When I start ossec-hids via init script, ossec-analysisd dies shortly thereafter with the following error:
2016/09/13 01:07:43 ossec-analysisd: Rules in an inconsistent state. Exiting.

Interestingly enough, I don't see this issue if I simply start ossec-analysisd by itself using:

/var/ossec/bin/ossec-analysisd -d

In this case, the last message I see is:

2016/09/13 01:17:28 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..

Config and system info below. Appreciate any assistance.

Cheers.
Todd Michael

-------------
*# version*
OSSEC HIDS v2.8.3 - Trend Micro Inc.

-------------
*# /etc/ossec-init.conf*
DIRECTORY="/var/ossec"
VERSION="2.8.3"
DATE="Fri Apr 8 14:30:15 EDT 2016"
TYPE="server"

-------------
*# /var/ossec/etc/ossec.conf*
<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
  <rootcheck>
    <disabled>no</disabled>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <global>
    <email_notification>yes</email_notification>
    <email_from>oss...@ossec1.domain.com</email_from>
    <email_to>m...@mydomain.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
    <log_alert_level>1</log_alert_level>
    <use_geoip>no</use_geoip>
  </alerts>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>

-------------
*# uname*
Linux ossec1-mgmt-usw2 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux