On Fri, Jun 21, 2013 at 1:06 PM, David Blanton <[email protected]> wrote:
> Here it is from the ossec.log:
>
>
> 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> 2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_files file: '/var/ossec/etc/shared/rootkit_files.txt'
> 2013/06/21 11:15:01 ossec-rootcheck: No rootcheck_trojans file: '/var/ossec/etc/shared/rootkit_trojans.txt'
> 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/system_audit_rcl.txt'
> 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_debian_linux_rcl.txt'
> 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel_linux_rcl.txt'
> 2013/06/21 11:15:05 ossec-rootcheck: No unixaudit file: '/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt'
>

There's another thread about these issues on the list, you might want to check it out.

> I have OSSEC installed in /opt/ossec but it is trying to read it from /var/ossec. How do I change that?
>

Did you just move the files to /opt/ossec? Or did you set that when you ran install.sh?

> And another one is...
>
> 2013/06/21 12:17:15 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> 2013/06/21 12:17:21 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> 2013/06/21 12:17:25 ossec-remoted(1213): WARN: Message from 172.16.63.206 not allowed.
> "
> Funny thing is, I deleted # rm -rf /opt/ossec from that client's machine (it was just a test agent).
> Now I'm not sure why it's still going/trying to communicate. I hashtagged the IP in the client.keys as well.
>

Did you stop the ossec processes on that system?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
