On Tue, Oct 23, 2012 at 1:54 AM, C. L. Martinez <[email protected]> wrote: > Hi all, > > I have a strange problem with one of my ossec servers. After 48 hours > working, some ossec processes stops. Active process at this moment: > > 24346 ? S 0:07 /data/ossec/bin/ossec-csyslogd > 24350 ? S 0:05 /data/ossec/bin/ossec-maild > 24354 ? S 0:00 /data/ossec/bin/ossec-execd > 24377 ? S 12:32 /data/ossec/bin/ossec-monitord > > And ossec.log shows me: > > 2012/10/20 17:51:55 ossec-logcollector: socketerr (not available). > 2012/10/20 17:51:55 ossec-logcollector(1224): ERROR: Error sending > message to queue. > 2012/10/20 17:51:58 ossec-logcollector(1210): ERROR: Queue > '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2012/10/20 17:51:58 ossec-logcollector(1211): ERROR: Unable to access > queue: '/data/ossec/queue/ossec/queue'. Giving up.. > 2012/10/20 17:51:58 ossec-remoted: socketerr (not available). > 2012/10/20 17:51:58 ossec-remoted(1210): ERROR: Queue > '/queue/ossec/queue' not accessible: 'Connection refused'. > 2012/10/20 17:52:01 ossec-remoted(1210): ERROR: Queue > '/queue/ossec/queue' not accessible: 'Connection refused'. > 2012/10/20 17:52:01 ossec-remoted(1211): ERROR: Unable to access > queue: '/queue/ossec/queue'. Giving up.. > 2012/10/20 18:22:07 ossec-monitord: socketerr (not available). > 2012/10/20 18:22:07 ossec-monitord(1224): ERROR: Error sending message to > queue. > 2012/10/21 03:49:27 ossec-syscheckd: socketerr (not available). > 2012/10/21 03:49:27 ossec-rootcheck(1224): ERROR: Error sending > message to queue. > 2012/10/21 03:49:30 ossec-syscheckd(1210): ERROR: Queue > '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'. > 2012/10/21 03:49:30 ossec-rootcheck(1211): ERROR: Unable to access > queue: '/data/ossec/queue/ossec/queue'. Giving up.. > > Ossec is 2.6 release and host is CentOS 6.3 x86_64.... > > Any idea??
Run ossec-analysisd in gdb, get us some data. Or upgrade to 2.7 and see if that fixes it.
