Hello all. I'm having a bit of difficulty with ossec and I haven't been able to find the issue. For some reason, when I run touch /etc/testfile.txt, an entry for a file creation event doesn't appear in alerts.json like, as far as I know, it is supposed to. I've made sure syscheckd is running, added an entry to local_rules.xml for a file added event, made sure I was adding in a watched directory, added another directory and tried there to be thorough, and still nothing. I'm at a loss as to why. Can anyone here offer any insight? As per the ossec troubleshooting page, I'll include the contents of a number of files and commands here.

/var/ossec/bin/ossec-analysisd -V:
OSSEC v4.3.0 - Atomicorp Inc.

/etc/ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="4.3.0"
DATE="Wed Feb 17 12:19:51 EST 2021"
TYPE="server"

/var/ossec/etc/ossec.conf:
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.2</white_list>
    <logall>no</logall>
    <jsonout_output>yes</jsonout_output>
    <geoipdb>/usr/share/GeoIP/GeoLiteCity.dat</geoipdb>
  </global>
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <frequency>86400</frequency>
    <directories realtime="yes" check_all="yes" whodata="yes" report_changes="yes">/etc</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/home/mdavis</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/active-response</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/etc</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/agentless</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/bin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/lib</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/lib64</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/opt</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/sbin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/bin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib64</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/bin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/lib</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/sbin</directories>
    <ignore>/etc/asl/VERSION</ignore>
    <ignore>/var/awp/etc/VERSION</ignore>
    <ignore>/etc/asl/aslw_aum.log</ignore>
    <ignore>/var/awp/etc/aum.log</ignore>
    <ignore>/etc/asl/DTC</ignore>
    <ignore>/var/awp/etc/DTC</ignore>
    <ignore>/etc/asl/whitelist</ignore>
    <ignore>/var/awp/etc/whitelist</ignore>
    <ignore>/var/awp/etc/whitelist.json</ignore>
    <ignore>/etc/asl/config</ignore>
    <ignore>/var/awp/etc/config</ignore>
    <ignore>/var/awp/etc/config.json</ignore>
    <ignore>/etc/asl/rules</ignore>
    <ignore>/var/awp/etc/rules.json</ignore>
    <ignore>/etc/asl/system.properties</ignore>
    <ignore>/var/awp/etc/system.properties</ignore>
    <ignore>/etc/mtab</ignore>
    <ignore>/var/tmp</ignore>
    <ignore>/var/ossec/queue</ignore>
    <ignore>/var/ossec/logs</ignore>
    <ignore>/var/ossec/stats</ignore>
    <ignore>/var/ossec/var</ignore>
    <ignore>/var/ossec/etc/rules.d</ignore>
    <ignore>/var/ossec/etc/shared</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/grsec/learning.logs</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/httpd/modsecurity.d/</ignore>
    <ignore>/etc/httpd/logs/</ignore>
    <ignore>/etc/httpd/domlogs/</ignore>
    <ignore>/etc/vfilters</ignore>
    <ignore>/var/ossec/bin/.process_list</ignore>
    <ignore>/usr/local/psa/handlers.default</ignore>
    <ignore>/usr/local/psa/admin/logs/</ignore>
    <ignore>/etc/mail/spamassassin/bayes/</ignore>
    <ignore>/etc/webmin/virtual-server/</ignore>
    <ignore>/usr/local/atmail/calendarserver/server/logs/</ignore>
    <ignore>/etc/mail/spamassassin/.razor</ignore>
    <ignore>/etc/relayhostusers</ignore>
    <ignore>/etc/relayhosts</ignore>
    <ignore>/etc/eximpopbeforesmtpwarning</ignore>
    <ignore>/etc/prelink.cache</ignore>
    <ignore>/etc/csf/stats/</ignore>
    <ignore>/etc/webmin</ignore>
    <ignore>/etc/dcc/log</ignore>
    <ignore>/etc/dcc/map</ignore>
    <ignore>/usr/local/psa/var/cgitory</ignore>
    <ignore>/usr/libexec/aqueduct</ignore>
    <ignore>/etc/portsentry/portsentry.history</ignore>
    <ignore>/var/ossec/active-response/ossec-hids-responses.log</ignore>
    <ignore>/etc/snmp/error_log</ignore>
    <ignore>/var/ossec/etc/</ignore>
    <ignore>/usr/src/</ignore>
    <ignore>/usr/local/src/</ignore>
    <ignore>/usr/lib/observium_agent/local/error_log</ignore>
    <ignore>/etc/recent_recipient_mail_server_ips</ignore>
    <ignore>/etc/named.conf.zonedir.cache</ignore>
    <ignore>/etc/recent_authed_mail_ips</ignore>
    <ignore>/etc/recent_authed_mail_ips_users</ignore>
    <ignore>/etc/magicspam/db</ignore>
    <ignore>/var/ossec/tmp</ignore>
    <ignore>/etc/letsencrypt/.certbot.lock</ignore>
    <ignore>/opt/dell/srvadmin/var/lib/openmanage/log</ignore>
    <ignore>/opt/dell/srvadmin/var/log</ignore>
    <ignore>/opt/dell/srvadmin/var/log/openmanage/install.log</ignore>
    <ignore>/opt/dell/srvadmin/var/log/openmanage/ssclp.log</ignore>
    <ignore>/opt/nimsoft/probles/service/hdb/hdb.log</ignore>
    <ignore>/opt/nimsoft/probes/system/cdm/_cdm.log</ignore>
    <ignore>/opt/nimsoft/probes/system/cdm/cdm.log</ignore>
    <ignore>/opt/nimsoft/robot/controller.log</ignore>
    <ignore>/opt/nimsoft/robot/spooler.log</ignore>
    <ignore>/opt/nimsoft/robot/nimbus.log</ignore>
    <ignore>/opt/nimsoft/robot/_spooler.log</ignore>
    <ignore>/opt/nimsoft/robot/_controller.log</ignore>
  </syscheck>
  <command>
    <name>awp-tracking</name>
    <executable>awp-sync.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>ar-tracking</name>
    <executable>ar-tracking.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>self-healing-17502</name>
    <executable>self-healing-17502</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-17503</name>
    <executable>self-healing-17503</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-30300</name>
    <executable>self-healing-30300</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-30302</name>
    <executable>self-healing-30302</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-52575</name>
    <executable>self-healing-52575</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-60912</name>
    <executable>self-healing-60912</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-60914</name>
    <executable>self-healing-60914</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-52576</name>
    <executable>self-healing-52576</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>cloudflare-ban</name>
    <executable>cloudflare-ban.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>asl-firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>awp-tracking</name>
    <executable>awp-sync.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>ar-tracking</name>
    <executable>ar-tracking.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>zabbix-alert</name>
    <executable>zabbix-alert.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-17502</name>
    <executable>self-healing-17502</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-17503</name>
    <executable>self-healing-17503</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-30300</name>
    <executable>self-healing-30300</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-30302</name>
    <executable>self-healing-30302</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-52575</name>
    <executable>self-healing-52575</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-60912</name>
    <executable>self-healing-60912</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-60914</name>
    <executable>self-healing-60914</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>self-healing-52576</name>
    <executable>self-healing-52576</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>awp-tracking</command>
    <location>local</location>
    <timeout>600</timeout>
    <level>6</level>
  </active-response>
  <active-response>
    <command>ar-tracking</command>
    <location>local</location>
    <timeout>600</timeout>
    <level>6</level>
  </active-response>
  <active-response>
    <command>self-healing-17502</command>
    <location>local</location>
    <rules_id>17502</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-17503</command>
    <location>local</location>
    <rules_id>17503</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-30300</command>
    <location>local</location>
    <rules_id>30300</rules_id>
    <rules_id>30301</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-30302</command>
    <location>local</location>
    <rules_id>30302</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-52575</command>
    <location>local</location>
    <rules_id>52575</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-60912</command>
    <location>local</location>
    <rules_id>60912</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-60914</command>
    <location>local</location>
    <rules_id>60914</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-52576</command>
    <location>local</location>
    <rules_id>52576</rules_id>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>cloudflare-ban</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>awp-tracking</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>ar-tracking</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>zabbix-alert</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>self-healing-17502</command>
    <location>local</location>
    <rules_id>17502</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-17503</command>
    <location>local</location>
    <rules_id>17503</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-30300</command>
    <location>local</location>
    <rules_id>30300</rules_id>
    <rules_id>30301</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-30302</command>
    <location>local</location>
    <rules_id>30302</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-52575</command>
    <location>local</location>
    <rules_id>52575</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-60912</command>
    <location>local</location>
    <rules_id>60912</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-60914</command>
    <location>local</location>
    <rules_id>60914</rules_id>
  </active-response>
  <active-response>
    <command>self-healing-52576</command>
    <location>local</location>
    <rules_id>52576</rules_id>
  </active-response>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <auth>
    <disabled>yes</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <limit_maxagents>yes</limit_maxagents>
  </auth>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/tortixd/audit_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/audit_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/tortixd/asl_error_log</location>
  </localfile>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>
  <logging></logging>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <rootcheck>
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
    <disabled>no</disabled>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
  <rules>
    <decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
    <rule_dir pattern=".xml$">etc/rules.d</rule_dir>
    <list>etc/lists/audit-key</list>
    <list>etc/lists/threat/threat1</list>
    <list>etc/lists/threat/threat2</list>
    <list>etc/lists/threat/threat3</list>
    <list>etc/lists/threat/threat4</list>
    <list>etc/lists/threat/threat5</list>
    <list>etc/lists/threat/threat6</list>
    <list>etc/lists/threat/threat7</list>
    <list>etc/lists/threat/threat8</list>
    <list>etc/lists/threat/threat9</list>
    <list>etc/lists/threat/threat10</list>
    <list>etc/lists/threat/threat11</list>
    <list>etc/lists/threat/threat12</list>
  </rules>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy>sca_unix_audit.yml</policy>
      <policy>system_audit_pw.yml</policy>
      <policy>system_audit_ssh.yml</policy>
      <policy>cis_rhel7_linux.yml</policy>
    </policies>
  </sca>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <os>precise</os>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <os>wheezy</os>
      <os>stretch</os>
      <os>jessie</os>
      <os>buster</os>
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="redhat">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
      <update_from_year>2010</update_from_year>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
      <update_from_year>2010</update_from_year>
    </provider>
  </vulnerability-detector>
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="xccdf" path="ssg-rhel7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="com.redhat.rhsa-RHEL7.xml"></content>
  </wodle>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports>yes</ports>
    <processes>yes</processes>
  </wodle>
</ossec_config>

/var/ossec/logs/ossec.log:
2021/03/23 10:05:58 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:05:58 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:05:58 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:05:58 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:05:58 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:05:59 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:01 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:01 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:01 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:04 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:04 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:04 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:04 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:04 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:04 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:04 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:05 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:07 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:07 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:08 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:08 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:08 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:10 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:10 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:10 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:11 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:11 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:11 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:11 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:11 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:13 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:14 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:14 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:14 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:14 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:16 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:16 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:16 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:17 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:17 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:17 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:19 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:20 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:21 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.

Note: ossec.log was too big to grab all of it. This is the last chunk of lines.

uname -a:
Linux localhost.localdomain 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I think that is all the info the troubleshooting page suggests. If you need more info, say so and I'll see if I can post it. If anyone has any insight into this issue, I'd appreciate it.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9e85ec91-876c-493c-baae-061213b9af7fn%40googlegroups.com.
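The posted ossec.log shows ossec-analysisd rejecting ossec.conf (error 1235 on the timeout_allowed element, then 1202), and analysisd is the process that writes alerts.json, so no syscheck alert can appear until the config loads. The cross-check below is an added example for this thread, not code from the original post or from OSSEC/Atomicorp: it parses a constructed fragment shaped like the posted config, flags command blocks whose timeout_allowed is not yes/no and command names defined more than once, and pulls the analysisd error codes out of constructed log lines in the posted format. The function names and the synthetic root wrapper are assumptions; the element names, error codes and log format come from the post.

```python
"""Cross-check an ossec.conf for <command> values analysisd rejects, and confirm
the rejection in ossec.log. Added example; not the project's own tooling."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, abridged fragment in the shape of the posted config: one valid
# <command>, plus a name defined twice with the literal placeholder that the
# posted log reports as an invalid timeout_allowed value.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>awp-tracking</name>
    <executable>awp-sync.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
  </command>
</ossec_config>
"""

# Constructed log lines in the format of the posted ossec.log.
SAMPLE_LOG = """\
2021/03/23 10:06:21 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:21 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
"""

BOOLEAN = {"yes", "no"}  # the only values analysisd accepts for timeout_allowed


def parse_ossec_conf(text):
    # An ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML on its own; a synthetic root (assumption) fixes that.
    return ET.fromstring("<root>" + text + "</root>")


def check_commands(text):
    """Return human-readable findings for top-level <command> definitions."""
    root = parse_ossec_conf(text)
    findings, names = [], Counter()
    # Only direct children of <ossec_config>: <command> also appears as a plain
    # text element inside <active-response> and <localfile>, which is not a definition.
    for cmd in root.findall("ossec_config/command"):
        name = (cmd.findtext("name") or "").strip()
        names[name] += 1
        timeout = (cmd.findtext("timeout_allowed") or "").strip()
        if timeout.lower() not in BOOLEAN:
            findings.append(f"command '{name}': timeout_allowed must be yes/no, got '{timeout}'")
    for name, count in names.items():
        if count > 1:
            findings.append(f"command '{name}' is defined {count} times")
    return findings


LOG_RE = re.compile(r"^\S+ \S+ (?P<daemon>[\w-]+):\s*(?P<level>ERROR|CRITICAL): \((?P<code>\d+)\)")
CONFIG_CODES = {"1235", "1202"}  # bad element value, configuration error


def analysisd_config_errors(log_text):
    """Return (code, level) pairs for analysisd configuration errors, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("daemon") == "ossec-analysisd" and m.group("code") in CONFIG_CODES:
            hits.append((m.group("code"), m.group("level")))
    return hits


if __name__ == "__main__":
    for finding in check_commands(SAMPLE_CONF):
        print("CONF:", finding)
    for code, level in analysisd_config_errors(SAMPLE_LOG):
        print("LOG :", code, level)
```

Against the posted config, the same check would also report host-deny, awp-tracking and ar-tracking as defined twice, since each appears once with a valid value and once with the placeholder.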