Hi Barry, 

the AR queue is managed by process *ossec-remoted*. Please confirm that 
it's up with:

/var/ossec/bin/ossec-control status


And take a look at the ossec.log file:

grep ossec-remoted /var/ossec/logs/ossec.log | tail -n 20


The *ossec-remoted* process dies if file */var/ossec/etc/client.keys* is 
empty. Please check that you have registered at least one agent.

Hope it helps.

Best regards.


On Monday, March 6, 2017 at 10:17:41 AM UTC-8, Barry Kaplan wrote:
>
> The ec2 instance that was running the ossec server died. I rebuilt the 
> instance, remounted the disk that had the ossec data files. The server is 
> up, and 'bin/agent_control  -l' shows all the agents. But agents cannot 
> connect.
>
> I have tried restarting agents. I have also updated the client.key. And I 
> have manually unregistered the client and tried to reregister. This last 
> bit failed with
>
> ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection 
> refused'.
>
> I'm not sure which queue that is referring to, the one on the agent or the 
> server. 
>
> But when I start the server I do get these errors
>
> 2017/03/06 17:51:21 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
> not accessible: 'Connectio
> 2017/03/06 17:51:21 ossec-analysisd(1301): ERROR: Unable to connect to 
> active response queue.
> 2017/03/06 17:51:21 ossec-analysisd: INFO: Connected to 
> '/queue/alerts/execq' (exec queue)
>
> Not sure why this is. Could it be file ownership
>
> srw-rw----  1 ossecr ossec    0 Mar  6 17:51 ar=
> srw-rw----  1 root   ossec    0 Mar  6 17:51 execq=
>
> Should all the queues be owned by ossec?
>
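
The checks suggested in the reply above, combined into one script. This is an added example, not part of the original thread or of OSSEC itself. It assumes client.keys holds one agent per line as four whitespace-separated fields (ID NAME IP KEY); the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for the "Queue '/queue/alerts/ar' not accessible" error.
# Paths follow the thread: install dir /var/ossec, AR socket queue/alerts/ar.

# Print the number of agent entries in <dir>/etc/client.keys.
# Assumption: a valid entry is "ID NAME IP KEY" with a numeric ID.
count_agent_keys() {
    keys="$1/etc/client.keys"
    [ -r "$keys" ] || { echo 0; return; }
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$keys"
}

# Return 0 if the AR queue should be usable,
#        1 if client.keys has no agents (ossec-remoted exits on start),
#        2 if keys exist but the AR socket is absent (remoted not running).
check_ar_queue() {
    dir="${1:-/var/ossec}"
    n=$(count_agent_keys "$dir")
    if [ "$n" -eq 0 ]; then
        echo "no agent entries in $dir/etc/client.keys" >&2
        return 1
    fi
    if [ ! -S "$dir/queue/alerts/ar" ]; then
        echo "AR socket $dir/queue/alerts/ar missing; check ossec-remoted" >&2
        return 2
    fi
    echo "ok: $n agent key(s), AR socket present"
    return 0
}
```

Run `check_ar_queue` as root on the server; on return code 2, the `grep ossec-remoted` command from the reply shows why the process stopped.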
