So it looks like the user ossec and group ossec where deleted. I can see in syslog where it says that userdel was used to delete user 'ossec'
I am not sure what did it. It had to be some script. Is there a way for me to find out what did it? I am the only person who manages this server. The syslog entry looks like this: Dec 4 23:48:53 system userdel[2558]: delete user 'ossec' I'm not sure how to tie that event to a process or script that may have done it. Thanks! Victor Pineiro Sent from my iPad On Dec 8, 2011, at 6:28 AM, "dan (ddp)" <ddp...@gmail.com> wrote: > What happened to your ossec group? > > On Dec 8, 2011 6:02 AM, "PS" <packetst...@gmail.com> wrote: > Hello list, > > I am seeing error 1203 when attempting to run any of the scripts from the > "/var/ossec/bin" folder. > > I have looked around for a fix and have not been able to find one. I have > seen that a couple of other people have had the same issue. When I first > installed it, I was able to start the agent and it was sending events to the > server. I just happened to look at the server and noticed that the agent was > disconnected. Nothing has changed since installation. Any clues? > > [root@system bin]# ./ossec-control start > Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)... > 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group > 'ossec' given. > > [root@system bin]# ./manage_agents -l > 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group > 'ossec' given. > > -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth > -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents > -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd > -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control > -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd > -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector > -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
