Ich habe die Lösung im Web gefunden.
Das Ganze muss so aussehen:
---
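<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  SMF manifest for the OSSEC daemons installed under /var/ossec/bin.

  Defines the service 'site/ossec' with one instance per daemon
  (execd, agentd, logcollector, syscheckd). Each daemon binary is
  started directly; ossec-control is not used.

  Review notes:
  * No method_context is declared anywhere in this manifest, so the
    start methods run with the SMF default credentials (normally root).
    Keep /var/ossec/bin, the four binaries and /var/ossec/etc/ossec.conf
    owned by root and not writable by other users, since whoever can
    replace them controls what runs at boot.
  * The instances declare no dependencies on each other, so SMF is free
    to start them in any order. NOTE(review): confirm that logcollector
    and syscheckd tolerate being started before agentd.
-->
<service_bundle type='manifest' name='ossec'>
  <service name='site/ossec' type='service' version='1'>
    <single_instance />

    <!-- Local file systems must be mounted: everything lives in /var/ossec. -->
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>

    <!-- optional_all: only waited for when autofs is enabled on this host. -->
    <dependency name='fs-autofs' grouping='optional_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/autofs' />
    </dependency>

    <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/loopback' />
    </dependency>

    <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/physical' />
    </dependency>

    <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/cryptosvc' />
    </dependency>

    <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/utmp' />
    </dependency>

    <!--
      Path dependency: the service is not started unless the OSSEC
      configuration file exists.
    -->
    <dependency name='main-file' grouping='require_all' restart_on='restart' type='path'>
      <service_fmri value='file://localhost/var/ossec/etc/ossec.conf' />
    </dependency>

    <!-- Makes the multi-user-server milestone wait for this service when it is enabled. -->
    <dependent name='ossec_multi-user-server' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/milestone/multi-user-server' />
    </dependent>

    <property_group name='startd' type='framework'>
      <!--
        Core dumps and externally sent signals inside the service contract
        are not treated as service faults.
        NOTE(review): the original comment here spoke of a 'session', which
        suggests the setting was copied from another manifest. For a
        security monitoring daemon, confirm that a crashed or killed
        process is still noticed and restarted, otherwise monitoring can
        stop silently.
      -->
      <propval name='ignore_error' type='astring' value='core,signal' />
    </property_group>

    <!-- ossec-execd -->
    <instance name='execd' enabled='true'>
      <exec_method type='method' name='start'
                   exec='/var/ossec/bin/ossec-execd'
                   timeout_seconds='60' />
      <!-- :kill signals every process in the instance's contract. -->
      <exec_method type='method' name='stop'
                   exec=':kill'
                   timeout_seconds='60' />
    </instance>

    <!-- ossec-agentd -->
    <instance name='agentd' enabled='true'>
      <exec_method type='method' name='start'
                   exec='/var/ossec/bin/ossec-agentd'
                   timeout_seconds='60' />
      <exec_method type='method' name='stop'
                   exec=':kill'
                   timeout_seconds='60' />
    </instance>

    <!-- ossec-logcollector -->
    <instance name='logcollector' enabled='true'>
      <exec_method type='method' name='start'
                   exec='/var/ossec/bin/ossec-logcollector'
                   timeout_seconds='60' />
      <exec_method type='method' name='stop'
                   exec=':kill'
                   timeout_seconds='60' />
    </instance>

    <!-- ossec-syscheckd -->
    <instance name='syscheckd' enabled='true'>
      <exec_method type='method' name='start'
                   exec='/var/ossec/bin/ossec-syscheckd'
                   timeout_seconds='60' />
      <exec_method type='method' name='stop'
                   exec=':kill'
                   timeout_seconds='60' />
    </instance>

    <stability value='Unstable' />

    <template>
      <!--
        NOTE(review): the label says 'server', but the instances above
        include ossec-agentd; adjust the label if this host is an agent.
      -->
      <common_name>
        <loctext xml:lang='C'>
          OSSEC server
        </loctext>
      </common_name>
      <documentation>
        <!-- The URI is kept on one line: a line break inside the attribute would become a space in the value. -->
        <doc_link name='ossec.net' uri='http://www.ossec.net/en/manual.html' />
      </documentation>
    </template>
  </service>
</service_bundle>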
---
Das Manifest enthält ein paar weitere Abhängigkeiten und ruft nicht ossec-control auf, sondern startet die Daemons einzeln. Da hätte ich auch mal drauf kommen können.
danke für eure Hilfe