On Tue, Aug 21, 2012 at 11:19 AM, Shaka Lewis <[email protected]> wrote:
> I ran the debug and here is the output
>
> 2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2012/08/20 18:56:28 ossec-logcollector: socketerr (not available).
> 2012/08/20 18:56:28 ossec-logcollector(1224): ERROR: Error sending
> message to queue.
> 2012/08/20 18:56:29 ossec-logcollector: socketerr (not available).
> 2012/08/20 18:56:29 ossec-logcollector(1224): ERROR: Error sending
> message to queue.
> 2012/08/20 18:56:31 ossec-logcollector(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/08/20 18:56:31 ossec-logcollector(1211): ERROR: Unable to access
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2012/08/20 18:56:32 ossec-logcollector(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/08/20 18:56:32 ossec-logcollector(1211): ERROR: Unable to access
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2012/08/20 18:57:18 ossec-monitord: socketerr (not available).
> 2012/08/20 18:57:18 ossec-monitord(1224): ERROR: Error sending message to 
> queue.
> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
> 2012/08/20 19:19:19 ossec-monitord(1224): ERROR: Error sending message to 
> queue.
> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
>

And what OSSEC processes are running at this point?
Did you run analysisd in gdb? Did it crash? Is there a backtrace?

I'll throw in some more questions, because I need some more to not be
answered. Is this a server or a standalone installation? Has it ever
worked? Did you change anything?

>
> On Mon, Aug 20, 2012 at 9:40 AM, dan (ddp) <[email protected]> wrote:
>> On Mon, Aug 20, 2012 at 9:38 AM, Shaka Lewis <[email protected]> wrote:
>>> This is the error log in the ossec.log file when i restarted this morning
>>>
>>>  ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/ossec/logs/alerts/alerts.log'.
>>> 2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
>>> 2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
>>> 2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending
>>> message to queue.
>>> 2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> 2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan
>>> (forwarding database).
>>> 2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
>>> 2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending
>>> message to queue.
>>> 2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>
>>>
>>> This was in /var/log/messages
>>>
>>> kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp
>>> 00007fffe5ada2b8 error 14 in ossec-analysisd[400000+62000]
>>>
>>
>> Try running ossec-analysisd in gdb to see if you can get more
>> information from the crash.
>>
>> gdb ossec-analysisd
>> set follow-fork-mode child
>> run -d
>> CRASH
>> bt
>>
>> For a start
>>
>>>
>>> On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <[email protected]> wrote:
>>>> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <[email protected]> wrote:
>>>>> I get the below errors after restarting ossec.  This is version 2.6
>>>>> running on a Linux machine
>>>>>
>>>>> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available).
>>>>> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending
>>>>> message to queue.
>>>>> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue
>>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access
>>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available).
>>>>> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending
>>>>> message to queue.
>>>>> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue
>>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access
>>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available).
>>>>> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to 
>>>>> queue.
>>>>> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available).
>>>>> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to 
>>>>> queue.
>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to 
>>>>> queue.
>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>
>>>> These types of errors usually mean something was changed incorrectly.
>>>> Did you make any changes before restarting? What log messages are
>>>> there before the first socketerr? What OSSEC processes are running
>>>> when this happens?
