There is no interesting output on "agent_control -r -a"

Here is my standard syscheck config section:

  <syscheck>
    <frequency>14400</frequency>
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>

    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/prelink.cache</ignore>
  </syscheck>

On Tue, Mar 10, 2015 at 9:37 PM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:

> Any output when running "agent_control -r -a"?
>
> Could you share your syscheck config?
>
> Best
>
>
> On Tue, Mar 10, 2015 at 6:48 PM, Cagri Ersen <cagri.er...@gmail.com>
> wrote:
>
>> No, it's not related to inodes. There are tons of free inodes on the system.
>>
>>
>> On Tuesday, March 10, 2015 at 3:36:59 PM UTC+2, Santiago Bassett wrote:
>>>
>>> Check if you have any available inodes. You can do that with "df -i"
>>>
>>>
>>>
>>> On Tue, Mar 10, 2015 at 1:14 AM, Cagri Ersen <cagri...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a weird problem with ossec-remoted and logcollector daemons.
>>>> When I start the ossec services as normal, everything seems to be OK, all
>>>> services run properly like below and there is nothing wrong in the logs.
>>>>
>>>> ossec-monitord is running...
>>>> ossec-logcollector is running...
>>>> ossec-remoted is running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild is running...
>>>> ossec-execd not running...
>>>>
>>>> Although all agents seem to be connected to the server, ossec doesn't work
>>>> properly; it sometimes generates alerts and sometimes doesn't. I tried to test
>>>> it many times by creating a user or generating a syslog message with a
>>>> $badwords (core_dumped etc.) from the agent, which should fire an alert
>>>> on the ossec server.
>>>>
>>>> When I enable debug mode to inspect the problem, then remoted and
>>>> logcollector services don't start properly and I get following error
>>>> messages:
>>>>
>>>> # /var/ossec/bin/ossec-control enable debug
>>>> # /var/ossec/bin/ossec-control restart
>>>> ...
>>>> 2015/03/10 01:53:32 ossec-rootcheck: Starting queue ...
>>>> 2015/03/10 01:53:35 ossec-syscheckd(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2015/03/10 01:53:35 ossec-rootcheck(1210): ERROR: Queue
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2015/03/10 01:53:43 ossec-syscheckd: INFO: (unix_domain) Maximum send
>>>> buffer set to: '65536'.
>>>> Started ossec-syscheckd...
>>>> 2015/03/10 01:53:43 ossec-monitord: DEBUG: Starting ...
>>>> Started ossec-monitord...
>>>> Completed.
>>>>
>>>> -----
>>>>
>>>> ossec-monitord is running...
>>>> ossec-logcollector not running...
>>>> ossec-remoted not running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild is running...
>>>>
>>>> But this happens only if debug mode is enabled. When I disable it, all
>>>> services run again normally (at least it seems) and ossec-remoted starts
>>>> to listen on 1514.
>>>>
>>>> I've read the troubleshooting section of the document and checked
>>>> the server but I couldn't find any misconfiguration or wrong permissions, so I
>>>> don't have any idea what's wrong with it...
>>>>
>>>> Can you guys please help me?
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>



-- 
Cagri Ersen
http://www.syslogs.org
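
Added example (not part of the original message, and not OSSEC code): a small probe showing what the `'Connection refused'` error on `/var/ossec/queue/ossec/queue` in the quoted log means at the socket level, namely that the socket file exists but no process is currently bound to it. It assumes the queue is a Unix datagram socket; `probe_queue` and its return strings are hypothetical names.

```python
import errno
import os
import socket
import stat

# Path taken from the error lines in the quoted log.
OSSEC_QUEUE = "/var/ossec/queue/ossec/queue"


def probe_queue(path=OSSEC_QUEUE):
    """Classify the state of a Unix datagram queue socket without sending data.

    Returns one of: "missing", "permission-denied", "not-a-socket",
    "no-listener", "wrong-socket-type", "ok".
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"              # socket file was never created or was removed
    except PermissionError:
        return "permission-denied"    # caller cannot traverse the queue directory

    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"         # something else is sitting at the queue path

    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # connect() on a datagram socket only resolves the peer; nothing is sent.
        s.connect(path)
    except ConnectionRefusedError:
        # File exists but no process has it bound: the reader daemon is not
        # running yet, or it exited and left a stale socket file behind.
        return "no-listener"
    except PermissionError:
        return "permission-denied"    # socket mode/ownership blocks this user
    except OSError as e:
        if e.errno == errno.EPROTOTYPE:
            return "wrong-socket-type"  # assumption (datagram) does not hold
        raise
    finally:
        s.close()
    return "ok"


if __name__ == "__main__":
    print(OSSEC_QUEUE, "->", probe_queue())
```

Run it as a user allowed to write to the queue while the services are starting; `no-listener` matches the `Connection refused` lines in the log.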
