On Thu, Nov 6, 2014 at 6:44 AM, Chris H <chris.hemb...@gmail.com> wrote:
> Has anyone got Hybrid working?
>

I have agents that work and I have managers that work. So basically yes.
What distro/version are you using?
Can you try strace to see if that gives you more information on what's going on?
Looking at the code, I think better information should be logged,
maybe try turning on debug?

> according to lsof, nothing else seems to be accessing the files at the time
> that the agent stops processing them.
>
> I've figured out why it's looking at additional files/directories, it's
> pulled in the shared agent config; I'd forgotten I'd configured that :)
>
>
>
> On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
>>
>> Hi. I've set selinux to Permissive, no difference.  It sends some logs
>> out, in the 2 minutes before it stops processing the file.
>>
>> Thanks.
>>
>> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>>>
>>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H <chris....@gmail.com> wrote:
>>> > Hi.  I'm trying to get a hybrid server working, and seeing some odd
>>> > behaviour.  I'm running 2.8.1.
>>> >
>>> > When the agent component starts, the logs state:
>>> >
>>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
>>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
>>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
>>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
>>> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
>>> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>>> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
>>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
>>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
>>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
>>> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
>>> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
>>> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
>>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>> >
>>> > I don't know why it's monitoring most of those, as the ossec.conf for the
>>> > agent only specifies '/logs/ossec/logs/alerts/alerts.log'.  A couple of
>>> > minutes later, it stops parsing the alerts.log, with:
>>> >
>>> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
>>> >
>>> > Any idea why it's stopping parsing the log file?  I do have logstash
>>> > consuming the logs too, and thought it might be that, but it happens even if
>>> > I disable logstash.  It's happening almost exactly 2 minutes after the
>>> > process starts.  I've tried setting the permissions on the log file to 644,
>>> > too, but that makes no difference.
>>> >
>>>
>>> Is SELinux or something blocking access to it?
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an
>>> > email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>
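An added example, not code from the thread or from OSSEC: a small parser for ossec.log lines of the shape quoted above that pairs each logcollector "Analyzing file" line with a later "File not available, ignoring it" line for the same path and reports the elapsed seconds, and lists monitored files that are not in the set you believe the local ossec.conf configures (the shared agent.conf case Chris ran into). The sample log is constructed from the quoted lines; the `ossec-logcollector` daemon name and the two message formats are taken from the thread, everything else is assumed.

```python
import re
from datetime import datetime

# Shape of the ossec.log lines quoted in the thread, e.g.
#   2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
# The numeric code in parentheses is optional (the "Started (pid: ...)" line has none).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
ANALYZING_RE = re.compile(r"Analyzing file: '(?P<path>[^']+)'\.")
DROPPED_RE = re.compile(r"File not available, ignoring it: '(?P<path>[^']+)'\.")


def parse_line(line):
    """Split one ossec.log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def track_logcollector(lines):
    """Return {path: {"started": dt, "dropped": dt or None, "seconds": float or None}}
    for every file ossec-logcollector opened, with the delay until it gave up on it."""
    state = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["daemon"] != "ossec-logcollector":
            continue
        m = ANALYZING_RE.search(rec["msg"])
        if m:
            state[m["path"]] = {"started": rec["ts"], "dropped": None, "seconds": None}
            continue
        m = DROPPED_RE.search(rec["msg"])
        if m:
            entry = state.setdefault(m["path"], {"started": None, "dropped": None, "seconds": None})
            entry["dropped"] = rec["ts"]
            if entry["started"] is not None:
                entry["seconds"] = (rec["ts"] - entry["started"]).total_seconds()
    return state


def unexpected_files(state, configured):
    """Files the collector opened that are not in the list you expected from the local
    ossec.conf: in the thread these came from the shared agent config."""
    return sorted(set(state) - set(configured))


def dropped_files(state):
    """(path, seconds_until_dropped) for every file the collector stopped reading."""
    return sorted((p, e["seconds"]) for p, e in state.items() if e["dropped"] is not None)


# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
"""

if __name__ == "__main__":
    st = track_logcollector(SAMPLE_LOG.splitlines())
    for path, secs in dropped_files(st):
        print(f"dropped after {secs:.0f}s: {path}")
    for path in unexpected_files(st, ["/logs/ossec/logs/alerts/alerts.log"]):
        print(f"not in local ossec.conf: {path}")
```

Run against a real /var/ossec/logs/ossec.log the same way (read the file instead of SAMPLE_LOG); a consistent delay on the dropped file, as in the 130 s the sample reproduces, is the thing to line up against an strace of the logcollector process, which is the next step dan suggests.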