Hi, for me ossec-logtest also shows a lot of output, but it does start. I think the issue is that you register your rules to every rule with level 2, so you generate a lot of children. That's why analysisd starts slow and the queue is not ready when the other processes expected it to be.
Best regards

On 5 Aug 2014 16:45, "Tim Boyer" <[email protected]> wrote:
>
> On Tuesday, August 5, 2014 9:20:10 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Aug 5, 2014 at 8:54 AM, Tim Boyer <[email protected]> wrote:
>> >
>> > On Tuesday, August 5, 2014 7:40:10 AM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Aug 4, 2014 at 8:05 PM, Tim Boyer <[email protected]> wrote:
>> >> >
>> >> > On Monday, August 4, 2014 11:18:26 AM UTC-4, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Aug 4, 2014 at 10:56 AM, Tim Boyer <[email protected]> wrote:
>> >> >> >
>> >> >> > On Monday, August 4, 2014 9:30:26 AM UTC-4, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> Is there anything useful in ossec.log related to this? Can you
>> >> >> >> reproduce this on a recent version of OSSEC?
>> >> >> >
>> >> >> > Nothing helpful. Only difference between this startup and a normal
>> >> >> > startup is
>> >> >> >
>> >> >> > 2014/08/04 10:51:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> >> > 2014/08/04 10:51:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> >>
>> >> >> Nothing before this? These are a symptom of a failure somewhere.
>> >> >>
>> >> >> I just tried adding 30ish rules with srcip and didn't have any issues.
>> >> >> I'm running post 2.8, and I don't have your exact setup, so this may
>> >> >> prove nothing.
>> >> >>
>> >> >> > Looks like it's time to move to 2.8. Let me see what it will take.
>> >> >> > Thanks...
>> >> >
>> >> > Dang. Spoke too soon. It worked only because ossec.conf got overwritten
>> >> > during the upgrade, and didn't include local_nessus_rules.xml in the rule
>> >> > list. Put it in, and same problem.
>> >> >
>> >> > Next step: save everything; completely remove ossec; install 2.8 fresh.
>> >> > Same problem.
>> >> >
>> >> > I suspect a timing problem. log says:
>> >> >
>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507).
>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508).
>> >> > 2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured.
>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml'
>> >> >
>> >> > and I think that analysisd is still reading while other things are starting.
>> >> > But no idea how to prove or fix.
>> >>
>> >> I don't really know what that means.
>> >> Can you provide your ossec.conf and local_nessus_rules.xml?
>> >
>> > ossec.conf:
>> >
>>
>> Thank you. Putting the local_nessus_rules.xml file in place seems to make
>> ossec-logtest loop through the rules over and over.
>>
>> I get (from ossec-logtest -tvd):
>> LOTS OF OUTPUT
>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 8 : rule:105033, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105034, level 0, timeout: 0
>> 2014/08/05 09:13:17 10 : rule:105036, level 0, timeout: 0
>> 2014/08/05 09:13:17 11 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 8 : rule:105034, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 8 : rule:105036, level 0, timeout: 0
>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 8 : rule:105038, level 0, timeout: 0
>> 2014/08/05 09:13:17 7 : rule:105032, level 0, timeout: 0
>>
>> I'm not sure where to start with this off hand, but that's where it's at
>> so far.
>
> Hey, I'm just overjoyed that it's not something obviously stupid I'm
> doing. :)
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
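One way to check the diagnosis given at the top of this reply, as an added example that is not code from the thread or from OSSEC: the script below parses a base rule file and a local rule file (both constructed samples) and counts how many parents each custom rule attaches to, assuming the local rules hook parents with `<if_level>2</if_level>`, which is what "register your rules to every rule with level 2" describes. Rules listing explicit `<if_sid>` ids are counted alongside for comparison.

```python
"""Count how many parents each custom OSSEC rule attaches to.

Added example, not code from the thread or from OSSEC. It assumes the local
rules hook parents with <if_level>2</if_level>, which makes each of them a
child of every rule at that level, whereas <if_sid> attaches only to the
listed ids. Both sample rule files below are constructed.
"""
import xml.etree.ElementTree as ET
BASE_RULES = """
<group name="syslog,">
  <rule id="1002" level="2"><match>bad words</match></rule>
  <rule id="2501" level="2"><match>authentication failure</match></rule>
  <rule id="2502" level="2"><match>session opened</match></rule>
  <rule id="5700" level="0"><decoded_as>sshd</decoded_as></rule>
</group>
"""
LOCAL_RULES = """
<group name="local,">
  <rule id="105032" level="0"><if_level>2</if_level><match>nessus</match></rule>
  <rule id="105033" level="0"><if_sid>1002, 2501</if_sid><match>scan</match></rule>
</group>
"""

def parse_rules(*xml_docs):
    # Rule files may hold several top-level <group> elements: wrap in a root.
    rules = []
    for doc in xml_docs:
        root = ET.fromstring("<rules>" + doc + "</rules>")
        for r in root.iter("rule"):
            sids = ",".join(e.text or "" for e in r.findall("if_sid"))
            rules.append({
                "id": r.get("id"),
                "level": int(r.get("level", "0")),
                "if_level": [int(e.text) for e in r.findall("if_level")],
                "if_sid": [s.strip() for s in sids.split(",") if s.strip()],
            })
    return rules

def parent_fanout(rules):
    # Map each rule that declares parents to the number of parents it gets.
    fanout = {}
    for child in rules:
        if not child["if_level"] and not child["if_sid"]:
            continue
        fanout[child["id"]] = sum(1 for cand in rules if cand is not child and
            (cand["level"] in child["if_level"] or cand["id"] in child["if_sid"]))
    return fanout

def wide_hooks(fanout, max_parents=2):
    # Rule ids with more parents than an explicit <if_sid> list would hold.
    return sorted(cid for cid, n in fanout.items() if n > max_parents)
```

Run against the real rule files (the full OSSEC rule set has far more than three level-2 rules), the `if_level` rules are the ones that show up in `wide_hooks`, and rewriting them to `if_sid` with the specific parent ids keeps the tree analysisd builds small.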
