Hello all
I have a problem after upgrading my OSSEC Server from V2.2 to 2.3. Once I issued the initscript I got the following error:

/etc/init.d/ossec start
Starting OSSEC HIDS v2.3 (by Trend Micro Inc.)...
Deleting PID file '/var/ossec/var/run/ossec-logcollector-5133.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-remoted-5138.pid' not used...
Deleting PID file '/var/ossec/var/run/ossec-remoted-5140.pid' not used...
ossec-maild already running...
ossec-execd already running...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2010/01/25 15:09:12 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 15:09:12 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 15:09:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 15:09:20 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 15:09:33 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 15:09:33 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

My log output looks like the following:

2010/01/25 14:17:35 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/01/25 14:17:35 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2010/01/25 14:17:35 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/01/25 14:17:35 rules_list: Signature ID '30114' not found. Invalid 'if_sid'.
2010/01/25 14:17:35 ossec-maild: INFO: Started (pid: 5120).
2010/01/25 14:17:35 ossec-execd: INFO: Started (pid: 5125).
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading local decoder file.
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2010/01/25 14:17:35 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2010/01/25 14:17:35 rules_list: Signature ID '30114' not found. Invalid 'if_sid'.
2010/01/25 14:17:35 ossec-remoted: INFO: Started (pid: 5137).
2010/01/25 14:17:35 ossec-remoted: Remote syslog allowed from: 'xxx.xxx.xxx.xxx/16'
2010/01/25 14:17:35 ossec-remoted: INFO: Started (pid: 5138).
2010/01/25 14:17:35 ossec-remoted: INFO: Started (pid: 5140).
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2010/01/25 14:17:35 ossec-rootcheck: System audit file not configured.
2010/01/25 14:17:38 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:38 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2010/01/25 14:17:38 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:38 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2010/01/25 14:17:38 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:38 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:44 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:44 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2010/01/25 14:17:46 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:46 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:59 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/01/25 14:17:59 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

The users ossec, ossecr and ossecm are still available on the system; I have checked that. What can cause this issue and how can I fix this?

Greets
Thomas
