Sorry I didn't provide sooner. Below is my ossec.log file. Let me know if there are any other files or logs that would help.
1012/07/10 06:02:04 ossec-execd: INFO: Started (pid: 30728). 1012/07/10 06:02:04 ossec-agentd (1410): INFO: Reading authentication keys file. 1012/07/10 06:02:04 ossec-agentd: INFO: Started (pid: 30732). 1012/07/10 06:02:04 ossec-agentd: INFO: Server IP Address: xxx.xxx.xxx.xxx 1012/07/10 06:02:04 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:02:08 ossec-syscheckd: INFO: Started (pid: 30740). 1012/07/10 06:02:08 ossec-rootcheck: INFO: Started (pid: 30740). 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/opt/splunkforwarder/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/opt/ossec/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/Nagios/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/bin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/sbin'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/splunkforwarder/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/ossec/etc'. 1012/07/10 06:02:08 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/Nagios/etc'. 1012/07/10 06:02:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'. 1012/07/10 06:02:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'. 1012/07/10 06:02:10 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'. 1012/07/10 06:02:10 ossec-logcollector(1950): INFO: Started (pid: 30736). 1012/07/10 06:02:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx:1514'. 1012/07/10 06:02:27 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:02:42 ossec-logcollector: WARN: Process locked. Waiting for permission... 1012/07/10 06:02:48 ossec-logcollector: WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx:1514'. 1012/07/10 06:03:08 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:03:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 1012/07/10 06:03:10 ossec-syscheckd: WARN: Process locked. Waiting on permission... 1012/07/10 06:03:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx:1514'. 1012/07/10 06:04:07 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:04:28 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx:1514'. 1012/07/10 06:05:24 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:05:25 ossec-agentd(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514). 1012/07/10 06:05:25 ossec-syscheckd: INFO: Lock free. Continuing... 1012/07/10 06:05:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 1012/07/10 06:05:25 ossec-syscheckd: INFO: Initializing real time file monitoring (not started). 1012/07/10 06:05:27 ossec-logcollector: INFO: Lock free. Continuing... 1012/07/10 06:06:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning... 1012/07/10 06:06:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning... 1012/07/10 06:06:04 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning... 1012/07/10 06:06:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses. 1012/07/10 06:06:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning... Scott Allen The Van Dyke Technology Group [email protected] (703) 477-0128 (C) (571) 480-7910 (W) -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Friday, July 06, 2012 11:03 AM To: [email protected] Subject: Re: [ossec-list] OSSEC Clients stopping On Fri, Jul 6, 2012 at 10:54 AM, william allen <[email protected]> wrote: > > > Scott Allen > The Van Dyke Technology Group > [email protected] > (703) 477-0128 (C) > (571) 480-7910 (W) > > > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > On Behalf Of dan (ddp) > Sent: Friday, July 06, 2012 10:45 AM > To: [email protected] > Subject: Re: [ossec-list] OSSEC Clients stopping > > On Fri, Jul 6, 2012 at 10:36 AM, william allen > <[email protected]> > wrote: >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] >> On Behalf Of dan (ddp) >> Sent: Friday, July 06, 2012 10:03 AM >> To: [email protected] >> Subject: Re: [ossec-list] OSSEC Clients stopping >> >> On Fri, Jul 6, 2012 at 9:52 AM, william allen >> <[email protected]> >> wrote: >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] >>> On Behalf Of dan (ddp) >>> Sent: Friday, July 06, 2012 9:39 AM >>> To: [email protected] >>> Subject: Re: [ossec-list] OSSEC Clients stopping >>> >>> On Fri, Jul 6, 2012 at 9:25 AM, william allen >>> <[email protected]> >>> wrote: >>>> I know this is a normal occurrence with OSSEC. But when it does >>>> the shutdown it does not come back up. >>>> >>>> >>>> >>>> 2017/07/05 10:42:01 ossec-logcollector(1225): INFO: SIGNAL Received. >>>> Exit >>>> >>>> Cleaning.. >>>> >>>> 2017/07/05 10:42:01 ossec-logcollector(1225): INFO: SIGNAL Received. >>>> Exit Cleaning. >>>> >>>> 2017/07/05 10:42:01 ossec-agentd(1225): INFO: SIGNAL Received. >>>> Exit Cleaning. >>>> >>>> 2017/07/05 10:42:01 ossec-execd(1314: INFO: Shutdown received. >>>> Deleting responses. >>>> >>>> 2017/07/05 10:42:01 ossec-execd(1225): INFO: SIGNAL Received. Exit >>>> Cleaning. >>>> >>>> >>>> >>>> I do not get the following startup PID command? >>>> >>>> >>>> >>>> 2012/06/29 11:42:51 ossec-execd: INFO: Started (pid: 13571). >>>> >>>> >>>> >>>> Thanks, >>>> >>>> Scott Allen >>>> >>>> >>>> >>>> >>> >>> You want all of the daemons to output the "Started (pid: xxxxx)" message? >>> >>>> >>>> >>>> >>> Not really important. Maybe I didn't explain very well. I am just >>> wondering why on a few of my boxes the client stops with the above >>> cleaning items and doesn't restart after completion. >>> >> >> I guess I have to ask: Why did it stop in the first place? >> >>>I don't know. I have done numerous installs and this is the first >>>time I >> have seen this happen. I just did an new install on about 7 boxes. >> When I >>>started 4 of the boxes I got the above where it stopped and didn't >>>start >> backup. I don't know why they didn't startup or why the stopped. Is >> there >>>another log to look at besides the OSSEC.LOG? >> >>>Thanks for the assistance.... > > Nope, ossec.log is pretty much it. If you start ossec manually > (`/var/ossec/bin/ossec-control start`) does it start properly? > >>Yes. Since there weren't any logs you wanted to post, you haven't provided any information for anyone to try and reproduce the problem, and everything seems to work out in the end there isn't much I can do. No idea why the processes didn't start after you did something.
smime.p7s
Description: S/MIME cryptographic signature
