Hi,
I have verified that on a new installation of OSSEC 3.6.0 new files do not 
trigger rule 554 as expected.
I verified this both using scheduled and real-time scanning. 
This can be easily reproduced by installing an OSSEC server and adding:
        <directories check_all="yes" realtime="yes">/fimtest</directories>
to the syscheck configuration, then creating a directory, restarting the 
ossec server, waiting for the scheduled scan to finish and adding and 
modifying files to the server.
        mkdir /fimtest
        /var/ossec/bin/ossec-control restart
        touch /fimtest/touchedfile
        echo 'file created' > /fimtest/testfile
        echo 'file modified' > /fimtest/testfile

After this only the last event generates an alert. 
I've opened an issue to report this here: 
https://github.com/ossec/ossec-hids/issues/1968

However, it is also true that your configuration is not completely correct: 
as you can see in the error log, there is a message indicating:
        2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
I see you have several commands with the configuration: 
        <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
If you wish to disable timeout for these options, you should replace it 
with:
        <timeout_allowed>no</timeout_allowed>

Let me know if this helps,
Best Regards,
Juan Carlos Tello
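
The check described in this reply, as an added example that is not part of the original message or of the OSSEC project: it reads error 1235 out of ossec.log and lists the `<command>` definitions in ossec.conf that carry the rejected value. The function names are hypothetical, the sample config and log are constructed from fragments quoted in this thread, and "yes"/"no" are assumed to be the accepted values.

```python
import re
from collections import Counter

# Assumption: "yes" and "no" are the accepted <timeout_allowed> values, as the
# thread's configuration and the suggested fix use them.
ALLOWED = {"yes", "no"}
# ossec-analysisd error 1235, in the format of the ossec.log lines in the thread.
ERR_1235 = re.compile(
    r"ERROR: \(1235\): Invalid value for element '(?P<element>[^']+)': "
    r"(?P<value>.+?)\.?\s*$"
)
COMMAND_BLOCK = re.compile(r"<command>(?P<body>.*?)</command>", re.DOTALL)


def rejected_values(log_text):
    """Count each (element, value) pair analysisd rejected with error 1235."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ERR_1235.search(line)
        if m:
            hits[(m.group("element"), m.group("value"))] += 1
    return dict(hits)


def blank_comments(text):
    """Blank XML comments but keep their newlines, so line numbers stay valid."""
    return re.sub(r"<!--.*?-->", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.DOTALL)


def child_text(body, tag):
    """Stripped text of the first <tag>...</tag> in body, or None if absent."""
    m = re.search(r"<{0}>(.*?)</{0}>".format(re.escape(tag)), body, re.DOTALL)
    return m.group(1).strip() if m else None


def bad_commands(conf_text, element="timeout_allowed", allowed=ALLOWED):
    """(line, command name, value) for definitions with a disallowed <element>."""
    text = blank_comments(conf_text)
    findings = []
    for block in COMMAND_BLOCK.finditer(text):
        body = block.group("body")
        name = child_text(body, "name")
        if name is None:
            continue  # <command>x</command> in <active-response>/<localfile>
        value = child_text(body, element)
        if value is not None and value not in allowed:
            pos = block.start("body") + body.index("<" + element + ">")
            findings.append((text.count("\n", 0, pos) + 1, name, value))
    return findings


def explain(log_text, conf_text):
    """Map each value rejected in the log to the command blocks that set it."""
    report = {}
    for (element, value), count in rejected_values(log_text).items():
        blocks = [(line, name)
                  for line, name, found in bad_commands(conf_text, element)
                  if found == value]
        report[(element, value)] = {"log_hits": count, "commands": blocks}
    return report


# Constructed sample: command blocks trimmed from the quoted ossec.conf, plus
# one made-up commented-out block to show that comments are skipped.
SAMPLE_CONF = """\
<ossec_config>
    <!-- <command><name>old</name><timeout_allowed>maybe</timeout_allowed></command> -->
    <command>
        <name>zabbix-alert</name>
        <timeout_allowed>no</timeout_allowed>
    </command>
    <command>
        <name>host-deny</name>
        <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
    </command>
    <command>
        <name>cloudflare-ban</name>
        <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
    </command>
    <active-response>
        <command>host-deny</command>
        <location>local</location>
    </active-response>
</ossec_config>
"""

# Constructed sample: log lines from the quoted ossec.log, unwrapped.
SAMPLE_LOG = """\
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
"""

if __name__ == "__main__":
    for (element, value), info in explain(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"<{element}> value {value!r} rejected {info['log_hits']}x in log")
        for line_no, name in info["commands"]:
            print(f"  ossec.conf line {line_no}: command '{name}'")
```

On a real server, pass the contents of /var/ossec/logs/ossec.log and /var/ossec/etc/ossec.conf to `explain` in place of the samples.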

On Tuesday, March 23, 2021 at 3:19:42 PM UTC+1 morgana...@gmail.com wrote:

> Hello all. I'm having a bit of difficulty with ossec and I haven't been 
> able to find the issue. For some reason, when I run touch 
> /etc/testfile.txt, an entry for a file creation event doesn't appear in 
> alerts.json like, as far as I know, it is supposed to. I've made sure 
> syscheckd is running, added an entry to local_rules.xml for a file added 
> event, made sure I was adding in a watched directory, added another 
> directory and tried there to be thorough, and still nothing. I'm at a loss 
> as to why. Can anyone here offer any insight? As per the ossec 
> troubleshooting page, I'll include the contents of a number of files and 
> commands here. 
> /var/ossec/bin/ossec-analysisd -V: OSSEC v4.3.0 - Atomicorp Inc. 
>
> /etc/ossec-init.conf: DIRECTORY="/var/ossec"
> VERSION="4.3.0"
> DATE="Wed Feb 17 12:19:51 EST 2021"
> TYPE="server"
>
> /var/ossec/etc/ossec.conf: <ossec_config>
>     <global>
>         <email_notification>no</email_notification>
>         <white_list>127.0.0.1</white_list>
>         <white_list>^localhost.localdomain$</white_list>
>         <white_list>10.0.0.2</white_list>
>         <logall>no</logall>
>         <jsonout_output>yes</jsonout_output>
>         <geoipdb>/usr/share/GeoIP/GeoLiteCity.dat</geoipdb>
>     </global>
>     <syscheck>
>         <auto_ignore>no</auto_ignore>
>         <alert_new_files>yes</alert_new_files>
>         <frequency>86400</frequency>
>         <directories realtime="yes" check_all="yes" whodata="yes" report_changes="yes">/etc</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/home/mdavis</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/active-response</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/etc</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/agentless</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/bin</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/lib</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/lib64</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/opt</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/sbin</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/bin</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib64</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/bin</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/lib</directories>
>         <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/sbin</directories>
>         <ignore>/etc/asl/VERSION</ignore>
>         <ignore>/var/awp/etc/VERSION</ignore>
>         <ignore>/etc/asl/aslw_aum.log</ignore>
>         <ignore>/var/awp/etc/aum.log</ignore>
>         <ignore>/etc/asl/DTC</ignore>
>         <ignore>/var/awp/etc/DTC</ignore>
>         <ignore>/etc/asl/whitelist</ignore>
>         <ignore>/var/awp/etc/whitelist</ignore>
>         <ignore>/var/awp/etc/whitelist.json</ignore>
>         <ignore>/etc/asl/config</ignore>
>         <ignore>/var/awp/etc/config</ignore>
>         <ignore>/var/awp/etc/config.json</ignore>
>         <ignore>/etc/asl/rules</ignore>
>         <ignore>/var/awp/etc/rules.json</ignore>
>         <ignore>/etc/asl/system.properties</ignore>
>         <ignore>/var/awp/etc/system.properties</ignore>
>         <ignore>/etc/mtab</ignore>
>         <ignore>/var/tmp</ignore>
>         <ignore>/var/ossec/queue</ignore>
>         <ignore>/var/ossec/logs</ignore>
>         <ignore>/var/ossec/stats</ignore>
>         <ignore>/var/ossec/var</ignore>
>         <ignore>/var/ossec/etc/rules.d</ignore>
>         <ignore>/var/ossec/etc/shared</ignore>
>         <ignore>/etc/mnttab</ignore>
>         <ignore>/etc/grsec/learning.logs</ignore>
>         <ignore>/etc/hosts.deny</ignore>
>         <ignore>/etc/mail/statistics</ignore>
>         <ignore>/etc/random-seed</ignore>
>         <ignore>/etc/adjtime</ignore>
>         <ignore>/etc/httpd/logs</ignore>
>         <ignore>/etc/utmpx</ignore>
>         <ignore>/etc/wtmpx</ignore>
>         <ignore>/etc/cups/certs</ignore>
>         <ignore>/etc/httpd/modsecurity.d/</ignore>
>         <ignore>/etc/httpd/logs/</ignore>
>         <ignore>/etc/httpd/domlogs/</ignore>
>         <ignore>/etc/vfilters</ignore>
>         <ignore>/var/ossec/bin/.process_list</ignore>
>         <ignore>/usr/local/psa/handlers.default</ignore>
>         <ignore>/usr/local/psa/admin/logs/</ignore>
>         <ignore>/etc/mail/spamassassin/bayes/</ignore>
>         <ignore>/etc/webmin/virtual-server/</ignore>
>         <ignore>/usr/local/atmail/calendarserver/server/logs/</ignore>
>         <ignore>/etc/mail/spamassassin/.razor</ignore>
>         <ignore>/etc/relayhostusers</ignore>
>         <ignore>/etc/relayhosts</ignore>
>         <ignore>/etc/eximpopbeforesmtpwarning</ignore>
>         <ignore>/etc/prelink.cache</ignore>
>         <ignore>/etc/csf/stats/</ignore>
>         <ignore>/etc/webmin</ignore>
>         <ignore>/etc/dcc/log</ignore>
>         <ignore>/etc/dcc/map</ignore>
>         <ignore>/usr/local/psa/var/cgitory</ignore>
>         <ignore>/usr/libexec/aqueduct</ignore>
>         <ignore>/etc/portsentry/portsentry.history</ignore>
>         <ignore>/var/ossec/active-response/ossec-hids-responses.log</ignore>
>         <ignore>/etc/snmp/error_log</ignore>
>         <ignore>/var/ossec/etc/</ignore>
>         <ignore>/usr/src/</ignore>
>         <ignore>/usr/local/src/</ignore>
>         <ignore>/usr/lib/observium_agent/local/error_log</ignore>
>         <ignore>/etc/recent_recipient_mail_server_ips</ignore>
>         <ignore>/etc/named.conf.zonedir.cache</ignore>
>         <ignore>/etc/recent_authed_mail_ips</ignore>
>         <ignore>/etc/recent_authed_mail_ips_users</ignore>
>         <ignore>/etc/magicspam/db</ignore>
>         <ignore>/var/ossec/tmp</ignore>
>         <ignore>/etc/letsencrypt/.certbot.lock</ignore>
>         <ignore>/opt/dell/srvadmin/var/lib/openmanage/log</ignore>
>         <ignore>/opt/dell/srvadmin/var/log</ignore>
>         <ignore>/opt/dell/srvadmin/var/log/openmanage/install.log</ignore>
>         <ignore>/opt/dell/srvadmin/var/log/openmanage/ssclp.log</ignore>
>         <ignore>/opt/nimsoft/probles/service/hdb/hdb.log</ignore>
>         <ignore>/opt/nimsoft/probes/system/cdm/_cdm.log</ignore>
>         <ignore>/opt/nimsoft/probes/system/cdm/cdm.log</ignore>
>         <ignore>/opt/nimsoft/robot/controller.log</ignore>
>         <ignore>/opt/nimsoft/robot/spooler.log</ignore>
>         <ignore>/opt/nimsoft/robot/nimbus.log</ignore>
>         <ignore>/opt/nimsoft/robot/_spooler.log</ignore>
>         <ignore>/opt/nimsoft/robot/_controller.log</ignore>
>     </syscheck>
>     <command>
>         <name>awp-tracking</name>
>         <executable>awp-sync.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>yes</timeout_allowed>
>     </command>
>     <command>
>         <name>ar-tracking</name>
>         <executable>ar-tracking.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>yes</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-17502</name>
>         <executable>self-healing-17502</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-17503</name>
>         <executable>self-healing-17503</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-30300</name>
>         <executable>self-healing-30300</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-30302</name>
>         <executable>self-healing-30302</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-52575</name>
>         <executable>self-healing-52575</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-60912</name>
>         <executable>self-healing-60912</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-60914</name>
>         <executable>self-healing-60914</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-52576</name>
>         <executable>self-healing-52576</executable>
>         <expect></expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>host-deny</name>
>         <executable>host-deny.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>host-deny</name>
>         <executable>host-deny.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>cloudflare-ban</name>
>         <executable>cloudflare-ban.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>firewall-drop</name>
>         <executable>asl-firewall-drop.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>awp-tracking</name>
>         <executable>awp-sync.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>ar-tracking</name>
>         <executable>ar-tracking.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
>     </command>
>     <command>
>         <name>zabbix-alert</name>
>         <executable>zabbix-alert.sh</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-17502</name>
>         <executable>self-healing-17502</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-17503</name>
>         <executable>self-healing-17503</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-30300</name>
>         <executable>self-healing-30300</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-30302</name>
>         <executable>self-healing-30302</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-52575</name>
>         <executable>self-healing-52575</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-60912</name>
>         <executable>self-healing-60912</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-60914</name>
>         <executable>self-healing-60914</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <command>
>         <name>self-healing-52576</name>
>         <executable>self-healing-52576</executable>
>         <expect>srcip</expect>
>         <timeout_allowed>no</timeout_allowed>
>     </command>
>     <active-response>
>         <command>awp-tracking</command>
>         <location>local</location>
>         <timeout>600</timeout>
>         <level>6</level>
>     </active-response>
>     <active-response>
>         <command>ar-tracking</command>
>         <location>local</location>
>         <timeout>600</timeout>
>         <level>6</level>
>     </active-response>
>     <active-response>
>         <command>self-healing-17502</command>
>         <location>local</location>
>         <rules_id>17502</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-17503</command>
>         <location>local</location>
>         <rules_id>17503</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-30300</command>
>         <location>local</location>
>         <rules_id>30300</rules_id>
>         <rules_id>30301</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-30302</command>
>         <location>local</location>
>         <rules_id>30302</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-52575</command>
>         <location>local</location>
>         <rules_id>52575</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-60912</command>
>         <location>local</location>
>         <rules_id>60912</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-60914</command>
>         <location>local</location>
>         <rules_id>60914</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-52576</command>
>         <location>local</location>
>         <rules_id>52576</rules_id>
>     </active-response>
>     <active-response>
>         <command>host-deny</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>host-deny</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>cloudflare-ban</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>firewall-drop</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>awp-tracking</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>ar-tracking</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>zabbix-alert</command>
>         <location>local</location>
>     </active-response>
>     <active-response>
>         <command>self-healing-17502</command>
>         <location>local</location>
>         <rules_id>17502</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-17503</command>
>         <location>local</location>
>         <rules_id>17503</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-30300</command>
>         <location>local</location>
>         <rules_id>30300</rules_id>
>         <rules_id>30301</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-30302</command>
>         <location>local</location>
>         <rules_id>30302</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-52575</command>
>         <location>local</location>
>         <rules_id>52575</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-60912</command>
>         <location>local</location>
>         <rules_id>60912</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-60914</command>
>         <location>local</location>
>         <rules_id>60914</rules_id>
>     </active-response>
>     <active-response>
>         <command>self-healing-52576</command>
>         <location>local</location>
>         <rules_id>52576</rules_id>
>     </active-response>
>     <alerts>
>         <log_alert_level>1</log_alert_level>
>         <email_alert_level>7</email_alert_level>
>     </alerts>
>     <auth>
>         <disabled>yes</disabled>
>         <port>1515</port>
>         <use_source_ip>no</use_source_ip>
>         <force_insert>yes</force_insert>
>         <force_time>0</force_time>
>         <purge>yes</purge>
>         <use_password>no</use_password>
>         <ssl_verify_host>no</ssl_verify_host>
>         <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
>         <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
>         <ssl_auto_negotiate>no</ssl_auto_negotiate>
>         <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
>         <limit_maxagents>yes</limit_maxagents>
>     </auth>
>     <localfile>
>         <log_format>syslog</log_format>
>         <location>/var/log/messages</location>
>     </localfile>
>     <localfile>
>         <log_format>syslog</log_format>
>         <location>/var/log/secure</location>
>     </localfile>
>     <localfile>
>         <log_format>syslog</log_format>
>         <location>/var/log/maillog</location>
>     </localfile>
>     <localfile>
>         <log_format>apache</log_format>
>         <location>/var/log/tortixd/audit_log</location>
>     </localfile>
>     <localfile>
>         <log_format>apache</log_format>
>         <location>/var/log/httpd/audit_log</location>
>     </localfile>
>     <localfile>
>         <log_format>apache</log_format>
>         <location>/var/log/httpd/error_log</location>
>     </localfile>
>     <localfile>
>         <log_format>apache</log_format>
>         <location>/var/log/tortixd/asl_error_log</location>
>     </localfile>
>     <localfile>
>         <log_format>audit</log_format>
>         <location>/var/log/audit/audit.log</location>
>     </localfile>
>     <localfile>
>         <log_format>command</log_format>
>         <command>df -P</command>
>         <frequency>360</frequency>
>     </localfile>
>     <localfile>
>         <log_format>command</log_format>
>         <command>uptime</command>
>         <frequency>360</frequency>
>     </localfile>
>     <localfile>
>         <log_format>full_command</log_format>
>         <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>         <frequency>360</frequency>
>     </localfile>
>     <localfile>
>         <log_format>full_command</log_format>
>         <command>last -n 5</command>
>         <frequency>360</frequency>
>     </localfile>
>     <logging></logging>
>     <remote>
>         <connection>secure</connection>
>         <port>1514</port>
>         <protocol>udp</protocol>
>     </remote>
>     <remote>
>         <connection>syslog</connection>
>         <port>514</port>
>         <protocol>udp</protocol>
>         <allowed-ips>0.0.0.0/0</allowed-ips>
>     </remote>
>     <rootcheck>
>         <frequency>43200</frequency>
>         <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>         <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>         <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>         <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
>         <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>         <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>         <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
>         <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
>         <disabled>no</disabled>
>         <skip_nfs>yes</skip_nfs>
>     </rootcheck>
>     <rules>
>         <decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
>         <rule_dir pattern=".xml$">etc/rules.d</rule_dir>
>         <list>etc/lists/audit-key</list>
>         <list>etc/lists/threat/threat1</list>
>         <list>etc/lists/threat/threat2</list>
>         <list>etc/lists/threat/threat3</list>
>         <list>etc/lists/threat/threat4</list>
>         <list>etc/lists/threat/threat5</list>
>         <list>etc/lists/threat/threat6</list>
>         <list>etc/lists/threat/threat7</list>
>         <list>etc/lists/threat/threat8</list>
>         <list>etc/lists/threat/threat9</list>
>         <list>etc/lists/threat/threat10</list>
>         <list>etc/lists/threat/threat11</list>
>         <list>etc/lists/threat/threat12</list>
>     </rules>
>     <sca>
>         <enabled>yes</enabled>
>         <scan_on_start>yes</scan_on_start>
>         <interval>12h</interval>
>         <skip_nfs>yes</skip_nfs>
>         <policies>
>             <policy>sca_unix_audit.yml</policy>
>             <policy>system_audit_pw.yml</policy>
>             <policy>system_audit_ssh.yml</policy>
>             <policy>cis_rhel7_linux.yml</policy>
>         </policies>
>     </sca>
>     <vulnerability-detector>
>         <enabled>yes</enabled>
>         <interval>5m</interval>
>         <ignore_time>6h</ignore_time>
>         <run_on_start>yes</run_on_start>
>         <provider name="canonical">
>             <os>precise</os>
>             <os>trusty</os>
>             <os>xenial</os>
>             <os>bionic</os>
>             <enabled>no</enabled>
>             <update_interval>1h</update_interval>
>         </provider>
>         <provider name="debian">
>             <os>wheezy</os>
>             <os>stretch</os>
>             <os>jessie</os>
>             <os>buster</os>
>             <enabled>no</enabled>
>             <update_interval>1h</update_interval>
>         </provider>
>         <provider name="redhat">
>             <enabled>yes</enabled>
>             <update_interval>1h</update_interval>
>             <update_from_year>2010</update_from_year>
>         </provider>
>         <provider name="nvd">
>             <enabled>yes</enabled>
>             <update_interval>1h</update_interval>
>             <update_from_year>2010</update_from_year>
>         </provider>
>     </vulnerability-detector>
>     <wodle name="open-scap">
>         <disabled>no</disabled>
>         <timeout>1800</timeout>
>         <interval>1d</interval>
>         <scan-on-start>yes</scan-on-start>
>         <content type="xccdf" path="ssg-centos-7-ds.xml">
>             <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
>             <profile>xccdf_org.ssgproject.content_profile_common</profile>
>         </content>
>         <content type="xccdf" path="ssg-rhel7-ds.xml">
>             <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
>             <profile>xccdf_org.ssgproject.content_profile_common</profile>
>         </content>
>         <content type="oval" path="com.redhat.rhsa-RHEL7.xml"></content>
>     </wodle>
>     <wodle name="syscollector">
>         <disabled>no</disabled>
>         <interval>1h</interval>
>         <scan_on_start>yes</scan_on_start>
>         <hardware>yes</hardware>
>         <os>yes</os>
>         <network>yes</network>
>         <packages>yes</packages>
>         <ports>yes</ports>
>         <processes>yes</processes>
>     </wodle>
> </ossec_config>
>
> /var/ossec/logs/ossec.log: 2021/03/23 10:05:58 ossec-analysisd: ERROR: 
> (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:05:58 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket 
> '/var/ossec/queue/db/wdb'.
> 2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'.
> 2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'
> 2021/03/23 10:05:58 ossec-modulesd: ERROR: Error querying OSSEC DB to get 
> the agent status.
> 2021/03/23 10:05:58 ossec-modulesd:database: ERROR: Couldn't get database 
> status for agent '0'.
> 2021/03/23 10:05:58 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
> 2021/03/23 10:05:59 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
> 2021/03/23 10:06:01 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:01 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
> 2021/03/23 10:06:01 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:01 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:01 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket 
> '/var/ossec/queue/db/wdb'.
> 2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'.
> 2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'
> 2021/03/23 10:06:04 ossec-modulesd: ERROR: Error querying OSSEC DB to get 
> the agent status.
> 2021/03/23 10:06:04 ossec-modulesd:database: ERROR: Couldn't get database 
> status for agent '0'.
> 2021/03/23 10:06:04 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
> 2021/03/23 10:06:04 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:04 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:04 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:04 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:05 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
> 2021/03/23 10:06:07 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
> 2021/03/23 10:06:07 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:08 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:08 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:08 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket 
> '/var/ossec/queue/db/wdb'.
> 2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'.
> 2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'
> 2021/03/23 10:06:10 ossec-modulesd: ERROR: Error querying OSSEC DB to get 
> the agent status.
> 2021/03/23 10:06:10 ossec-modulesd:database: ERROR: Couldn't get database 
> status for agent '0'.
> 2021/03/23 10:06:10 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
> 2021/03/23 10:06:11 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:11 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:11 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:11 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:11 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
> 2021/03/23 10:06:13 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
> 2021/03/23 10:06:14 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:14 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:14 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:14 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket 
> '/var/ossec/queue/db/wdb'.
> 2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'.
> 2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket 
> '/queue/db/wdb'
> 2021/03/23 10:06:16 ossec-modulesd: ERROR: Error querying OSSEC DB to get 
> the agent status.
> 2021/03/23 10:06:16 ossec-modulesd:database: ERROR: Couldn't get database 
> status for agent '0'.
> 2021/03/23 10:06:16 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
> 2021/03/23 10:06:17 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
> 2021/03/23 10:06:17 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:17 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:17 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:17 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:19 ossec-modulesd: INFO: Cannot find 
> '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
> 2021/03/23 10:06:20 ossec-db: CRITICAL: (2301): Definition not found for: 
> 'ossec_db.commit_time_min'.
> 2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for 
> element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
> 2021/03/23 10:06:21 ossec-analysisd: ERROR: (1202): Configuration error at 
> '/var/ossec/etc/ossec.conf'.
> 2021/03/23 10:06:21 ossec-analysisd: CRITICAL: (1202): Configuration error 
> at '/var/ossec/etc/ossec.conf'.
> Note ossec.log was too big to grab all of it. This is the last chunk of 
> lines.
>
> uname -a: Linux localhost.localdomain 3.10.0-1062.12.1.el7.x86_64 #1 SMP 
> Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>
> I think that is all the info the troubleshooting page suggests. If you 
> need more info, say so and I'll see if I can post it. If anyone has any 
> insight into this issue, I'd appreciate it.
>
