On Mon, Nov 28, 2011 at 10:50 AM, Toby <[email protected]> wrote: > Hi, > > Have just done a fresh install of Ossec on Ubuntu 10.4 but when ever > the service is started I get the following errors: > > > Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)... > Started ossec-maild... > Started ossec-execd... > Started ossec-analysisd... > Started ossec-logcollector... > Started ossec-remoted... > 2011/11/28 18:40:54 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/11/28 18:40:54 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/11/28 18:41:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/11/28 18:41:02 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/11/28 18:41:15 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/ > queue/ossec/queue' not accessible: 'Connection refused'. > 2011/11/28 18:41:15 ossec-rootcheck(1211): ERROR: Unable to access > queue: '/var/ossec/queue/ossec/queue'. Giving up.. > > Only the first two processes are showing in the process list. > I have checked the permissions on the file and its owner is ossec. > > It doesn't appear the agent (windows) is connecting either, which i'm > guessing is because of the issue above. There are no other clues in > the log file other then the errors above. > > No firewall setup to block anything on this server. > > Had a good look around and cannot find a resolution for this, but if > i'm being totally blind feel free to point it out. > > Any help would be appreciated. > > Thanks in advance >
There's either a misconfiguration or a permissions issue. If you made any changes to the OSSEC configuration, undo them and try again. You can also run the processes in debug mode (`cd /var/ossec/bin && ./ossec-control enable debug && ./ossec-control restart`) to see if that pulls up any error messages. A firewall won't cause this problem. This FAQ entry may help: http://www.ossec.net/doc/faq/unexpected.html#what-does-1210-queue-not-accessible-mean
