Thanks for the reply, Dan. I'll probably roll my own logrotate script and use the one from the Atomic repo 3.3.0 install as a base. And yes, ossec.log was empty because I hadn't started the agent yet. I had assumed a different purpose for that file, but now that I'm running a few agents reporting to a server it all makes more sense now. :)
Scott

On Wed, Jun 17, 2020 at 8:26 AM dan (ddp) <[email protected]> wrote:

> On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny <[email protected]> wrote:
> >
> > I'm trying to get off the Atomic repo for a variety of reasons, so I just did a 3.6.0 agent install from the tarball's script on a CentOS 7 minimal machine to test the process and compatibility with my build tweaks. One of the issues I had with the Atomic repo 3.3.0 package install was /var/ossec/logs was of SELinux fcontext var_t rather than var_log_t which made those files inaccessible on an enforcing machine to logrotate_t. An easy fix, but I never got around to doing it. Now I see there is no ossec-hids script in /etc/logrotate.d. Is this intentional (as in, I need to roll my own) or could something have gone wrong during the install? I didn't see anything in /var/log/messages or journalctl and /var/ossec/logs/ossec.log (the only file in that directory) is empty. Is there anywhere that install results are logged or am I just expected to go through the output after ./install.sh?
> >
> > Any assistance or suggestions would be appreciated.
>
> We don't include a log rotate script.
> We don't log anything in the install.sh (I usually tee it to a file when I'm curious).
> If ossec.log is empty, ossec probably isn't running. Or maybe an selinux issue?
>
> > Thanks,
> >
> > Scott
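Added example, not part of the original thread and not OSSEC project code: a shell sketch of the two pieces discussed above, relabeling /var/ossec/logs to var_log_t so logrotate_t can reach it on an enforcing host, and generating a logrotate stanza for ossec.log. The function names, the /etc/logrotate.d/ossec-hids contents, the rotation policy values and the use of copytruncate are assumptions, not the Atomic repo's script.

```shell
#!/bin/sh
# Added example. Paths under /var/ossec come from the thread; the
# rotation policy and helper names below are assumptions.
OSSEC_LOG_DIR=/var/ossec/logs
ROTATE_CONF=/etc/logrotate.d/ossec-hids

# Print the type field of an SELinux context string,
# e.g. "system_u:object_r:var_t:s0" -> "var_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the context is anything other than var_log_t,
# the mismatch the thread describes (var_t blocks logrotate_t).
needs_relabel() {
    [ "$(selinux_type "$1")" != "var_log_t" ]
}

# Emit a logrotate stanza for ossec.log in the given directory.
# copytruncate is an assumed choice so that the running daemons keep
# writing to the same open file after rotation.
logrotate_stanza() {
    cat <<EOF
$1/ossec.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    copytruncate
}
EOF
}

# Run as root on the agent: fix the label if needed, install the
# stanza, then dry-run logrotate (-d changes nothing on disk).
apply() {
    ctx=$(stat -c %C "$OSSEC_LOG_DIR")
    if needs_relabel "$ctx"; then
        semanage fcontext -a -t var_log_t "$OSSEC_LOG_DIR(/.*)?"
        restorecon -Rv "$OSSEC_LOG_DIR"
    fi
    logrotate_stanza "$OSSEC_LOG_DIR" > "$ROTATE_CONF"
    logrotate -d "$ROTATE_CONF"
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Without `--apply` the script only defines the functions, so the stanza can be reviewed with `logrotate_stanza /var/ossec/logs` before anything is written.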
