here is all I have from the latest debug:

2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Going into check_rc_dev
2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Starting on check_rc_dev
2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Going into check_rc_sys
2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Starting on check_rc_sys
2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Going into check_rc_pids
2012/08/21 18:16:40 ossec-rootcheck: DEBUG: Going into check_rc_ports
2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Going into check_open_ports
2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Going into check_rc_if
2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Completed with all checks.
2012/08/21 18:16:46 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/08/21 18:16:46 ossec-rootcheck: DEBUG: Leaving run_rk_check
2012/08/21 19:22:09 ossec-logcollector: socketerr (not available).
2012/08/21 19:22:09 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/21 19:22:12 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/21 19:22:12 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/21 19:31:30 ossec-monitord: socketerr (not available).
On Wed, Aug 22, 2012 at 7:45 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Aug 21, 2012 at 2:13 PM, Shaka Lewis <[email protected]> wrote:
>> The ossec processes running at this point are execd, logcollector, and
>> monitord.
>>
>>
>> AnalysisD crashed and here is the output:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to process 26814]
>> 0x0000000000000000 in ?? ()
>> Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.12.x86_64
>> (This version of glibc is already installed on the system)
>>
>>
>
> You couldn't get a backtrace or anything on this?
>
>> This is a server install and stopped working after migrating to new hardware.
>>
>
>
> Have you tried reinstalling/upgrading?
>
>> On Tue, Aug 21, 2012 at 12:19 PM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Aug 21, 2012 at 11:19 AM, Shaka Lewis <[email protected]> wrote:
>>>> I ran the debug and here is the output
>>>>
>>>> 2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>> 2012/08/20 18:56:28 ossec-logcollector: socketerr (not available).
>>>> 2012/08/20 18:56:28 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>> 2012/08/20 18:56:29 ossec-logcollector: socketerr (not available).
>>>> 2012/08/20 18:56:29 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>> 2012/08/20 18:56:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2012/08/20 18:56:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2012/08/20 18:56:32 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2012/08/20 18:56:32 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> 2012/08/20 18:57:18 ossec-monitord: socketerr (not available).
>>>> 2012/08/20 18:57:18 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
>>>> 2012/08/20 19:19:19 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
>>>>
>>>
>>> And what OSSEC processes are running at this point?
>>> Did you run analysisd in gdb? Did it crash? Is there a backtrace?
>>>
>>> I'll throw in some more questions, because I need some more to not be
>>> answered. Is this a server or a standalone installation? Has it ever
>>> worked? Did you change anything?
>>>
>>>>
>>>> On Mon, Aug 20, 2012 at 9:40 AM, dan (ddp) <[email protected]> wrote:
>>>>> On Mon, Aug 20, 2012 at 9:38 AM, Shaka Lewis <[email protected]> wrote:
>>>>>> This is the error log in the ossec.log file when I restarted this morning
>>>>>>
>>>>>> ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'.
>>>>>> 2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
>>>>>> 2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
>>>>>> 2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>> 2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>> 2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>> 2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>>>>> 2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
>>>>>> 2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>>>>>> 2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>> 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>
>>>>>>
>>>>>> This was in /var/log/messages
>>>>>>
>>>>>> kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 00007fffe5ada2b8 error 14 in ossec-analysisd[400000+62000]
>>>>>>
>>>>>
>>>>> Try running ossec-analysisd in gdb to see if you can get more
>>>>> information from the crash.
>>>>>
>>>>> gdb ossec-analysisd
>>>>> set follow-fork-mode child
>>>>> run -d
>>>>> CRASH
>>>>> bt
>>>>>
>>>>> For a start
>>>>>
>>>>>>
>>>>>> On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <[email protected]> wrote:
>>>>>>> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <[email protected]> wrote:
>>>>>>>> I get the below errors after restarting ossec. This is version 2.6
>>>>>>>> running on a Linux machine
>>>>>>>>
>>>>>>>> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available).
>>>>>>>> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>>>> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available).
>>>>>>>> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending message to queue.
>>>>>>>> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available).
>>>>>>>> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available).
>>>>>>>> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>>>>> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>>>>
>>>>>>> These types of errors usually mean something was changed incorrectly.
>>>>>>> Did you make any changes before restarting? What log messages are
>>>>>>> there before the first socketerr? What OSSEC processes are running
>>>>>>> when this happens?
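The questions dan keeps asking in this thread (which daemons hit socketerr, what was logged before the first one, and whether anything is actually bound to the queue) can be answered mechanically. The script below is an added example and is not part of the thread or of OSSEC itself; it parses the ossec.log line format seen above, reports the first socketerr and the lines preceding it, lists the daemons that failed to reach the queue, and probes a queue socket path to distinguish "no socket file" from "socket file present but nobody bound to it". On a server or local install the `/var/ossec/queue/ossec/queue` socket is bound by ossec-analysisd, so once analysisd has segfaulted every other daemon gets exactly the `Connection refused` that fills these logs. The `SAMPLE_LOG` lines are constructed for the example (modelled on the thread's output), and the `probe_queue` helper is the example's own, not an OSSEC tool.

```python
import errno
import os
import re
import socket
from collections import OrderedDict

# Constructed sample, modelled on the ossec.log excerpts in the thread.
SAMPLE_LOG = [
    "2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).",
    "2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).",
    "2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.",
    "2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.",
    "2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..",
    "2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).",
    "2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).",
    "2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.",
]

# ossec.log line shape: "<date> <time> <daemon>[(<code>)]: [<LEVEL>: ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|ERROR|DEBUG|WARN): )?(?P<msg>.*)$"
)

# OSSEC error codes seen in the thread for queue trouble.
QUEUE_ERROR_CODES = ("1210", "1211", "1224")


def parse_line(line):
    """Return a dict (ts, daemon, code, level, msg) for one ossec.log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines):
    """Summarise queue trouble in a sequence of ossec.log lines.

    first_socketerr: timestamp of the first 'socketerr' line (None if absent)
    before:          parsed lines preceding it, i.e. what to read first
    failing_daemons: daemons that logged socketerr or a queue error code, in order seen
    queue_paths:     queue socket paths named in 'not accessible' errors
    """
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    first_idx = next((i for i, p in enumerate(parsed) if "socketerr" in p["msg"]), None)
    failing = OrderedDict()
    paths = set()
    for p in parsed:
        if "socketerr" in p["msg"] or p["code"] in QUEUE_ERROR_CODES:
            failing.setdefault(p["daemon"], p["ts"])
        m = re.search(r"Queue '([^']+)' not accessible", p["msg"])
        if m:
            paths.add(m.group(1))
    return {
        "first_socketerr": parsed[first_idx]["ts"] if first_idx is not None else None,
        "before": parsed[:first_idx] if first_idx is not None else parsed,
        "failing_daemons": list(failing),
        "queue_paths": sorted(paths),
    }


def probe_queue(path):
    """Classify the state of a Unix datagram queue socket at `path` (example helper).

    'missing' - no file there: the socket was never created, or the install dir is wrong
    'refused' - file present but no process bound to it; this is the state the other
                daemons log as "Connection refused" after analysisd has died
    'ok'      - a datagram connect succeeded, so a reader is bound
    """
    if not os.path.exists(path):
        return "missing"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "ok"
    except OSError as e:
        return "refused" if e.errno == errno.ECONNREFUSED else "error: %s" % e.strerror
    finally:
        s.close()


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("first socketerr:", report["first_socketerr"])
    print("daemons failing to reach the queue:", ", ".join(report["failing_daemons"]))
    print("lines logged before the first socketerr:")
    for p in report["before"]:
        print("   ", p["ts"], p["daemon"], p["msg"])
    for path in report["queue_paths"]:
        print(path, "->", probe_queue(path))
```

Run it against a real ossec.log by replacing `SAMPLE_LOG` with the file's lines. A `refused` result from `probe_queue` on the path the daemons complain about, together with no ossec-analysisd in the process list, points at the analysisd crash rather than at the daemons that merely report the symptom; a `missing` result points instead at a wrong install directory or a queue that was never created.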
