I ran the debug and here is the output:

2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/08/20 18:56:28 ossec-logcollector: socketerr (not available).
2012/08/20 18:56:28 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/20 18:56:29 ossec-logcollector: socketerr (not available).
2012/08/20 18:56:29 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/20 18:56:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 18:56:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/20 18:56:32 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 18:56:32 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/20 18:57:18 ossec-monitord: socketerr (not available).
2012/08/20 18:57:18 ossec-monitord(1224): ERROR: Error sending message to queue.
2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
2012/08/20 19:19:19 ossec-monitord(1224): ERROR: Error sending message to queue.
2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
On Mon, Aug 20, 2012 at 9:40 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Aug 20, 2012 at 9:38 AM, Shaka Lewis <[email protected]> wrote:
>> This is the error log in the ossec.log file when I restarted this morning:
>>
>> ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'.
>> 2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
>> 2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
>> 2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.
>> 2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
>> 2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>> 2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> This was in /var/log/messages:
>>
>> kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 00007fffe5ada2b8 error 14 in ossec-analysisd[400000+62000]
>>
> Try running ossec-analysisd in gdb to see if you can get more information from the crash.
>
> gdb ossec-analysisd
> set follow-fork-mode child
> run -d
> CRASH
> bt
>
> For a start.
>
>> On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <[email protected]> wrote:
>>> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <[email protected]> wrote:
>>>> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine.
>>>>
>>>> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available).
>>>> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available).
>>>> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending message to queue.
>>>> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available).
>>>> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available).
>>>> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>
>>> These types of errors usually mean something was changed incorrectly. Did you make any changes before restarting? What log messages are there before the first socketerr? What OSSEC processes are running when this happens?
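Added triage helper for the "queue not accessible" pattern in this thread. This is example code written for this page, not part of OSSEC. It assumes the ossec.log line layout quoted above (date, time, daemon name with an optional numeric code, level, message), a kernel segfault line of the form quoted from /var/log/messages, and, for the live check only, that pgrep is available and that the queue socket is the default /var/ossec/queue/ossec/queue, which on a server is served by ossec-analysisd. The point it makes is the one dan's reply implies: when every producer (logcollector, syscheckd, rootcheck, monitord) gets 'Connection refused' on the same socket, look for the crash of the single process that listens on it rather than at the producers.

```shell
#!/bin/sh
# Example triage script for OSSEC queue errors (not OSSEC code).
# Assumed log formats:
#   ossec.log:  YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message
#   messages:   ... kernel: ossec-<name>[<pid>]: segfault at ...

# Distinct daemons that reported queue errors in an ossec.log ($1).
queue_error_daemons() {
    grep -E 'ERROR: (Error sending message to queue|Queue .* not accessible|Unable to access queue)' "$1" \
        | sed -E 's|^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9:]{8} ([A-Za-z-]+)(\([0-9]+\))?: .*|\1|' \
        | sort -u
}

# "name[pid]" of every OSSEC process the kernel reported as segfaulting ($1 = messages or dmesg output).
segfaulted_ossec_procs() {
    grep -E 'kernel: ossec-[a-z]+\[[0-9]+\]: segfault' "$1" \
        | sed -E 's|.*kernel: (ossec-[a-z]+)\[([0-9]+)\]: segfault.*|\1[\2]|' \
        | sort -u
}

# Correlate the two. The queue is a Unix socket with one consumer
# (ossec-analysisd on a server); if it died, every producer sees ECONNREFUSED.
# Exit 0: no queue errors; 2: consumer crash found; 1: queue errors, cause unknown.
diagnose() {
    daemons=$(queue_error_daemons "$1")
    crashed=$(segfaulted_ossec_procs "$2")
    if [ -z "$daemons" ]; then
        echo "no queue errors"
        return 0
    fi
    if echo "$crashed" | grep -q '^ossec-analysisd\['; then
        echo "queue consumer crashed: $(echo "$crashed" | grep '^ossec-analysisd\[')"
        return 2
    fi
    echo "queue errors from: $(echo "$daemons" | tr '\n' ' ')"
    return 1
}

# Live check on the host (not exercised offline): socket present and consumer running?
# Assumes the default socket path and the server-side consumer ossec-analysisd.
queue_live_check() {
    sock=${1:-/var/ossec/queue/ossec/queue}
    [ -S "$sock" ] || { echo "missing socket $sock"; return 1; }
    pgrep -x ossec-analysisd >/dev/null || { echo "ossec-analysisd not running"; return 1; }
    echo "socket present and ossec-analysisd running"
}

# Usage: sh triage.sh /var/ossec/logs/ossec.log /var/log/messages
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it against the live ossec.log and /var/log/messages after a restart; an exit status of 2 names the crashed consumer and its pid, which is the process to put under gdb as in the reply above. Exit status 1 means the producers are failing but no segfault was logged, so check whether the consumer was ever started or whether the socket path or permissions changed.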
