There is no interesting output on "agent_control -r -a".

Here is my standard syscheck config section:
<syscheck>
  <frequency>14400</frequency>
  <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
  <ignore>/etc/random-seed</ignore>
  <ignore>/etc/adjtime</ignore>
  <ignore>/etc/httpd/logs</ignore>
  <ignore>/etc/utmpx</ignore>
  <ignore>/etc/wtmpx</ignore>
  <ignore>/etc/cups/certs</ignore>
  <ignore>/etc/dumpdates</ignore>
  <ignore>/etc/svc/volatile</ignore>
  <ignore>/etc/prelink.cache</ignore>
</syscheck>

On Tue, Mar 10, 2015 at 9:37 PM, Santiago Bassett <santiago.bass...@gmail.com> wrote:

> Any output when running "agent_control -r -a"
>
> Could you share your syscheck config?
>
> Best
>
> On Tue, Mar 10, 2015 at 6:48 PM, Cagri Ersen <cagri.er...@gmail.com> wrote:
>
>> No, it's not related to inodes. There are tons of free inodes on the system.
>>
>> On Tuesday, March 10, 2015 at 3:36:59 PM UTC+2, Santiago Bassett wrote:
>>>
>>> Check if you have any available Inode. You can do that with "df -i"
>>>
>>> On Tue, Mar 10, 2015 at 1:14 AM, Cagri Ersen <cagri...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a weird problem with the ossec-remoted and logcollector daemons.
>>>> When I start the ossec services normally, everything seems to be OK: all
>>>> services run properly like below and there is nothing wrong in the logs.
>>>>
>>>> ossec-monitord is running...
>>>> ossec-logcollector is running...
>>>> ossec-remoted is running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild is running...
>>>> ossec-execd not running...
>>>>
>>>> Although all agents seem to be connected to the server, ossec doesn't work
>>>> properly; it sometimes generates alerts and sometimes doesn't. I tried to
>>>> test it many times by creating a user or generating a syslog message with
>>>> a $badwords (core_dumped etc.) from the agent, which should fire an alert
>>>> on the ossec server.
>>>>
>>>> When I enable debug mode to inspect the problem, the remoted and
>>>> logcollector services don't start properly and I get the following error
>>>> messages:
>>>>
>>>> # /var/ossec/bin/ossec-control enable debug
>>>> # /var/ossec/bin/ossec-control restart
>>>> ...
>>>> 2015/03/10 01:53:32 ossec-rootcheck: Starting queue ...
>>>> 2015/03/10 01:53:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2015/03/10 01:53:35 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2015/03/10 01:53:43 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '65536'.
>>>> Started ossec-syscheckd...
>>>> 2015/03/10 01:53:43 ossec-monitord: DEBUG: Starting ...
>>>> Started ossec-monitord...
>>>> Completed.
>>>>
>>>> -----
>>>>
>>>> ossec-monitord is running...
>>>> ossec-logcollector not running...
>>>> ossec-remoted not running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild is running...
>>>>
>>>> But this happens only if debug mode is enabled. When I disable it, all
>>>> services run again normally (at least it seems so) and ossec-remoted
>>>> starts to listen on 1514.
>>>>
>>>> I've read the troubleshooting section of the documentation and checked the
>>>> server, but I couldn't find any misconfiguration or wrong permissions, so
>>>> I don't have any idea what's wrong with it...
>>>>
>>>> Can you guys please help me?
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
-- 
Cagri Ersen
http://www.syslogs.org
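An added example, not part of the thread and not OSSEC project code: a small Python triage helper that parses the "ossec-control" status lines and the debug-mode log lines quoted in the original message, and reports which daemons are down and which queue sockets refused connections. The names triage, STATUS_RE and QUEUE_RE are hypothetical; the sample text is copied from the message.

```python
import re

# Sample input: status and log lines copied from the thread above.
SAMPLE = """\
2015/03/10 01:53:32 ossec-rootcheck: Starting queue ...
2015/03/10 01:53:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/03/10 01:53:35 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/03/10 01:53:43 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '65536'.
Started ossec-syscheckd...
ossec-monitord is running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd is running...
"""

# "ossec-<daemon> is running..." / "ossec-<daemon> not running..."
STATUS_RE = re.compile(r"^(ossec-\w+) (is running|not running)\.\.\.$")
# "<date> <time> <daemon>(<number>): ERROR: Queue '<path>' not accessible: '<reason>'."
QUEUE_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-\w+)(?:\(\d+\))?: ERROR: "
    r"Queue '([^']+)' not accessible: '([^']+)'"
)

def triage(text):
    """Return (stopped_daemons, queue_errors) from mixed console/log output."""
    stopped, queue_errors = [], []
    for raw in text.splitlines():
        # Strip mail quoting ("> >> ") so pasted thread text also parses.
        line = raw.lstrip("> ").strip()
        status = STATUS_RE.match(line)
        if status:
            if status.group(2) == "not running":
                stopped.append(status.group(1))
            continue
        err = QUEUE_RE.match(line)
        if err:
            # (timestamp, reporting daemon, socket path, OS error text)
            queue_errors.append(err.groups())
    return stopped, queue_errors

if __name__ == "__main__":
    stopped, errors = triage(SAMPLE)
    print("not running:", ", ".join(stopped) or "none")
    for ts, daemon, path, reason in errors:
        # "Connection refused" on a UNIX socket: the path exists but no
        # process is accepting on it when the daemon tries to connect.
        print(f"{ts} {daemon}: cannot reach {path} ({reason})")
```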