2

I'm trying to set up OSSEC on a CemtOS 6.5 server. This is to be installed as an agent, not a server or local instance. The package successfully installed and I created the clients.key file, but when I try to start the daemon I receive the error 

error: queue not accessible (/var/ossec/etc/queue/ossec) connection refused

The log file is of no help. I've never worked with OSSEC and unfortunately the documentation seems weak.

After googling this for a bit, most of the people with this issue have some permissions incorrectly set. I don't think that's the case for me though because I 777'd everything in the OSSEC directory structure and made sure all files and dirs were owned by the ossec user.

In my research, some times the problem is caused by errors in the rules file. To my knowledge, I don't have a rules file. Maybe that's the issue?

I also opened UDP ports 514 and 1514 for both inbound and outbound traffic. I didn't know to do this at first, but in reading the documentation I think this is necessary in order to communicate with the OSSEC server.

Any help is greatly appreciated.

Liam
  • 164
  • 2
  • 6
  • I ended up solving this by grabbing ossec from the atomic repo. I had been compiling it from source. Not sure what the difference is, but I got it working. – Liam Nov 15 '14 at 22:20

2 Answers2

1

It seems that during the installation process, the directory was chosen incorrectly. The queue socket is usually located at /var/ossec/queue/ossec/queue (if installed in /var).

Another possibility is, that the ossec-analysisd is not running and therefore the socket is not created properly.

Sources: http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#what-does-1210-queue-not-accessible-mean

kubanczyk
  • 13,502
  • 5
  • 40
  • 55
Lars
  • 484
  • 5
  • 19
0

  • By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).

    • They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.

    • Do you want to enable the firewall-drop response? (y/n) [y]:

When this dialog appears type n . Enabling firewall is the root cause of this error. Removed the old installation with rm -rf /var/ossec from both server and agents & reinstall.

Hope it helps somebody

SaGeSpidy
  • 1
  • 1