On Tue, Feb 23, 2016 at 11:57 AM, Rui Zhang <jackcha...@gmail.com> wrote:
> It is interesting that symlink works for ossec.conf under etc folder, but
> doesn't work for client.keys under etc folder for agent type.
>

It all depends on when the file is read. Perhaps ossec.conf is opened before the chroot?

> On Wednesday, February 17, 2016 at 10:13:46 AM UTC-8, Santiago Bassett wrote:
>>
>> Yes, if it is inside the jail then that should be ok. Also check that your
>> ossec.conf is configured to look for the rules where you want. As well,
>> symbolic links inside the jail should work.
>>
>> I hope that helps
>>
>> On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang <jackc...@gmail.com> wrote:
>>>
>>> Thank you, Santiago! Other than remounting a partition inside the jail,
>>> can we configure the folder for rules files? If we can configure the folder,
>>> would this also be inside the same jail too? I am thinking of configuring
>>> the rules folder to /opt/ossec/rules, but I guess it will be looking for
>>> rules under /var/ossec/opt/ossec/rules instead of /opt/ossec/rules.
>>>
>>> On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett wrote:
>>>>
>>>> This is because ossec-analysisd process runs in a chroot environment, so
>>>> it can't reach anything out of the jail (/var/ossec).
>>>>
>>>> In some scenarios, when really necessary, what we do is remount a
>>>> partition inside the jail (mount -o bind). I don't recommend this, but it is
>>>> a workaround that should work.
>>>>
>>>> Best
>>>>
>>>> On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang <jackc...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to use a symlink for local_rules.xml. Here is what I did
>>>>>
>>>>> cd /var/ossec/rules
>>>>> cp local_rules.xml /opt/ossec/rules
>>>>> mv local_rules.xml local_rules.xml.bak
>>>>> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>>>>>
>>>>> But I couldn't start OSSEC after this change and when I check the log
>>>>> file, it indicates that it couldn't read the XML file local_rules.xml.
>>>>>
>>>>> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not found. (line 88).
>>>>> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>>>> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>
>>>>> I checked the user/group and permission of those files, and they seem
>>>>> to be identical. So OSSEC won't take symlink for rules XML file?
>>>>>
>>>>> ll /opt/ossec/rules/local_rules.xml
>>>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 /opt/ossec/rules/local_rules.xml*
>>>>>
>>>>> ll local_rules.xml.bak
>>>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>>>>>
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
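As an added example (not code from the thread or from the OSSEC project), the following POSIX shell helper predicts what a process chrooted into /var/ossec will actually open when it follows a symlink, and reproduces the poster's layout in a constructed temporary root; the function names, the temp-root layout and the alternative "inside" link are assumptions.

```shell
#!/bin/sh
# Added example, not from the ossec-list thread: models what a chrooted
# daemon (ossec-analysisd jailed in /var/ossec) sees when it follows a
# symlink. The kernel resolves an absolute target against the process's
# root, so /opt/ossec/rules/x inside the jail becomes JAIL/opt/ossec/rules/x.
# Caveat: a relative target that climbs above the jail root with ".." is
# clamped to the jail root by the kernel; this helper does not model that.

# jail_view JAIL LINK -> prints the host path the jailed process would open
jail_view() {
    root_dir=$1
    lnk=$2
    tgt=$(readlink "$lnk") || { printf '%s\n' "$lnk"; return 0; }  # not a symlink
    case $tgt in
        /*) printf '%s%s\n' "$root_dir" "$tgt" ;;            # absolute: re-rooted
        *)  printf '%s/%s\n' "$(dirname "$lnk")" "$tgt" ;;   # relative: beside link
    esac
}

# jail_readable JAIL LINK -> exit 0 if a process jailed in JAIL could read LINK
jail_readable() {
    [ -r "$(jail_view "$1" "$2")" ]
}

# make_demo_root -> prints a constructed temp root laid out like the thread's host
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/var/ossec/rules" "$root/var/ossec/local" "$root/opt/ossec/rules"
    echo '<group name="local,"></group>' > "$root/opt/ossec/rules/local_rules.xml"
    cp "$root/opt/ossec/rules/local_rules.xml" "$root/var/ossec/local/local_rules.xml"
    # the poster's link: absolute target outside /var/ossec, dangling from the jail
    ln -s /opt/ossec/rules/local_rules.xml "$root/var/ossec/rules/local_rules.xml"
    # a link whose target stays inside the jail (constructed alternative)
    ln -s ../local/local_rules.xml "$root/var/ossec/rules/local_rules_inside.xml"
    printf '%s\n' "$root"
}

# Stand-alone run: report both links, then clean up
host=$(make_demo_root)
jail=$host/var/ossec
for f in local_rules.xml local_rules_inside.xml; do
    if jail_readable "$jail" "$jail/rules/$f"; then
        echo "$f: readable from the jail"
    else
        echo "$f: NOT readable; the jail would open $(jail_view "$jail" "$jail/rules/$f")"
    fi
done
rm -rf "$host"
```

For the poster's link the helper reports the path /var/ossec/opt/ossec/rules/local_rules.xml under the temp root, which is exactly the lookup Rui guessed at in the thread; a bind mount of /opt/ossec/rules onto that path, or a link that stays inside the jail, makes it readable.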