24459).
>> 2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
>> 2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
>> 2006/09/14 14:53:33 ossec-logcollector: Started (pid: 24445).
>> 2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
>>
>> I think that I have the same problem as in my last question.. the file
>> /etc/shared/ar.conf doesn't exist, only /var/ossec/etc/shared/ar.conf
>> exists (this file is created automatically when I start the ossec server).
>>
>> Many thanks, best regards,
>>
>> Amauri Tiago Marx
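
The chroot path mapping and the group-ownership fix discussed in this thread can be checked in one pass. The script below is an added example, not part of the original messages and not OSSEC's own code; the helper name check_chroot_read is hypothetical, and it assumes GNU stat plus the /var/ossec base and ossec group mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: GNU stat (stat -c);
# chroot base /var/ossec and group "ossec" as discussed in the thread;
# check_chroot_read is a hypothetical helper name.
#
# check_chroot_read CHROOT_BASE PATH_INSIDE_CHROOT GROUP
# Maps a path as the chrooted daemon logs it onto the real filesystem and
# checks every component below the base: directories must belong to GROUP
# with g+x, the file must belong to GROUP with g+r. This is a strict policy
# check on the group class only; owner and "other" bits are ignored.
# Returns 0 if all pass, 1 on a failed check, 2 if a component is missing.
check_chroot_read() {
    base=${1%/}; inner=$2; grp=$3
    rc=0; cur=$base
    old_ifs=$IFS; IFS=/
    set -f; set -- $inner; set +f   # split the in-chroot path into components
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then
            echo "MISSING $cur"
            return 2
        fi
        if [ -d "$cur" ]; then need=1; else need=4; fi   # dir: g+x, file: g+r
        owner_grp=$(stat -c %G "$cur")
        mode=$(stat -c %a "$cur")
        gbits=${mode%?}                # drop the "other" digit
        gbits=${gbits#"${gbits%?}"}    # keep only the group digit
        gbits=${gbits:-0}
        if [ "$owner_grp" = "$grp" ] && [ $(( gbits & need )) -ne 0 ]; then
            echo "OK      $cur ($owner_grp, mode $mode)"
        else
            echo "FAIL    $cur ($owner_grp, mode $mode): want group $grp"
            rc=1
        fi
    done
    return $rc
}

# Run as: sh check.sh /var/ossec /etc/shared/ar.conf ossec
if [ "$#" -eq 3 ]; then
    check_chroot_read "$@"
fi
```

With the listing quoted in the thread (shared/ as root:ossec mode 550, ar.conf as root:root mode 440), the directory line passes and the ar.conf line fails until the chgrp is applied.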
