Log message before first ERROR for the agent 2011/01/15 00:05:25 ossec-syscheckd: socket busy .. 2011/01/15 00:05:25 ossec-syscheckd: socketerr (not available). 2011/01/15 00:05:25 ossec-syscheckd(1224): ERROR: Error sending message to queue. 2011/01/15 00:05:32 ossec-logcollector: socket busy .. 2011/01/15 00:05:34 ossec-syscheckd: socket busy .. 2011/01/15 00:05:42 ossec-logcollector: socket busy .. 2011/01/15 00:05:42 ossec-logcollector: socketerr (not available). 2011/01/15 00:05:42 ossec-logcollector: DEBUG: File inode changed. / var/adm/syslog/syslog.log 2011/01/15 00:05:44 ossec-logcollector: Message not complete. Trying again: '' 2011/01/15 00:05:44 ossec-logcollector: DEBUG: Reading syslog message: 'Jan 15 00:05:09 tumainb syslogd: restart' 2011/01/15 00:05:44 ossec-logcollector: socketerr (not available). 2011/01/15 00:05:44 ossec-logcollector(1224): ERROR: Error sending message to queue. 2011/01/15 00:05:44 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '32768'. 2011/01/15 00:05:44 ossec-logcollector: DEBUG: Reading syslog message: 'Jan 15 00:05:29 tumainb su: + 7 henryt-informix' 2011/01/15 00:05:44 ossec-syscheckd: socket busy .. 2011/01/15 00:05:44 ossec-syscheckd: socketerr (not available). 2011/01/15 00:05:44 ossec-syscheckd(1224): ERROR: Error sending message to queue. 2011/01/15 00:05:53 ossec-logcollector: socket busy .. 2011/01/15 00:05:53 ossec-syscheckd: socket busy ..
OS version for agent: HP Unix 11.23 OSSEC version: 2.5.1 There are a couple agents installed, but only one agent is brought up. All ossec processes are restarted on both server and agents. On Jan 20, 3:43 am, "dan (ddp)" <[email protected]> wrote: > Hi Henry, > > > > > > On Wed, Jan 19, 2011 at 3:55 AM, Henry <[email protected]> wrote: > > I have installed the ossec with server and agents, I was able to > > connect the agent with the server, but shortly, it appears on the > > client is down with client log file > > > 2011/01/15 01:02:04 ossec-syscheckd(1224): ERROR: Error sending > > message to queue. > > 2011/01/15 01:02:13 ossec-syscheckd: socket busy .. > > 2011/01/15 01:02:23 ossec-syscheckd: socket busy .. > > 2011/01/15 01:02:23 ossec-syscheckd: INFO: Finished creating syscheck > > database (pre-scan completed). > > 2011/01/15 01:02:35 ossec-syscheckd: INFO: Ending syscheck scan > > (forwarding database). > > 2011/01/15 01:02:35 ossec-syscheckd: socketerr (not available). > > 2011/01/15 01:02:35 ossec-syscheckd(1224): ERROR: Error sending > > message to queue. > > 2011/01/15 01:02:44 ossec-syscheckd: socket busy .. > > 2011/01/15 01:02:54 ossec-syscheckd: socket busy .. > > 2011/01/15 01:03:23 ossec-syscheckd: socket busy .. > > 2011/01/15 01:03:33 ossec-syscheckd: socket busy .. > > 2011/01/15 01:03:33 ossec-rootcheck(1224): ERROR: Error sending > > message to queue. > > 2011/01/15 01:03:42 ossec-syscheckd: socket busy .. > > 2011/01/15 01:03:52 ossec-syscheckd: socket busy .. > > 2011/01/15 01:03:52 ossec-rootcheck(1211): ERROR: Unable to access > > queue: '/var/ossec/queue/ossec/queue'. Giving up.. > > > Any suggestions are welcomed? > > Are there any log messages before the first ERROR you posted here? > What OS/revision? > What version of OSSEC? > Is this the only agent? > Did you restart the manager ossec processes after using manage_agents > to add this agent?- Hide quoted text - > > - Show quoted text -
