I have a problem regarding running OSSEC agent (v.2.1.1) on HP-UX (11.23, ia64). The agent itself installed and started ok, no visible problems. The agent start/connection event is visible on OSSEC management server (also v.2.1.1). However after the startup, the agent fails to send anything to the server, the daemons remain functional, it just doesn't seem to be able to send the collected data. Here is the relevant part from the agent's ossec.log:

------------------
2009/08/17 13:13:50 ossec-agentd(1410): INFO: Reading authentication keys file.
2009/08/17 13:13:50 ossec-agentd: INFO: Started (pid: 2007).
2009/08/17 13:13:50 ossec-agentd: INFO: Server IP Address: xx.xx.xx.xx
2009/08/17 13:13:50 ossec-agentd: INFO: Trying to connect to server (xx.xx.xx.xx:1514).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-rootcheck: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
2009/08/17 13:13:56 ossec-logcollector: INFO: Started (pid: 2011).
2009/08/17 13:13:56 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2009/08/17 13:14:11 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2009/08/17 13:14:11 ossec-agentd(4102): INFO: Connected to the server (xx.xx.xx.xx:1514).
2009/08/17 13:14:26 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/08/17 13:18:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/08/17 13:20:43 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/08/17 13:21:10 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:29 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socketerr (not available).
2009/08/17 13:21:39 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:48 ossec-syscheckd: socket busy ..
2009/08/17 13:21:58 ossec-syscheckd: socket busy ..
--------snipity-snip----------
2009/08/17 13:32:10 ossec-logcollector: socketerr (not available).
2009/08/17 13:32:10 ossec-logcollector(1224): ERROR: Error sending message to queue.
2009/08/17 13:32:29 ossec-logcollector: socket busy ..
--------snipity-snip----------

...and so on, it repeats with no end in sight. Nothing is visible on the server side (both the webUI and logs), except that after a while it just says "Ossec agent disconnected.". There are other agents (albeit those are Linux and Windows) running with the same management server without any problems. Both servers can communicate otherwise (ICMP, SSH etc.), and there is no significant load on the servers or the network between them.

I fruitlessly tried to search the mailing list and other places, but nobody seems to have had similar problems, or nobody answered those who did. Is this a bug of some sort, or does something extra need to be tweaked/configured for the OSSEC agent to work properly on HP-UX?
