On Thursday, June 21, 2012 12:42:22 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jun 21, 2012 at 3:55 AM, Oliver wrote:
> > Hi folks,
> >
> > I know my problem was posted several times. After reading a lot of the old
> > and also newer posts, I can't see them matching my problem or any useful
> > solution.
> >
> > My Setup:
> > OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6
> >
> > Configuration is pretty much default, I just added a directory to monitor
> > for testing realtime monitoring. This was all working fine; during the night
> > something happened and now every two minutes I'm getting the entry
> > "ossec-logcollector: socketerr (not available)".
> >
> > These are the log entries in ossec.log on the agent when the error first
> > occurred (RED); the same error for ossec-syscheckd occurred only once and
> > never again (BLUE):
> > 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
> > 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> > 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available).
> > 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available).
> >
>
> Are all of the OSSEC processes running? Does it correct itself if you
> remove your changes to the ossec.conf? Try running the processes in
> debug mode.
>
Yes, I did a $OSSEC/bin/ossec-control status and all the processes were
running. How do you mean "correct itself"? If I have a typo? Yes.
> > In the logfile on the OSSEC-Manager for that period nothing is mentioned,
> > the first entry this morning was a restart of the Manager performed by
> > myself.
> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
> > 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit
> > Cleaning...
>
> Is this where you killed the processes?
> Were all ossec processes running?
> What were the log entries above those errors?
> How long has the OSSEC server been running OSSEC?
>
Yes, this was the stop command on the agent. And the entries above were
the errors I received. The server wasn't running for longer than 12hrs
since I'm in a testing environment and try to understand ossec deeply
before I deploy it to my servers.
> > 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received. Exit
> > Cleaning...
> > 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit
> > Cleaning...
> >
> > Anyone have an idea what could have happened that this error message is
> > bothering me?
> > Also a restart of both the agent and the manager didn't help.
> >
> > Thnx,
> > Oliver
>
The most crazy thing was, after I posted this yesterday, several hours
later the error disappeared. However I'm still trying to understand what
had happened, since it's unusual for an application to throw an error after
hours of working with nothing having been changed a bit.