Purchase Linux CDs / DVDs / Flash Drives at OSDisc.com

Welcome to Our Community

While Linux.org has been around for a while, we recently changed management and had to purge most of the content (including users). If you signed up before April 23rd please sign up again. Thanks!

Regding OSSEC

Discussion in 'General Linux' started by vamsi_k, May 7, 2012.

  1. vamsi_k

    vamsi_k Guest


    Installed OSSEC server version 2.6 in Cent OS 6.2 and agents are web servers

    installed in chroot environment.

    Moreover ossec server and apache (web servers are agents) are installed in separate machines.

    In ossec.conf file, added below configuration in both server and agent.


    Already in decoder.xml and in rules folder apache related configuration is set

    by default.

    Problem : Ossec is not working for apache logs, not even generating

    mails related to Apache errors , rest of the ossec part is working as needed.

    Please guide me what has to be done to solve the issue.

  2. My guess is that Apache is running outside of the chroot environment, so the OSSEC agents can't see the logs. Try running OSSEC in a virtual machine that can still access the system running the Apache server, or if in the chroot environment, treat the root system as a remote system, even if you use localhost as the system address.
  3. vamsi_k

    vamsi_k Guest

    Ossec and apache are installed in separate machines, in such a way that ossec can access apache as needed.

    Note : Only apache is installed in chroot environment.

    Moreover please let me know what has to cross checked to solve this part.
  4. ehansen

    ehansen Guest

    So, is OSSEC in a chroot environment as well, or no? What you said originally contradicts your newer statement. However, this makes a big difference.

    How is OSSEC set up, exactly? You should have an OSSEC server set up on one machine, and a sensor/agent set up on the Apache machine. If this is correct, then the sensor should not be chroot'ed, but should have access rights to Apache's logs.

    Sounds like a permissions issue for Apache's logs myself. What's the output when you run this command:
    It could be that OSSEC just does not have access rights to either /chroot or some subdirectory of that. Espcially if OSSEC is working correctly everywhere else.

Share This Page