On Thu, Jun 21, 2012 at 3:55 AM, Oliver <[email protected]> wrote:
> Hi folks,
>
> I know my problem was posted several times. After reading a lot of the old
> and also newer posts, I can't see them matching my problem or any useful
> solution.
>
> My Setup:
> OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6
>
> Configuration is pretty much default, I just added a directory to monitor
> for testing realtime monitoring. This was all working fine; during the night
> something happened and now every two minutes I'm getting the entry
> "ossec-logcollector: socketerr (not available)".
>
> These are the log entries in ossec.log on the agent when the error first
> occurred (RED); the same error for ossec-syscheckd occurred only once and
> never again (BLUE):
> 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
> 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to
> queue.
> 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available).
> 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available).
>

Are all of the OSSEC processes running? Does it correct itself if you
remove your changes to the ossec.conf? Try running the processes in
debug mode.

> Nothing is mentioned in the logfile on the OSSEC-Manager for that period;
> the first entry this morning was a restart of the Manager performed by
> myself.
> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
> 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit
> Cleaning...

Is this where you killed the processes?
Were all ossec processes running?
What were the log entries above those errors?
How long has the OSSEC server been running OSSEC?

> 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit
> Cleaning...
>
> Does anyone have an idea what could have happened to cause this error
> message that is bothering me?
> Also, a restart of both the agent and the manager didn't help.
>
> Thnx,
> Oliver
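
The timing of the socketerr entries in the agent log quoted above can be measured per daemon with a short script. This is an added example, not part of the original thread or of OSSEC; the function names are hypothetical and the sample lines are copied from the post with the quote markers removed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Agent ossec.log lines copied from the post above (quote markers removed).
SAMPLE = """\
2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to
queue.
2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
"""

# "<date> <time> <daemon>[(<code>)]: <message>"
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: (.*)$")

def parse(text):
    """Return [timestamp, daemon, message] entries; wrapped lines join the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, m.group(2), m.group(4)])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw.strip()  # continuation such as "queue."
    return entries

def socketerr_summary(text):
    """Per daemon: count, first occurrence, median seconds between socketerr entries."""
    seen = defaultdict(list)
    for ts, daemon, msg in parse(text):
        if msg.startswith("socketerr"):
            seen[daemon].append(ts)
    out = {}
    for daemon, stamps in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[daemon] = {"count": len(stamps), "first": stamps[0],
                       "median_gap_s": median(gaps) if gaps else None}
    return out

if __name__ == "__main__":
    for daemon, info in socketerr_summary(SAMPLE).items():
        print(daemon, "recurring" if info["count"] > 1 else "one-off", info)
```

A steady gap for one daemon and a single occurrence for another, as in this sample, separates a recurring failure from a one-off when comparing against the manager's log for the same period.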
