On Tue, Oct 23, 2012 at 12:49 PM, dan (ddp) <[email protected]> wrote: > On Tue, Oct 23, 2012 at 1:54 AM, C. L. Martinez <[email protected]> wrote: >> Hi all, >> >> I have a strange problem with one of my ossec servers. After 48 hours >> working, some ossec processes stops. Active process at this moment: >> >> 24346 ? S 0:07 /data/ossec/bin/ossec-csyslogd >> 24350 ? S 0:05 /data/ossec/bin/ossec-maild >> 24354 ? S 0:00 /data/ossec/bin/ossec-execd >> 24377 ? S 12:32 /data/ossec/bin/ossec-monitord >> >> And ossec.log shows me: >> >> 2012/10/20 17:51:55 ossec-logcollector: socketerr (not available). >> 2012/10/20 17:51:55 ossec-logcollector(1224): ERROR: Error sending >> message to queue. >> 2012/10/20 17:51:58 ossec-logcollector(1210): ERROR: Queue >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/10/20 17:51:58 ossec-logcollector(1211): ERROR: Unable to access >> queue: '/data/ossec/queue/ossec/queue'. Giving up.. >> 2012/10/20 17:51:58 ossec-remoted: socketerr (not available). >> 2012/10/20 17:51:58 ossec-remoted(1210): ERROR: Queue >> '/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/10/20 17:52:01 ossec-remoted(1210): ERROR: Queue >> '/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/10/20 17:52:01 ossec-remoted(1211): ERROR: Unable to access >> queue: '/queue/ossec/queue'. Giving up.. >> 2012/10/20 18:22:07 ossec-monitord: socketerr (not available). >> 2012/10/20 18:22:07 ossec-monitord(1224): ERROR: Error sending message to >> queue. >> 2012/10/21 03:49:27 ossec-syscheckd: socketerr (not available). >> 2012/10/21 03:49:27 ossec-rootcheck(1224): ERROR: Error sending >> message to queue. >> 2012/10/21 03:49:30 ossec-syscheckd(1210): ERROR: Queue >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'. >> 2012/10/21 03:49:30 ossec-rootcheck(1211): ERROR: Unable to access >> queue: '/data/ossec/queue/ossec/queue'. Giving up.. >> >> Ossec is 2.6 release and host is CentOS 6.3 x86_64.... >> >> Any idea?? > > Run ossec-analysisd in gdb, get us some data. Or upgrade to 2.7 and > see if that fixes it.
Ok, I will try to use gdb ...
