You're still possibly missing the beginning of the error chain. The first message there says "socket busy," so something bad has happened. But we don't know what. It might be useful to figure out which processes are running on the agent when the error messages start. My guess is that one of them is dying.
Also, see the following link for a note about HPUX support getting better in a post-2.5.1 snapshot: http://www.ossec.net/dcid/?p=204

You may want to upgrade this agent to the snapshot mentioned in the post to see if that helps.

On Thu, Jan 20, 2011 at 2:46 AM, Henry <[email protected]> wrote:
> Log message before first ERROR for the agent
>
> 2011/01/15 00:05:25 ossec-syscheckd: socket busy ..
> 2011/01/15 00:05:25 ossec-syscheckd: socketerr (not available).
> 2011/01/15 00:05:25 ossec-syscheckd(1224): ERROR: Error sending
> message to queue.
> 2011/01/15 00:05:32 ossec-logcollector: socket busy ..
> 2011/01/15 00:05:34 ossec-syscheckd: socket busy ..
> 2011/01/15 00:05:42 ossec-logcollector: socket busy ..
> 2011/01/15 00:05:42 ossec-logcollector: socketerr (not available).
> 2011/01/15 00:05:42 ossec-logcollector: DEBUG: File inode changed. /
> var/adm/syslog/syslog.log
> 2011/01/15 00:05:44 ossec-logcollector: Message not complete. Trying
> again: ''
> 2011/01/15 00:05:44 ossec-logcollector: DEBUG: Reading syslog message:
> 'Jan 15 00:05:09 tumainb syslogd: restart'
> 2011/01/15 00:05:44 ossec-logcollector: socketerr (not available).
> 2011/01/15 00:05:44 ossec-logcollector(1224): ERROR: Error sending
> message to queue.
> 2011/01/15 00:05:44 ossec-logcollector: INFO: (unix_domain) Maximum
> send buffer set to: '32768'.
> 2011/01/15 00:05:44 ossec-logcollector: DEBUG: Reading syslog message:
> 'Jan 15 00:05:29 tumainb su: + 7 henryt-informix'
> 2011/01/15 00:05:44 ossec-syscheckd: socket busy ..
> 2011/01/15 00:05:44 ossec-syscheckd: socketerr (not available).
> 2011/01/15 00:05:44 ossec-syscheckd(1224): ERROR: Error sending
> message to queue.
> 2011/01/15 00:05:53 ossec-logcollector: socket busy ..
> 2011/01/15 00:05:53 ossec-syscheckd: socket busy ..
>
> OS version for agent: HP Unix 11.23
>
> OSSEC version: 2.5.1
>
> There are a couple agents installed, but only one agent is brought up.
>
> All ossec processes are restarted on both server and agents.
>
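
An added example, not part of the thread and not OSSEC project code: one way to locate the start of the error chain is to pull each daemon's first queue symptom out of ossec.log, which gives the timestamp at which to check the agent's running processes. The sample lines are constructed from the quoted log (with mail wrapping undone), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, modeled on the ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2011/01/15 00:05:25 ossec-syscheckd: socket busy ..
2011/01/15 00:05:25 ossec-syscheckd: socketerr (not available).
2011/01/15 00:05:25 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2011/01/15 00:05:32 ossec-logcollector: socket busy ..
2011/01/15 00:05:42 ossec-logcollector: socketerr (not available).
2011/01/15 00:05:44 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '32768'.
2011/01/15 00:05:44 ossec-logcollector(1224): ERROR: Error sending message to queue.
"""

# "<date> <time> <daemon>[(<code>)]: <message>", as seen in the quoted log.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: (.*)$")
# Symptom strings taken from the quoted log.
SYMPTOMS = ("socket busy", "socketerr", "ERROR:")


def first_symptoms(log_text):
    """Return {daemon: (timestamp, message)} for each daemon's first queue symptom."""
    first = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation line or unrelated text
        ts, daemon, _code, msg = m.groups()
        if daemon not in first and any(s in msg for s in SYMPTOMS):
            first[daemon] = (datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), msg)
    return first


def chain_start(log_text):
    """Earliest symptom across all daemons as (daemon, timestamp, message), or None."""
    first = first_symptoms(log_text)
    if not first:
        return None
    daemon = min(first, key=lambda d: first[d][0])
    return (daemon, *first[daemon])


if __name__ == "__main__":
    ordered = sorted(first_symptoms(SAMPLE_LOG).items(), key=lambda kv: kv[1][0])
    for daemon, (ts, msg) in ordered:
        print(f"{ts}  {daemon}: {msg}")
```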
