> On Friday, June 22, 2012 14:00:36 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jun 22, 2012 at 3:16 AM, Oliver <[email protected]> wrote: 
> > 
> > 
> > On Thursday, June 21, 2012 12:42:22 PM UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Jun 21, 2012 at 3:55 AM, Oliver  wrote: 
> >> > Hi folks, 
> >> > 
> >> > I know my problem was posted several times. After reading a lot of the old 
> >> > and also newer posts, I can't see them matching my problem or any useful 
> >> > solution. 
> >> > 
> >> > My Setup: 
> >> > OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6 
> >> > 
> >> > Configuration is pretty much default, I just added a directory to monitor 
> >> > for testing realtime monitoring. This was all working fine during the night, 
> >> > then something happened and now I'm getting every two minutes the entry 
> >> > "ossec-logcollector: socketerr (not available)". 
> >> > 
> >> > These are the log entries in ossec.log on the agent when the error first 
> >> > occurred (RED); the same error for ossec-syscheckd occurred only once and 
> >> > never again (BLUE): 
> >> > 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan. 
> >> > 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan. 
> >> > 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan. 
> >> > 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan. 
> >> > 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan. 
> >> > 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available). 
> >> > 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue. 
> >> > 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan. 
> >> > 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available). 
> >> > 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan. 
> >> > 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan. 
> >> > 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available). 
> >> > 
> >> 
> >> Are all of the OSSEC processes running? Does it correct itself if you 
> >> remove your changes to the ossec.conf? Try running the processes in 
> >> debug mode. 
> >> 
> > Yes, I did a $OSSEC/bin/ossec-control status and all the processes were 
> > running. How do you mean "correct itself"? If I have a typo? yes. 
> >> 
>
> I mean, if you remove your changes and restart the OSSEC processes, 
> does everything work? 
>
Didn't try that. Actually, it wouldn't really help if I did, since the error 
occurred after the rollover of the logs and after hours in which I hadn't touched 
the system.

> >> > In the logfile on the OSSEC-Manager for that period nothing is mentioned; 
> >> > the first entry this morning was a restart of the Manager performed by 
> >> > myself. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: 
> >> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: 
> >> > '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: 
> >> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: 
> >> > '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: 
> >> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over. 
> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: 
> >> > '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over. 
> >> > 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
> >> > Cleaning... 
> >> 
> >> Is this where you killed the processes? 
> >> Were all ossec processes running? 
> >> What were the log entries above those errors? 
> >> How long has the OSSEC server been running OSSEC? 
> >> 
> > Yes, this was the stop command on the agent. And the entries above were the 
> > errors I received. The server wasn't running for longer than 12hrs since I'm 
> > in a testing environment and try to understand ossec deeply before I deploy 
> > it to my servers. 
> >> 
> >> > 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
> >> > Cleaning... 
> >> > 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
> >> > Cleaning... 
> >> > 
> >> > Does anyone have an idea what could have happened that this error message 
> >> > is bothering me? 
> >> > Also a restart of both the agent and the manager didn't help. 
> >> > 
> >> > Thnx, 
> >> > Oliver 
> > 
> > 
> > The most crazy thing was, after I posted this yesterday, several hours later the 
> > error disappeared. However I'm still trying to understand what had happened, 
> > since it's unusual for an application to throw an error after hours of 
> > working with nothing changing a bit. 
>
> Which error? The agent or the server? The server's messages were more 
> notification than errors, especially seeing how short of a time this 
> system's been alive. 
>
The error was always only on the Agent. I assume the notifications on the 
Manager relate to the day change and therefore a log switchover. And that's 
actually where I think the source of my question could be. Maybe during the 
rollover something happened and the logcollector failed. Unfortunately I 
was still not able to create that error manually. Over the past days I also 
haven't seen it again.
 

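As an added example (not code from this thread or from the OSSEC project): a small Python parser for the agent-side ossec.log lines quoted above that groups queue-delivery failures ("socketerr" and "Error sending message to queue") per daemon and computes the seconds between retries, which makes the roughly two-minute logcollector retry cadence and the one-off syscheckd failure visible at a glance. The line layout matched by the regex is inferred from the quoted entries, and the sample log is a constructed subset of what Oliver pasted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the agent-side ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
"""

# Assumed line layout, inferred from the quoted entries: "<date> <time> <daemon>[(code)]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"

def parse_ossec_log(text):
    """Yield (timestamp, daemon, code-or-None, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["daemon"], m["code"], m["msg"]

def queue_failures(text):
    """Group queue-delivery failures per daemon and compute the seconds between retries."""
    hits = defaultdict(list)
    for ts, daemon, _code, msg in parse_ossec_log(text):
        if msg.startswith("socketerr") or "Error sending message to queue" in msg:
            hits[daemon].append(ts)
    report = {}
    for daemon, times in hits.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[daemon] = {"count": len(times), "first": times[0].strftime(TS_FMT),
                          "last": times[-1].strftime(TS_FMT), "gaps": gaps}
    return report

def sustained_failures(report, min_count=3):
    """Daemons that failed to reach the queue at least min_count times: worth alerting on."""
    return sorted(d for d, r in report.items() if r["count"] >= min_count)
```

Run it over a real agent ossec.log to see whether the failures are a sustained outage of one daemon (repeating gaps) or a single transient error, which is the distinction dan's questions about process state were getting at.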