Check the permissions on the folders created during the agent install. I bet QUEUE is set to "root" instead of "ossec" owner -- change it and things should be happy. I need to report this - but there are some definite problems during agent (and server) installs for permissions (2.7, have not verified in 2.7.1)
~J

On Wednesday, August 14, 2013 1:07:56 PM UTC-7, Jared wrote:
>
> Okay, so getting lots of errors in ossec.log:
>
> 2013/08/14 19:37:36 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/08/14 19:41:56 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/14 19:41:58 ossec-logcollector(1224): ERROR: Error sending message to queue.
> 2013/08/14 19:41:59 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/14 19:41:59 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2013/08/14 19:42:01 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/14 19:42:01 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/08/14 19:46:06 ossec-monitord(1224): ERROR: Error sending message to queue.
>
> With the attached agent.conf applied. When I remove the agent.conf file and restart the ossec server, all the agents reconnect and all is well. I am guessing... that I have an error in the logic on this file. I have confirmed that on each agent server, the correct files are being parsed per each <config-profile></config-profile> statement in the local ossec.conf. Here is an example:
>
> <config-profile>D2C-NAT</config-profile>
>
> Would really like to understand what I am missing. Again, I really appreciate all of the help on this and other posts!!!
>
> On Wednesday, July 17, 2013 10:44:26 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Jul 17, 2013 10:06 AM, "Jared" <[email protected]> wrote:
>> >
>> > Sorry to open an old thread, but I have a related question.
>> >
>> > Is there any way to tell a host that it is a web or db server through the push of the agent.conf? Or is it a requirement to update the ossec.conf on every server to tell it what group it is a member of?
>> >
>>
>> No idea, I'll have to try it and find out.
>>
>> > Thank you,
>> >
>> > Jared
>> >
>> > On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jun 24, 2013 at 1:15 PM, Jared <[email protected]> wrote:
>> >> > Question:
>> >> >
>> >> > How are "Profiles" associated with clients / agents?
>> >> >
>> >> > Scenario:
>> >> >
>> >> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
>> >> >
>> >> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
>> >> >
>> >> > I would like to have a profile for each server type so that I no longer see the following errors:
>> >> >
>> >> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>> >> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>> >> >
>> >> > For Windows servers that do not have Tomcat for example?
>> >> >
>> >> > Based on the following from the web documentation from http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
>> >> >
>> >> > profile
>> >> > This option to agent_config allows you to assign a profile name to the block. Any agent may use this block if it is configured to use the defined profile.
>> >> >
>> >> > Example: <agent_config profile="webservers">
>> >> >
>> >> > How do I tell Agent 002 that it should be associated with "LinuxWebs"
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >
>> >> > How do I tell Agent 002 that it should be subordinate to "WinWebs"
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >
>> >> > In the following config:
>> >> >
>> >> > <agent_config profile="LinuxWebs">
>> >> >   <localfile>
>> >> >     <location>/var/log/secure</location>
>> >> >     <log_format>syslog</log_format>
>> >> >   </localfile>
>> >> >
>> >> > </agent_config>
>> >> >
>> >> > Thanks for all of the posts and info? Very helpful list!!
>> >> >
>> >> > Jared
>> >> >
>> >>
>> >> In the agent's ossec.conf add a <config-profile> entry to the <client> section. Example:
>> >>
>> >> <ossec_config>
>> >>   <client>
>> >>     <server-ip>192.168.17.9</server-ip>
>> >>     <config-profile>openbsd-firewall,openbsd-test</config-profile>
>> >>   </client>
>> >> </ossec_config>
>> >>
>> >> The above agent is a member of the openbsd-firewall and openbsd-test profiles in agent.conf.
>> >>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
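
A cross-check of the comma-separated `<config-profile>` names in an agent's ossec.conf against the `profile=` blocks in the manager's agent.conf, as an added example that is not part of the original thread or of OSSEC itself. The sample configs are constructed; exact, case-sensitive name matching, one name per `profile=` attribute, and files that parse as well-formed XML are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the thread's attachment): agent ossec.conf, manager agent.conf.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>192.168.17.9</server-ip>
    <config-profile>D2C-NAT, LinuxWebs,openbsd-test</config-profile>
  </client>
</ossec_config>
"""
SAMPLE_AGENT_CONF = """
<agent_config profile="LinuxWebs">
  <localfile><location>/var/log/secure</location><log_format>syslog</log_format></localfile>
</agent_config>
<agent_config profile="d2c-nat">
  <localfile><location>/var/log/messages</location><log_format>syslog</log_format></localfile>
</agent_config>
"""

def parse(text, label):
    # agent.conf can hold several top-level blocks, so wrap it in a synthetic root.
    try:
        return ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        raise ValueError(f"{label} is not well-formed XML: {exc}") from exc

def claimed_profiles(ossec_conf):
    root = parse(ossec_conf, "ossec.conf")
    return [name.strip() for node in root.iter("config-profile")
            for name in (node.text or "").split(",") if name.strip()]

def defined_profiles(agent_conf):
    # Assumption: each profile= attribute carries a single profile name.
    root = parse(agent_conf, "agent.conf")
    return {b.get("profile").strip() for b in root.iter("agent_config") if b.get("profile")}

def audit_profiles(ossec_conf, agent_conf):
    # Assumption: names must match exactly; case-only differences are reported separately.
    defined = defined_profiles(agent_conf)
    folded = {d.lower() for d in defined}
    report = {"matched": [], "case_mismatch": [], "missing": []}
    for name in claimed_profiles(ossec_conf):
        key = "matched" if name in defined else "case_mismatch" if name.lower() in folded else "missing"
        report[key].append(name)
    return report

if __name__ == "__main__":
    print(audit_profiles(SAMPLE_OSSEC_CONF, SAMPLE_AGENT_CONF))
```

A `ValueError` from `parse` points to a syntax problem in the file itself, for example typographic quotes around an attribute value pasted from rendered documentation.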
