On Fri, Jun 22, 2012 at 3:16 AM, Oliver <[email protected]> wrote:
>
>
> On Thursday, June 21, 2012 12:42:22 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 21, 2012 at 3:55 AM, Oliver wrote:
>> > Hi folks,
>> >
>> > I know my problem was posted several times. After reading a lot of the
>> > old
>> > and also newer posts, I can't see them matching my problem or any useful
>> > solution.
>> >
>> > My Setup:
>> > OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6
>> >
>> > Configuration is pretty much default, I just added a directory to
>> > monitor
>> > for testing realtime monitoring. This was all working fine; during the
>> > night
>> > something happened and now I'm getting the entry
>> > "ossec-logcollector: socketerr (not available)." every two minutes.
>> >
>> > These are the log entries in ossec.log on the agent when the error first
>> > occurred (RED), the same error for ossec-syscheckd occurred only once and
>> > never again (BLUE):
>> > 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
>> > 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
>> > 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
>> > 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
>> > 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
>> > 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
>> > 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message
>> > to
>> > queue.
>> > 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> > 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available).
>> > 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan.
>> > 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan.
>> > 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available).
>> >
>>
>> Are all of the OSSEC processes running? Does it correct itself if you
>> remove your changes to the ossec.conf? Try running the processes in
>> debug mode.
>>
> Yes, I did a $OSSEC/bin/ossec-control status and all the processes were
> running. How do you mean "correct itself"? If I have a typo? yes.
>>

I mean, if you remove your changes and restart the OSSEC processes,
does everything work?

>> > In the logfile on the OSSEC-Manager for that period is nothing
>> > mentioned,
>> > the first entry this morning was a restart of the Manager performed by
>> > myself.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
>> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
>> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
>> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
>> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found:
>> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found:
>> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>> > 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit
>> > Cleaning...
>>
>> Is this where you killed the processes?
>> Were all ossec processes running?
>> What were the log entries above those errors?
>> How long has the OSSEC server been running OSSEC?
>>
> Yes, this was the stop command on the agent. And the entries above were the
> errors I received. The server wasn't running for longer than 12hrs since I'm
> in a testing environment and try to understand ossec deeply before I deploy
> it to my servers.
>>
>> > 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received.
>> > Exit
>> > Cleaning...
>> > 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit
>> > Cleaning...
>> >
>> > Anyone an idea what could have happened that this error message is
>> > bothering
>> > me?
>> > Also a restart of both the agent and the manager didn't help.
>> >
>> > Thnx,
>> > Oliver
>
>
> The most crazy thing was, after I posted this yesterday, several hours the
> error disappeared. However I'm still trying to understand what had happened,
> since it's unusual for an application to throw an error after hours of
> working and none changing a bit.

Which error? The agent or the server? The server's messages were more
notification than errors, especially seeing how short of a time this
system's been alive.
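
An added example, not part of the original thread: a small triage script that groups the `socketerr` lines from an agent's ossec.log by daemon and measures the gap between repeats, which separates the recurring ossec-logcollector error from the one-off ossec-syscheckd one. The sample lines are constructed from the format quoted above (the wrapped queue line is rejoined), and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ossec.log format quoted in the thread.
SAMPLE_LOG = """\
2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
"""

# timestamp, daemon name, optional number in parentheses as printed, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<num>\d+)\))?: (?P<msg>.*)$"
)


def summarize_socket_errors(log_text):
    """Return per-daemon count, first/last time and gaps (seconds) of socketerr lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("msg").startswith("socketerr"):
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            hits[m.group("daemon")].append(ts)

    summary = {}
    for daemon, times in hits.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[daemon] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "gaps": gaps,
        }
    return summary


if __name__ == "__main__":
    for daemon, info in summarize_socket_errors(SAMPLE_LOG).items():
        print(daemon, info["count"], info["first"], info["last"], info["gaps"])
```

A steady gap for one daemon alongside a single occurrence for another narrows which process to run in debug mode first.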
