Hi Dan,

Sorry for the late response. I had gone on to other things and somehow missed that you had replied.

ossec-agentd is running when the error occurs. Not receiving anything from the agent on the manager, other than acknowledgment that the agent is connected.

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: saint (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: db00, IP: 10.99.254.245, Active
   ID: 002, Name: T002_2-10.99.254.55, IP: 10.99.254.55, Active
   ID: 003, Name: T002-10.99.254.79, IP: 10.99.254.79, Active
   ID: 005, Name: pcilona, IP: 10.99.254.236, Active

pcilona is the HP-UX box:

[r...@saint rids]# agent_control -i 005

OSSEC HIDS agent_control. Agent information:
   Agent ID:   005
   Agent Name: pcilona
   IP address: 10.99.254.236
   Status:     Active

   Operating system:    HP-UX pcilona B.11.23 U 9000/800
   Client version:      OSSEC HIDS v2.2
   Last keep alive:     Thu Nov 26 14:17:25 2009

   Syscheck last started at:  Unknown
   Rootcheck last started at: Unknown

After I followed your instructions I did manage to query the agent's syscheck db. I don't know whether that was working before though.

[r...@saint rids]# syscheck_control -i 005

Integrity changes for agent 'pcilona (005) - 10.99.254.236':

Changes for 2009 Nov 26:
2009 Nov 26 13:50:03,0 - /var/ossec/etc/internal_options.conf
2009 Nov 26 14:04:54,0 - /var/ossec/etc/internal_options.conf

Here is the output you asked for:

# ../bin/ossec-control stop
ossec-logcollector not running ..
ossec-syscheckd not running ..
ossec-agentd not running ..
ossec-execd not running ..
OSSEC HIDS v2.2 Stopped
# ps -ef | grep ossec
# ls
ossec.log
# rm ossec.log
# ls
# /var/ossec/bin/ossec-agentd -d -d
2009/11/26 14:29:07 ossec-agentd: DEBUG: Starting ...
# /var/ossec/bin/ossec-logcollector
# /var/ossec/bin/ossec-syscheckd
# tail -f ossec.log
2009/11/26 14:29:11 ossec-syscheckd: INFO: Started (pid: 7201).
2009/11/26 14:29:11 ossec-rootcheck: INFO: Started (pid: 7201).
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2009/11/26 14:29:13 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog'.
2009/11/26 14:29:13 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
2009/11/26 14:29:13 ossec-logcollector: INFO: Started (pid: 7198).
2009/11/26 14:29:43 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/11/26 14:33:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/11/26 14:35:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/11/26 14:36:15 ossec-syscheckd: socket busy ..
2009/11/26 14:36:25 ossec-syscheckd: socket busy ..
2009/11/26 14:36:25 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:36:34 ossec-syscheckd: socket busy ..
2009/11/26 14:36:44 ossec-syscheckd: socket busy ..
2009/11/26 14:36:44 ossec-syscheckd: socketerr (not available).
2009/11/26 14:36:44 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:36:53 ossec-syscheckd: socket busy ..
2009/11/26 14:37:03 ossec-syscheckd: socket busy ..
2009/11/26 14:37:03 ossec-syscheckd: socketerr (not available).
2009/11/26 14:37:03 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:37:12 ossec-syscheckd: socket busy ..
2009/11/26 14:37:22 ossec-syscheckd: socket busy ..
2009/11/26 14:37:22 ossec-syscheckd: socketerr (not available).
2009/11/26 14:37:22 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:37:31 ossec-syscheckd: socket busy ..
2009/11/26 14:37:41 ossec-syscheckd: socket busy ..
2009/11/26 14:37:41 ossec-syscheckd: socketerr (not available).
2009/11/26 14:37:41 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:37:50 ossec-syscheckd: socket busy ..
2009/11/26 14:38:00 ossec-syscheckd: socket busy ..
2009/11/26 14:38:00 ossec-syscheckd: socketerr (not available).
2009/11/26 14:38:00 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:38:09 ossec-syscheckd: socket busy ..
2009/11/26 14:38:19 ossec-syscheckd: socket busy ..
2009/11/26 14:38:21 ossec-syscheckd: socketerr (not available).
2009/11/26 14:38:21 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:38:30 ossec-syscheckd: socket busy ..
2009/11/26 14:38:40 ossec-syscheckd: socket busy ..
2009/11/26 14:38:40 ossec-syscheckd: socketerr (not available).
2009/11/26 14:38:40 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:38:49 ossec-syscheckd: socket busy ..
2009/11/26 14:38:59 ossec-syscheckd: socket busy ..
2009/11/26 14:38:59 ossec-syscheckd: socketerr (not available).
2009/11/26 14:38:59 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:39:08 ossec-syscheckd: socket busy ..
2009/11/26 14:39:18 ossec-syscheckd: socket busy ..
2009/11/26 14:39:18 ossec-syscheckd: socketerr (not available).
2009/11/26 14:39:18 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:39:27 ossec-syscheckd: socket busy ..
2009/11/26 14:39:37 ossec-syscheckd: socket busy ..
2009/11/26 14:39:37 ossec-syscheckd: socketerr (not available).
2009/11/26 14:39:37 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:39:46 ossec-syscheckd: socket busy ..
2009/11/26 14:39:56 ossec-syscheckd: socket busy ..
2009/11/26 14:39:56 ossec-syscheckd: socketerr (not available).

On Nov 5, 4:09 pm, Daniel Cid <[email protected]> wrote:
> Hey,
>
> It seems that for some reason the agentd queue is getting full (or
> being shut down). Can you check that ossec-agentd is running?
>
> Plus, are you receiving anything from that agent on the manager? It
> might be a good idea to enable debug to see what is happening...
>
> To run in debug mode, just stop ossec and do:
>
> # /var/ossec/bin/ossec-agentd -d -d
> # /var/ossec/bin/ossec-logcollector
> # /var/ossec/bin/ossec-syscheckd
>
> So we will see the debug of agentd.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Nov 2, 2009 at 5:03 AM, Heyzoos <[email protected]> wrote:
> > Hi Michael,
> >
> > Yes, I chose a server install on the manager. # = the agent in this
> > case. metis = the manager.
> >
> > Regards,
> > Dan
> >
> > On Nov 1, 9:24 pm, Michael Starks <[email protected]> wrote:
> >> Heyzoos wrote:
> >> > # cat /etc/ossec-init.conf
> >> > DIRECTORY="/var/ossec"
> >> > VERSION="v2.2"
> >> > DATE="Thu Oct 29 13:25:52 GMT 2009"
> >> > TYPE="agent"
> >> > # DIRECTORY="/var/ossec"
> >> > # VERSION="v2.2"
> >> > # DATE="Thu Oct 29 13:25:52 GMT 2009"
> >> > # TYPE="agent"
> >> > # # cat /etc/ossec-init.conf
> >> > # DIRECTORY="/var/ossec"
> >> > # VERSION="v2.2"
> >> > # DATE="Thu Oct 29 13:25:52 GMT 2009"
> >> > # TYPE="agent"
> >>
> >> Did you choose a server install on the OSSEC manager?
> >>
> >> > # netstat -a | grep udp
> >> > udp        0      0  m87s00.54249       10.99.254.31.1514
> >> > udp        0      0  *.2121             *.*
> >> > udp        0      0  *.2148             *.*
> >> > udp        0      0  *.135              *.*
> >> > udp        0      0  localhost.49166    localhost.49166
> >> > udp        0      0  *.*                *.*
> >>
> >> Is this on the server or an agent?
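The debug run above produces a long stretch of "socket busy", "socketerr (not available)" and error 1224 lines, and the useful question is when they start relative to syscheckd's scan phases (pre-scan, then "forwarding database"). The script below is an added example for triaging such an ossec.log, written for this page; it is not from the thread or from OSSEC. It assumes only the record layout visible in the log ("YYYY/MM/DD HH:MM:SS daemon(code): message", code optional) and the default agent log path /var/ossec/logs/ossec.log; the verdict strings are this example's own heuristic, not OSSEC output, and the embedded sample is constructed from the lines quoted above rather than captured from a host.

```python
"""Triage an OSSEC agent's ossec.log for syscheckd -> ossec-agentd queue failures.

Added example (not from the mailing-list thread and not OSSEC's own code).
OSSEC writes one record per line as "YYYY/MM/DD HH:MM:SS daemon(code): message";
the parenthesised code is optional. ossec-syscheckd records are sorted into scan
phases and queue-failure symptoms, and the summary says when the failures began
relative to the "forwarding database" phase. Verdict text is this example's own
heuristic, not an OSSEC diagnosis.
"""
import json
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
2009/11/26 14:29:07 ossec-agentd: DEBUG: Starting ...
2009/11/26 14:29:11 ossec-syscheckd: INFO: Started (pid: 7201).
2009/11/26 14:29:11 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/11/26 14:29:13 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
2009/11/26 14:29:13 ossec-logcollector: INFO: Started (pid: 7198).
2009/11/26 14:29:43 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/11/26 14:33:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/11/26 14:35:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/11/26 14:36:15 ossec-syscheckd: socket busy ..
2009/11/26 14:36:25 ossec-syscheckd: socket busy ..
2009/11/26 14:36:25 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/11/26 14:36:34 ossec-syscheckd: socket busy ..
2009/11/26 14:36:44 ossec-syscheckd: socket busy ..
2009/11/26 14:36:44 ossec-syscheckd: socketerr (not available).
2009/11/26 14:36:44 ossec-syscheckd(1224): ERROR: Error sending message to queue.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)


def parse(text):
    """Yield (timestamp, daemon, code or None, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and noise are skipped, not fatal
        yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["daemon"], m["code"], m["msg"]


def triage(text):
    """Return a summary dict of syscheckd queue failures found in the log text."""
    phases = {}
    counts = Counter()
    first_failure = last_failure = None
    for ts, daemon, code, msg in parse(text):
        if daemon != "ossec-syscheckd":
            continue
        if "Starting syscheck database (pre-scan)" in msg:
            phases["prescan_start"] = ts
        elif "pre-scan completed" in msg:
            phases["prescan_end"] = ts
        elif "forwarding database" in msg:
            phases["forward_start"] = ts
        # The three symptoms the thread's log shows, counted separately.
        failure = None
        if msg.startswith("socket busy"):
            failure = "socket_busy"
        elif msg.startswith("socketerr"):
            failure = "socketerr"
        elif code == "1224":
            failure = "queue_send_error"
        if failure:
            counts[failure] += 1
            first_failure = first_failure or ts
            last_failure = ts

    forward_start = phases.get("forward_start")
    offset = None
    if first_failure and forward_start:
        offset = int((first_failure - forward_start).total_seconds())
    summary = {
        "socket_busy": counts["socket_busy"],
        "socketerr": counts["socketerr"],
        "queue_send_error": counts["queue_send_error"],
        "forward_start": forward_start,
        "first_failure": first_failure,
        "last_failure": last_failure,
        "seconds_after_forward_start": offset,
    }
    summary["verdict"] = verdict(summary)
    return summary


def verdict(s):
    """Heuristic reading of the counts (this example's own, not an OSSEC diagnosis)."""
    if s["queue_send_error"] == 0 and s["socketerr"] == 0:
        return "no queue failures: syscheckd is reaching the ossec-agentd queue"
    if s["seconds_after_forward_start"] is not None and s["seconds_after_forward_start"] >= 0:
        return ("queue failed during database forwarding: confirm ossec-agentd is running "
                "and that the manager receives this agent's events, then rerun with -d -d")
    return "queue failures before any forwarding phase: check ossec-agentd startup first"


if __name__ == "__main__":
    # Usage: python ossec_queue_triage.py [/var/ossec/logs/ossec.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(text), indent=2, default=str))
```

Run against the sample it reports 4 "socket busy", 1 "socketerr" and 2 error-1224 records, with the first failure 27 seconds into the forwarding phase, which matches the pattern in the full log above: the pre-scan completes cleanly and the failures only begin once syscheckd starts pushing the database through the agentd queue.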
