Hi everyone, I'm trying to enable log forwarding from the ossec server to syslog by enabling the client-syslog option from the ossec-control script. Running ossec-control start shows that ossec-csyslogd is started, but after that, on running ossec-control status, ossec-csyslogd dies. When debug is enabled everything works as it should and syslog receives messages. Ossec server 2.7, OS RHEL5.9 i386, selinux disabled. Does anyone have any idea where the problem could be?

[root@~ bin]# ./ossec-control enable client-syslog
[root@~ bin]# ./ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
ossec-execd not running ..
ossec-csyslogd not running ..
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-csyslogd...
2013/02/18 14:14:25 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@~ bin]# ./ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd not running...
ossec-csyslogd: Process 6678 not used by ossec, removing ..
ossec-csyslogd not running...

ossec.log contains only one record about ossec-csyslogd, otherwise it's clean.

2013/02/18 14:14:25 ossec-csyslogd: INFO: Started (pid: 6678).

[root@~ bin]# ./ossec-control enable debug
[root@~ bin]# ./ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
ossec-execd not running ..
ossec-csyslogd not running ..
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
Started ossec-csyslogd...
2013/02/18 14:15:41 ossec-maild: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Found user/group ...
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Active response initialized ...
2013/02/18 14:15:41 adding rule: ...... [adding all rules]
2013/02/18 14:15:41 ossec-analysisd: DEBUG: Read configuration ...
Started ossec-analysisd...
2013/02/18 14:15:41 ossec-logcollector: DEBUG: Starting ...
Started ossec-logcollector...
2013/02/18 14:15:41 ossec-remoted: DEBUG: Starting ...
Started ossec-remoted...
2013/02/18 14:15:41 ossec-rootcheck: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-rootcheck: Starting queue ...
2013/02/18 14:15:42 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '110592'.
Started ossec-syscheckd...
2013/02/18 14:15:42 ossec-monitord: DEBUG: Starting ...
Started ossec-monitord...
Completed.
[root@~ bin]# ./ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd not running...
ossec-csyslogd is running...

ossec.log shows a bit more info now:

2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
2013/02/18 14:15:41 ossec-csyslogd: INFO: Chrooted to directory: /usr2/ossec, using user: ossecm
2013/02/18 14:15:41 ossec-csyslogd: INFO: Started (pid: 6883).
2013/02/18 14:15:41 ossec-csyslogd: INFO: File queue connected.
2013/02/18 14:15:41 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '[syslog servr ip]:514'.

After disabling debug, the process dies again on a status query.