On Fri, Dec 3, 2010 at 1:27 PM, Nicholas Ritter <[email protected]> wrote:
> I started getting queue and connection errors on my ossec 2.5.1 server that
> I can't seem to resolve. I tried a solution on the FAQ, but that only temp.
> fixed the error. Here is a sample of the ossec.log file:
>
> 2010/12/03 12:17:34 ossec-logcollector: INFO: (unix_domain) Maximum send
> buffer set to: '110592'.
> 2010/12/03 12:17:34 ossec-logcollector: DEBUG: Entering LogCollectorStart().
> 2010/12/03 12:17:34 ossec-logcollector: INFO: Started (pid: 4583).
> 2010/12/03 12:18:24 ossec-remoted: socketerr (not available).
> 2010/12/03 12:18:24 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2010/12/03 12:18:27 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2010/12/03 12:18:27 ossec-remoted(1211): ERROR: Unable to access queue:
> '/queue/ossec/queue'. Giving up..
> 2010/12/03 12:18:34 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 12:18:34 ossec-syscheckd: socketerr (not available).
> 2010/12/03 12:18:34 ossec-syscheckd(1224): ERROR: Error sending message to
> queue.
> 2010/12/03 12:18:37 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2010/12/03 12:18:37 ossec-syscheckd(1211): ERROR: Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
> 2010/12/03 12:19:49 ossec-logcollector: socketerr (not available).
> 2010/12/03 12:22:05 ossec-logcollector: socketerr (not available).
> 2010/12/03 12:24:21 ossec-logcollector: socketerr (not available).
>
> The ossec server was working fine; the only change made to it recently was my
> adding some rules to the local rules xml file that changed thresholding,
> etc. During those rule edits, I had some issues that popped up with the
> rules themselves due to syntax errors (which were reported during ossec service
> restart).
>
> I am running OSSEC 2.5.1 on CentOS 5.5. The log above is with debugging set
> to 2. The only thing I have tried so far is doing an ossec server restart
> and checking to make sure there were no stale pid files.
>
> Any suggestions?
>
>
>

Remove the changes you made to the local_rules.xml file and try again.
If that works, you have an issue with your rules.
You can comment them all out, and uncomment them one by one
(restarting in between) to figure out which one is giving you issues.
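
Added example, not part of the original thread and not OSSEC project code: a Python sketch of the one-by-one procedure suggested above, which re-enables the rules in a rules file cumulatively and reports the ones that stop the file from loading. The names `isolate_bad_rules`, `render`, `well_formed` and the `SAMPLE` rules are hypothetical and constructed; `well_formed` only checks XML well-formedness as a stand-in, so on a real server pass a `loads_ok` callable that writes the candidate to local_rules.xml and reports whether OSSEC starts cleanly with it.

```python
import re
import xml.etree.ElementTree as ET

# A rule block ends at </rule>, or just before the next <rule>/</group> if its close tag is broken.
RULE_RE = re.compile(r"<rule\b.*?(?:</rule>|(?=<rule\b)|(?=</group>))", re.S)

def render(text, spans, keep):
    """Rebuild the file with only the rule blocks whose index is in `keep`."""
    out, pos = [], 0
    for i, (start, end) in enumerate(spans):
        out.append(text[pos:start])
        if i in keep:
            out.append(text[start:end])
        pos = end
    return "".join(out) + text[pos:]

def isolate_bad_rules(text, loads_ok):
    """Re-enable rules one by one; return the ids of the rules that make loading fail."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # ignore rules already commented out
    spans = [m.span() for m in RULE_RE.finditer(text)]
    enabled, bad = set(), []
    for i, (start, end) in enumerate(spans):
        if loads_ok(render(text, spans, enabled | {i})):
            enabled.add(i)  # keep it on so later rules that reference it still load
        else:
            m = re.search(r'id="(\d+)"', text[start:end])
            bad.append(m.group(1) if m else f"rule #{i + 1}")
    return bad

def well_formed(candidate):
    """Stand-in checker (assumption): XML well-formedness only, not OSSEC's own rule parser."""
    try:
        ET.fromstring(candidate)
        return True
    except ET.ParseError:
        return False

# Constructed sample rules file; rule 100002 has a mistyped closing tag.
SAMPLE = """<group name="local,">
  <rule id="100001" level="5"><if_sid>5716</if_sid>
    <description>constructed sample A</description></rule>
  <rule id="100002" level="7" frequency="4" timeframe="60"><if_matched_sid>100001</if_matched_sid>
    <description>constructed sample B</descripton></rule>
  <rule id="100003" level="3"><if_sid>100001</if_sid>
    <description>constructed sample C</description></rule>
</group>"""

if __name__ == "__main__":
    print(isolate_bad_rules(SAMPLE, well_formed))
```
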
