Hi, the <rules> section is missing in your ossec.conf. Did you remove it?
Regards.

On Tuesday, September 13, 2016 at 10:19:19 AM UTC+2, toddmichael wrote:
> When I start ossec-hids via init script, ossec-analysisd dies shortly
> thereafter with the following error:
>
> 2016/09/13 01:07:43 ossec-analysisd: Rules in an inconsistent state.
> Exiting.
>
> Interestingly enough, I don't see this issue if I simply start
> ossec-analysisd by itself using:
>
> /var/ossec/bin/ossec-analysisd -d
>
> In this case, the last message I see is:
>
> 2016/09/13 01:17:28 ossec-analysisd: DEBUG: Startup completed. Waiting for
> new messages..
>
> Config and system info below. Appreciate any assistance. Cheers.
>
> Todd Michael
>
> -------------
>
> *# version*
> OSSEC HIDS v2.8.3 - Trend Micro Inc.
>
> -------------
>
> *# /etc/ossec-init.conf*
> DIRECTORY="/var/ossec"
> VERSION="2.8.3"
> DATE="Fri Apr 8 14:30:15 EDT 2016"
> TYPE="server"
>
> -------------
>
> *# /var/ossec/etc/ossec.conf*
> <ossec_config>
>   <syscheck>
>     <frequency>21600</frequency>
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>   </syscheck>
>   <rootcheck>
>     <disabled>no</disabled>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>   </rootcheck>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_from>oss...@ossec1.domain.com</email_from>
>     <email_to>m...@mydomain.com</email_to>
>     <smtp_server>127.0.0.1</smtp_server>
>   </global>
>   <alerts>
>     <email_alert_level>7</email_alert_level>
>     <log_alert_level>1</log_alert_level>
>     <use_geoip>no</use_geoip>
>   </alerts>
>   <remote>
>     <connection>secure</connection>
>   </remote>
> </ossec_config>
>
> -------------
>
> *# uname*
> Linux ossec1-mgmt-usw2 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
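An added example, not part of the thread and not OSSEC's own code: a Python check for the condition the reply asks about, reporting whether an ossec.conf carries a `<rules>` section with `<include>` entries. The sample configs and rule file names are constructed, and handling more than one `<ossec_config>` block per file is an assumption about the file layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not the poster's file).
WITHOUT_RULES = """<ossec_config>
  <global><email_notification>no</email_notification></global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

WITH_RULES = WITHOUT_RULES + """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
  </rules>
</ossec_config>
"""

def rule_includes(conf_text):
    """Return every <include> file named inside a <rules> section."""
    # Assumption: a file may hold several <ossec_config> blocks, which is
    # not one well-formed XML document, so parse under a synthetic root.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    includes = []
    for block in root.iter("ossec_config"):
        for rules in block.findall("rules"):
            includes += [i.text.strip() for i in rules.findall("include") if i.text]
    return includes

def check(conf_text):
    """Return a list of problems; an empty list means the check passed."""
    try:
        includes = rule_includes(conf_text)
    except ET.ParseError as exc:
        return ["config is not parseable: %s" % exc]
    if not includes:
        return ["no <rules> section with <include> entries found"]
    return []

if __name__ == "__main__":
    import sys
    # With no argument, run against the constructed sample lacking <rules>.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WITHOUT_RULES
    for problem in check(text):
        print("ossec.conf:", problem)
```

Pass the path to the config as the first argument to check a real file; a parse failure is reported as a problem rather than raised.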