Hello,

The "ossec/queue" file is actually a socket that *ossec-agentd* creates to allow *Syscheck* and *Logcollector* to send data. Then *ossec-agentd* delivers that data to the manager.

When you launched "/usr/local/ossec-hids/bin/ossec-control start", the application logged that *ossec-execd* was already running, but *ossec-agentd* doesn't. This makes me think that there is an issue with the *ossec-agentd* program and, since it can't create the "ossec/queue" socket, no other program can continue working.

So, please make sure that a valid key is installed. For this, run:

    cat /usr/local/ossec-hids/etc/client.keys

There should be some content. If no such content is shown, reinstall the key (with *manage_agents*).

If everything is OK, restart the complete OSSEC agent, wait for about a minute, check the logs related to *ossec-agentd* and check whether it's still running:

    /usr/local/ossec-hids/bin/ossec-control restart
    grep ossec-agentd /usr/local/ossec-hids/logs/ossec.log   # only the ossec-agentd lines of the log
    /usr/local/ossec-hids/bin/ossec-control status

If, after restarting the OSSEC agent, you see an error with "cat", share it with us so we may help you. But if you don't see any error log, and "ossec-control status" tells that *ossec-agentd* isn't running, this means that the program has crashed and then it would be interesting to reinstall it from sources with debugging features enabled and re-run it with the *valgrind* utility, in order to search for bugs.

Hope it helps.

Regards.

On Sun, Dec 4, 2016 at 1:27 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Dec 3, 2016 4:54 PM, "Eponymous -" <the.e...@gmail.com> wrote:
>
> Hi all,
>
> I've had many problems getting the OSSEC agent to start up correctly on FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/VDT4cTObDPQ - "Chroot directory change option.") I figured it would be best to start a separate discussion.
>
> I've done a completely fresh install of *ossec-hids-client-2.8.2* from pkg.freebsd.org and then simply changed the IP address to the correct server address in ossec.conf and then added the key using manage-agents.
>
> Every time I start I get issues with permissions.
>
> /usr/local/ossec-hids/bin/ossec-control start
> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> ossec-execd already running...
> 2016/12/03 21:42:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> Started ossec-agentd...
> Started ossec-logcollector...
> 2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/12/03 21:42:11 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/12/03 21:42:19 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/12/03 21:42:19 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/12/03 21:42:32 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/12/03 21:42:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
> ossec-syscheckd did not start
>
> This page: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html talks about checking that "ossec-analysisd" is running, but I can't see that file anywhere in the install location so my guess is it was removed and possibly merged into another binary.
>
>
> That advice is for the server install or local install only.
>
>
> Using tree, I checked all the permissions:
>
> # tree -ugap /usr/local/ossec-hids/
> /usr/local/ossec-hids/
> |-- [drwx------ ossec ossec ] .ssh
> |-- [drwxr-xr-x root ossec ] active-response
> |   `-- [drwxr-xr-x root ossec ] bin
> |       |-- [-rwxr-xr-x root wheel ] disable-account.sh
> |       |-- [-rwxr-xr-x root wheel ] firewall-drop.sh
> |       |-- [-rwxr-xr-x root wheel ] host-deny.sh
> |       |-- [-rwxr-xr-x root wheel ] ip-customblock.sh
> |       |-- [-rwxr-xr-x root wheel ] ipfw.sh
> |       |-- [-rwxr-xr-x root wheel ] ipfw_mac.sh
> |       |-- [-rwxr-xr-x root wheel ] ossec-tweeter.sh
> |       |-- [-rwxr-xr-x root wheel ] pf.sh
> |       |-- [-rwxr-xr-x root wheel ] restart-ossec.sh
> |       `-- [-rwxr-xr-x root wheel ] route-null.sh
> |-- [drwxr-xr-x root ossec ] agentless
> |   |-- [-rwxr-x--- root ossec ] main.exp
> |   |-- [-rwxr-x--- root ossec ] register_host.sh
> |   |-- [-rwxr-x--- root ossec ] ssh.exp
> |   |-- [-rwxr-x--- root ossec ] ssh_asa-fwsmconfig_diff
> |   |-- [-rwxr-x--- root ossec ] ssh_foundry_diff
> |   |-- [-rwxr-x--- root ossec ] ssh_generic_diff
> |   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_bsd
> |   |-- [-rwxr-x--- root ossec ] ssh_integrity_check_linux
> |   |-- [-rwxr-x--- root ossec ] ssh_nopass.exp
> |   |-- [-rwxr-x--- root ossec ] ssh_pixconfig_diff
> |   |-- [-rwxr-x--- root ossec ] sshlogin.exp
> |   `-- [-rwxr-x--- root ossec ] su.exp
> |-- [drwxr-xr-x root ossec ] bin
> |   |-- [-rwxr-x--- root wheel ] agent-auth
> |   |-- [-rwxr-x--- root wheel ] manage_agents
> |   |-- [-rwxr-x--- root wheel ] ossec-agentd
> |   |-- [-rwxr-x--- root wheel ] ossec-control
> |   |-- [-rwxr-x--- root wheel ] ossec-execd
> |   |-- [-rwxr-x--- root wheel ] ossec-logcollector
> |   |-- [-rwxr-x--- root wheel ] ossec-lua
> |   |-- [-rwxr-x--- root wheel ] ossec-luac
> |   |-- [-rwxr-x--- root wheel ] ossec-syscheckd
> |   `-- [-rwxr-x--- root wheel ] util.sh
> |-- [drwxr-xr-x root ossec ] etc
> |   |-- [-r--r----- root ossec ] client.keys
> |   |-- [-r--r----- root ossec ] internal_options.conf
> |   |-- [-rwxr-xr-x root ossec ] ossec.conf
> |   |-- [-rwxr-xr-x root ossec ] ossec.conf.sample
> |   `-- [drwxr-xr-x root ossec ] shared
> |       |-- [-rwxrwx--- root ossec ] cis_debian_linux_rcl.txt
> |       |-- [-rwxrwx--- root ossec ] cis_rhel5_linux_rcl.txt
> |       |-- [-rwxrwx--- root ossec ] cis_rhel_linux_rcl.txt
> |       |-- [-rwxrwx--- root ossec ] rootkit_files.txt
> |       |-- [-rwxrwx--- root ossec ] rootkit_trojans.txt
> |       |-- [-rwxrwx--- root ossec ] system_audit_rcl.txt
> |       |-- [-rwxrwx--- root ossec ] win_applications_rcl.txt
> |       |-- [-rwxrwx--- root ossec ] win_audit_rcl.txt
> |       `-- [-rwxrwx--- root ossec ] win_malware_rcl.txt
> |-- [drwxr-xr-x root ossec ] logs
> |   `-- [-rw-rw-r-- ossec ossec ] ossec.log
> |-- [drwxr-xr-x root ossec ] queue
> |   |-- [drwxr-xr-x root ossec ] alerts
> |   |   `-- [srw-rw---- root ossec ] execq
> |   |-- [drwxr-x--- ossec ossec ] diff
> |   |-- [drwxrwx--- ossec ossec ] ossec
> |   |   `-- [srw-rw---- ossec ossec ] queue
> |   |-- [drwxr-xr-x root ossec ] rids
> |   `-- [drwxr-xr-x root ossec ] syscheck
> |-- [drwxr-xr-x root ossec ] tmp
> `-- [drwxr-xr-x root ossec ] var
>     `-- [drwxr-xr-x root ossec ] run
>         |-- [-rw-r----- root ossec ] ossec-execd-5576.pid
>         `-- [-rw-r----- root ossec ] ossec-logcollector-29444.pid
>
> This is my server.conf:
>
> <!-- OSSEC example config -->
>
> <ossec_config>
>   <client>
>     <server-ip>10.0.64.2</server-ip>
>   </client>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed -- default every 2 hours -->
>     <frequency>7200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   </rootcheck>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/system.log</location>
>   </localfile>
>
> </ossec_config>
>
> I'm really at the point of giving up as I've spent weeks trying to get this working.
>
> Can anyone point me in the right direction?
>
>
> Does it work if you compile from source?
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
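The checks Victor walks through in his reply (a populated client.keys, the ossec/queue socket, the ossec-agentd pid that "ossec-control status" looks for, the agentd lines in ossec.log) collected into one script. This is an added example, not OSSEC's own code; it assumes the FreeBSD pkg layout under /usr/local/ossec-hids shown in the tree output, takes the install directory as an optional argument, and assumes client.keys lines have the form "ID NAME IP KEY".

```shell
#!/bin/sh
# Added example, not OSSEC code: the checks from the reply above in one script.
# Assumes /usr/local/ossec-hids (FreeBSD pkg layout); pass another directory as $1.

# check_agent [DIR]: prints one line per check, returns the number of failed checks.
check_agent() {
    dir="${1:-/usr/local/ossec-hids}"
    fails=0

    # 1. ossec-agentd needs a key; a client.keys line is "ID NAME IP KEY" (assumed format).
    keys="$dir/etc/client.keys"
    if [ ! -s "$keys" ]; then
        echo "FAIL: $keys is missing or empty; re-add the key with manage_agents"
        fails=$((fails + 1))
    elif ! grep -Eq '^[0-9]+ [^ ]+ [^ ]+ [0-9a-fA-F]+$' "$keys"; then
        echo "FAIL: $keys has no well-formed 'ID NAME IP KEY' line"
        fails=$((fails + 1))
    else
        echo "OK:   client.keys holds a key entry"
    fi

    # 2. The ossec/queue socket is created by ossec-agentd; without it syscheckd and
    #    rootcheck log "Queue ... not accessible: 'Connection refused'".
    sock="$dir/queue/ossec/queue"
    if [ -S "$sock" ]; then
        echo "OK:   $sock is a socket"
    else
        echo "FAIL: $sock is not a socket, so ossec-agentd is not up"
        fails=$((fails + 1))
    fi

    # 3. ossec-control status reads the pid files in var/run; the tree above has
    #    execd and logcollector pid files but none for ossec-agentd.
    if ls "$dir"/var/run/ossec-agentd-*.pid >/dev/null 2>&1; then
        echo "OK:   ossec-agentd pid file present"
    else
        echo "FAIL: no ossec-agentd pid file in $dir/var/run"
        fails=$((fails + 1))
    fi

    # 4. Show the last ossec-agentd error lines, if the daemon logged any before exiting.
    log="$dir/logs/ossec.log"
    [ -f "$log" ] && grep 'ossec-agentd' "$log" | grep -i 'error' | tail -n 5
    return "$fails"
}

# Stand-alone use: sh check_agent.sh /usr/local/ossec-hids
if [ $# -gt 0 ]; then check_agent "$1"; fi
```

A non-zero exit status is the number of failed checks, so the script can be dropped into a cron job or a monitoring probe as-is.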