There is a work-around which I have used. 
Dan is correct - you can't get to the folder outside of the chroot-ed jail. 
You can, however, bring the folder in via:

mount --bind /data/logs/ossec /var/ossec/logs   # source directory first, then the mount point inside the jail

The trick is to bind the directory so the system still thinks it is part of 
the jail.

Cheers
Kat

On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec 
> logs piling up. I need to keep the logs, so I added a new drive (to the 
> ossec VMW vm), mounted it, and then moved the logs/ directory to the new 
> mount.
>
> Now, when starting ossec, ossec-analysisd won't start. I think it's 
> trying to chroot and can't cross the filesystem boundary...?
>
>> 2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
>> not accessible: 'Connection refused'.
>> 2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue 
>> '/queue/alerts/execq' not accessible: 'Connection refused'.
>> 2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init 
>> completed.
>> 2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create 
>> directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].
>
>
> and
>
>> [root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
>> drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
>> [root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
>> total 24
>> dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
>> drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
>> dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
>> dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
>> drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
>> dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
>> dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
>> drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
>> lrwxrwxrwx   1 root  root    16 Jan 13 18:55 logs -> /data/logs/ossec
>> dr-xr-x---   4 root  root    34 Oct  6 13:37 lua
>> dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
>> dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
>> drwx------   2 root  ossec    6 Oct  6 13:37 .ssh
>> drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
>> dr-xr-x--T   2 root  ossec    6 Oct  6 13:37 tmp
>> dr-xr-x---   3 root  root    20 Oct  6 13:37 update
>> dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var
>
>
> Do I need to keep it all on the same volume?
>
> thanks!
>
> Joel
>
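As an added example (not part of the thread), the following script checks for the problem Joel hit and prints the fix Kat describes: a symlink under the jail that points outside it stops resolving once ossec-analysisd has chrooted, while a bind mount keeps the directory visible. The helper names and the throw-away demo tree are mine; the paths /var/ossec and /data/logs/ossec come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. jail_path_ok says whether a path under a
# chroot jail still resolves after chroot (a symlink like logs -> /data/logs/ossec
# in Joel's listing does not); bind_fstab_line prints the fstab entry that makes
# Kat's bind mount survive a reboot.

# jail_path_ok JAIL RELPATH
#   0 = directory reachable after chroot, 1 = symlink that breaks after chroot,
#   2 = path does not exist.
jail_path_ok() {
    jail=$(readlink -f "$1")
    p="$jail/$2"
    if [ -L "$p" ]; then
        raw=$(readlink "$p")
        case "$raw" in
            /*) # absolute target: a chrooted process looks it up under the jail
                [ -d "$jail$raw" ] && return 0
                return 1 ;;
            *)  # relative target: fine as long as it resolves inside the jail
                abs=$(readlink -f "$p")
                case "$abs" in "$jail"/*) [ -d "$abs" ] && return 0 ;; esac
                return 1 ;;
        esac
    fi
    [ -d "$p" ] && return 0
    return 2
}

# bind_fstab_line SRC DST: source directory first, mount point inside the jail
# second, the same order as `mount --bind SRC DST`.
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Demo on a constructed throw-away tree; needs no root and performs no mount.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/jail/queue" "$t/outside/logs"
    ln -s "$t/outside/logs" "$t/jail/logs"          # same shape as Joel's symlink
    jail_path_ok "$t/jail" queue && echo "queue: reachable after chroot"
    jail_path_ok "$t/jail" logs || echo "logs: rc=$? (dangling after chroot)"
    # Fix: replace the symlink with a real directory and bind the data onto it.
    echo "rm $t/jail/logs && mkdir $t/jail/logs && mount --bind $t/outside/logs $t/jail/logs"
    bind_fstab_line "$t/outside/logs" "$t/jail/logs"
    rm -rf "$t"
}
demo
```

Run the check as root against the real jail with `jail_path_ok /var/ossec logs` before restarting the daemon; the mount target must be a real directory, because mount follows a symlink and would otherwise bind the data onto itself.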
