Issue
The ossec-hids service status may contain events from logrotate that look like this:
uid:root(0)/root(0) cwd:/var/ossec/bin filename:/bin/grep]: grep ossec
uid:root(0)/root(0) cwd:/var/ossec/bin filename:/bin/ps]: ps -p 13142
These can be seen from logrotate directly as well:
logrotate -vf /etc/logrotate.d/ossec-hids
Environment
- Ubuntu 18
- Imunify360 6.7
- OSSEC
- LogRotate
Solution
It is a known issue, and it will be fixed globally in the Imunify360 6.9 release.
As a workaround, remove the if section after postrotate in the configuration file /etc/logrotate.d/ossec-hids and replace it with a single line, as follows:
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null
endscript
}
Using the binaries directly in this System-V style causes further issues, because systemd is not aware of the service status.
Cause
The issue is caused by the following section in the configuration file:
postrotate
if service ossec-hids status &> /dev/null ; then \
service ossec-hids restart &> /dev/null; \
fi;
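The workaround from the Solution section as a script, added here as an example and not taken from Imunify360. The function names and the sample config (apart from its postrotate body) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Imunify360 code. fix_ossec_postrotate and sample_config
# are hypothetical names; the sample config below is constructed.

# Print FILE with the "if service ossec-hids status" section inside
# postrotate replaced by the single ossec-control line from the workaround.
fix_ossec_postrotate() {
    awk '
        # Track whether we are inside a postrotate ... endscript block.
        /^[ \t]*postrotate[ \t]*$/ { in_post = 1; print; next }
        /^[ \t]*endscript[ \t]*$/  { in_post = 0; in_if = 0; print; next }
        # First line of the if section: emit the replacement, keeping indent.
        in_post && !in_if && /^[ \t]*if[ \t]+service[ \t]+ossec-hids[ \t]+status/ {
            indent = $0
            sub(/[^ \t].*$/, "", indent)
            print indent "/var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null"
            in_if = 1
            next
        }
        # Drop the rest of the if section, up to and including the closing fi.
        in_if { if ($0 ~ /^[ \t]*fi;?[ \t]*$/) in_if = 0; next }
        { print }
    ' "$1"
}

# Constructed input: only the postrotate body is taken from the page.
sample_config() {
    cat <<'EOF'
/var/ossec/logs/example.log {
    missingok
    postrotate
        if service ossec-hids status &> /dev/null ; then \
            service ossec-hids restart &> /dev/null; \
        fi;
    endscript
}
EOF
}

# When run as a script with a path argument, print the fixed config.
if [ "$#" -gt 0 ]; then fix_ossec_postrotate "$1"; fi
```

Write the output to a file outside /etc/logrotate.d and dry-run it with logrotate -d before replacing the original; a config that no longer contains the if section passes through unchanged.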