On Tue, Jan 24, 2017 at 2:12 PM, Kat <uncommon...@gmail.com> wrote:
> There is a work-around which I have used.
> Dan is correct - you can't get to the folder outside of the chroot-ed jail.
> You can however, bring the folder in via:
>
> mount --bind /var/ossec/logs /data/logs/ossec
>
> The trick is to bind the directory so the system still thinks it is part of
> the jail.
>

Assuming you're using a system where this is supported:
[ddp@ix] :; man mount | grep bind
[ddp@ix] :;


> Cheers
> Kat
>
>
> On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>>
>> hi all,
>>
>> man, not having a good day.
>>
>> I was starting to run out of space on my / volume as a result of ossec
>> logs piling up. I need to keep the logs, so I added a new drive (to the
>> ossec VMW vm), mounted it and then moved the logs/ directory to the new
>> mount.
>>
>> Now, when starting ossec, ossec-analysisd won't start. I think it's
>> trying to chroot and can't cross the filesystem boundary...?
>>
>>> 2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue
>>> '/queue/alerts/ar' not accessible: 'Connection refused'.
>>> 2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to
>>> active response queue.
>>> 2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue
>>> '/queue/alerts/execq' not accessible: 'Connection refused'.
>>> 2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to
>>> active response queue.
>>> 2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init
>>> completed.
>>> 2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create
>>> directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].
>>
>>
>> and
>>
>>> [root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
>>> drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
>>> [root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
>>> total 24
>>> dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
>>> drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
>>> dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
>>> dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
>>> drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
>>> dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
>>> dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
>>> drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
>>> lrwxrwxrwx   1 root  root    16 Jan 13 18:55 logs -> /data/logs/ossec
>>> dr-xr-x---   4 root  root    34 Oct  6 13:37 lua
>>> dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
>>> dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
>>> drwx------   2 root  ossec    6 Oct  6 13:37 .ssh
>>> drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
>>> dr-xr-x--T   2 root  ossec    6 Oct  6 13:37 tmp
>>> dr-xr-x---   3 root  root    20 Oct  6 13:37 update
>>> dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var
>>
>>
>> do I need to keep it all on the same volume?
>>
>> thanks!
>>
>> Joel
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
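
A check for the situation in this thread, added here as an example (it is not from the thread, nor OSSEC's own code): it tells apart a jail subdirectory that is a symlink pointing outside the jail (Joel's "logs -> /data/logs/ossec", unreachable once ossec-analysisd chroots) from one that is a mount point (Kat's bind mount, which survives the chroot). It assumes Linux's /proc/self/mountinfo layout (field 5 is the mount point) and GNU-style readlink -f; the jail and mountinfo line used by demo are constructed.

```shell
#!/bin/sh
# Decide whether JAIL/SUBDIR will still be reachable once a daemon
# chroots into JAIL. A symlink whose target lies outside JAIL is dead
# after chroot; a bind mount shows up in /proc/self/mountinfo with the
# jail path as its mount point and stays visible.
# Assumption: Linux mountinfo layout (field 5 = mount point), readlink -f.

# classify JAIL SUBDIR [MOUNTINFO_TEXT]
# Prints one of: bind-mount | inside | symlink-escape | missing
# Returns 0 when the path is usable after chroot, 1 otherwise.
classify() {
  jail=$(readlink -f "$1") || return 1
  target="$jail/$2"
  mountinfo=${3:-$(cat /proc/self/mountinfo 2>/dev/null || true)}

  # A mount point at the jail path (bind or otherwise) is fine post-chroot.
  if printf '%s\n' "$mountinfo" |
     awk -v p="$target" '$5 == p { f = 1 } END { exit !f }'; then
    echo bind-mount; return 0
  fi
  [ -e "$target" ] || { echo missing; return 1; }

  # Resolve symlinks and check the real path still sits under the jail.
  real=$(readlink -f "$target")
  case "$real" in
    "$jail"|"$jail"/*) echo inside; return 0 ;;
    *) echo symlink-escape; return 1 ;;
  esac
}

# Constructed walk-through (not from the thread): a jail whose logs/ is a
# symlink to a directory on another volume, then the same layout with a
# constructed mountinfo line describing a bind mount at that path.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/jail" "$t/data/logs/ossec"
  ln -s "$t/data/logs/ossec" "$t/jail/logs"
  classify "$t/jail" logs "" || true      # prints: symlink-escape
  mi="58 22 8:17 /logs/ossec $t/jail/logs rw,relatime - xfs /dev/sdb1 rw"
  classify "$t/jail" logs "$mi"           # prints: bind-mount
  rm -rf "$t"
}
```

Call `demo` to see both outcomes, or `classify /var/ossec logs` on a live host to read the real mountinfo.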
