I have edited the agent's internal_options.conf and enable the debug mode, the messages that I received is as follows:
The ids server is able to bring up, but it is down within one hour of operation, any suggestions, thanks. 2011/01/10 06:28:05 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:07 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2011/01/10 06:28:07 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2011/01/10 06:28:07 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:09 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:11 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:13 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:15 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:17 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:19 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:21 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:23 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:25 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:28 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:30 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:32 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:34 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:36 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:38 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:40 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:41 ossec-syscheckd: socket busy .. 2011/01/10 06:28:42 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:44 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:46 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:48 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:50 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:51 ossec-syscheckd: socket busy .. 2011/01/10 06:28:51 ossec-syscheckd(1224): ERROR: Error sending message to queue. 2011/01/10 06:28:52 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:54 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:56 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:28:58 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:00 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:00 ossec-syscheckd: socket busy .. 2011/01/10 06:29:02 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:04 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:06 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:08 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:10 ossec-logcollector: Message not complete. Trying again: '' 2011/01/10 06:29:10 ossec-syscheckd: socket busy .. 2011/01/10 06:29:10 ossec-syscheckd: socketerr (not available). 2011/01/10 06:29:10 ossec-syscheckd(1224): ERROR: Error sending message to queue. On Dec 25 2010, 3:43 am, "dan (ddp)" <[email protected]> wrote: > Check the ossec.log on the agents that disconnect and the manager for > information on the agents that disconnect. You can also run the > manager's processes in debug mode (-d) for more verbose messages. > > > > On Thu, Dec 23, 2010 at 4:15 AM, Henry <[email protected]> wrote: > > I have been setting up with a ossec server and a ossec agent > > installed. I can use the syscheck_control -lc command on server side > > to see the agent. But usually after several hours without > > disruptions, the syscheck_control -lc command cannot see the agents. > > The only thing I can do is to restart the ossec agent and then restart > > the ossec server, then I can locate the agent using the > > syscheck_control -lc command. Any help is appreciated.- Hide quoted text - > > - Show quoted text -
