This is the error log in the ossec.log file when i restarted this morning ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'. 2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978). 2012/08/20 09:29:50 ossec-logcollector: socketerr (not available). 2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue. 2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. 2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. 2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available). 2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue. 2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
This was in /var/log/messages kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 00007fffe5ada2b8 error 14 in ossec-analysisd[400000+62000] On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <[email protected]> wrote: > On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <[email protected]> wrote: >> I get the below errors after restarting ossec. This is version 2.6 >> running on a Linux machine >> >> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available). >> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending >> message to queue. >> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue >> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access >> queue: '/var/ossec/queue/ossec/queue'. Giving up.. >> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available). >> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending >> message to queue. >> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue >> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access >> queue: '/var/ossec/queue/ossec/queue'. Giving up.. >> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available). >> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to >> queue. >> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available). >> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to >> queue. >> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available). >> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to >> queue. >> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available). > > These types of errors usually means something was changed incorrectly. > Did you make any changes before restarting? What log messages are > there before the first socketerr? What OSSEC processes are running > when this happens?
