I have seen this happen on FreeBSD systems using OSSEC 2.8.3. The issue is usually an inability to write the ar socket, but the error message in the logs/ossec.log file can be any number of things. It is caused by a permission issue with the sockets used for the queues, and shows up in both OSSEC and its WAZUH counterpart. The way to rectify this is to stop OSSEC and make sure you have the following ownership and permissions for the following directories:

queue - user root, group ossec, chmod 550
queue/alerts - user ossec, group ossec, chmod 777
queue/ossec - user ossec, group ossec, chmod 750

In addition, the sockets found in the ossec/alerts directory should be as follows:

ar - user ossecr, group ossec
execq - user root, group ossec

If the ownership of the sockets is not correct, you can just delete those files (ar and execq) and restart OSSEC and they will be recreated. They should be 660 for permissions, but the permissions get set when the sockets are created. If you delete the sockets, make sure you do this after you have stopped OSSEC and made sure the directory ownership and permissions are set as specified above.

FreeBSD has a sockstat command that you can use to see the owner, program, and port that is active on the system.

Best,
Dave Stoddard
Network Alarm Corporation
https://networkalarmcorp.com
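
The ownership and mode values listed in the message above can be checked in one pass before restarting OSSEC. This is an added example, not part of the original message or of OSSEC itself; the function names are hypothetical, the install root is passed as an argument, and it assumes the ar and execq sockets sit in queue/alerts under that root.

```shell
#!/bin/sh
# Added example: audit OSSEC queue paths against the values in the message.
# Usage (install root is an assumption): sh audit_queue.sh /var/ossec

# Print "owner group mode" for a path; try GNU stat, then BSD/FreeBSD stat.
path_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1" 2>/dev/null
}

# check_entry PATH OWNER GROUP MODE -> 0 if everything matches, 1 otherwise.
check_entry() {
    meta=$(path_meta "$1") || { echo "MISSING $1"; return 1; }
    if [ "$meta" = "$2 $3 $4" ]; then
        echo "OK      $1 ($meta)"
    else
        echo "BAD     $1: have '$meta', want '$2 $3 $4'"
        return 1
    fi
}

# Walk the table from the message; exit status is the number of mismatches.
audit_ossec_queue() {
    root=$1
    bad=0
    while read -r rel owner group mode; do
        check_entry "$root/$rel" "$owner" "$group" "$mode" || bad=$((bad + 1))
    done <<EOF
queue root ossec 550
queue/alerts ossec ossec 777
queue/ossec ossec ossec 750
queue/alerts/ar ossecr ossec 660
queue/alerts/execq root ossec 660
EOF
    return "$bad"
}

# Run the audit only when an install root is given on the command line.
if [ $# -gt 0 ]; then audit_ossec_queue "$1"; fi
```

A socket reported as MISSING while OSSEC is stopped is expected if it was deleted; it is recreated on restart.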