Hello,

I'm seeing this behavior, but it's repeatable by this 1 host I have. It is running Redhat 5.8.

2013/09/25 14:35:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/25 14:35:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/09/25 15:03:36 ossec-syscheckd: socketerr (not available).
2013/09/25 15:03:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.

Any ideas? I've reinstalled ossec 2.7 from scratch but same error each time.

On Monday, June 25, 2012 7:30:09 AM UTC-7, Oliver wrote:
>
> On Friday, June 22, 2012 14:00:36 UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 22, 2012 at 3:16 AM, Oliver wrote:
>> >
>> > On Thursday, June 21, 2012 12:42:22 PM UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jun 21, 2012 at 3:55 AM, Oliver wrote:
>> >> > Hi folks,
>> >> >
>> >> > I know my problem was posted several times. After reading a lot of the old and also newer posts, I can't see them matching my problem or any useful solution.
>> >> >
>> >> > My Setup:
>> >> > OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6
>> >> >
>> >> > Configuration is pretty much default, I just added a directory to monitor for testing realtime monitoring. This was all working fine; during the night something happened and now every two minutes I'm having the entry "ossec-logcollector: socketerr (not available)".
>> >> >
>> >> > These are the log entries in ossec.log on the agent when the error first occurred (RED); the same error for ossec-syscheckd occurred only once and never again (BLUE):
>> >> > 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
>> >> > 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>> >> > 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available).
>> >> > 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available).
>> >> >
>> >>
>> >> Are all of the OSSEC processes running? Does it correct itself if you remove your changes to the ossec.conf? Try running the processes in debug mode.
>> >>
>> > Yes, I did a $OSSEC/bin/ossec-control status and all the processes were running. How do you mean "correct itself"? If I have a typo? yes.
>> >
>>
>> I mean, if you remove your changes and restart the OSSEC processes, does everything work?
>>
>
> Didn't try that. Actually not really helpful if I would. Since the error occurred after the rollover of the logs and after hours I haven't touched the system.
>
>> >> > In the logfile on the OSSEC-Manager for that period is nothing mentioned, the first entry this morning was a restart of the Manager performed by myself.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>> >> > 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>> >> > 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>
>> >> Is this where you killed the processes?
>> >> Were all ossec processes running?
>> >> What were the log entries above those errors?
>> >> How long has the OSSEC server been running OSSEC?
>> >>
>> > Yes, this was the stop command on the agent. And the entries above were the errors I received. The server wasn't running for longer than 12hrs since I'm in a testing environment and try to understand ossec deeply before I deploy it to my servers.
>> >
>> >> > 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> > 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >
>> >> > Anyone an idea what could have happened that this error message is bothering me?
>> >> > Also a restart of both the agent and the manager didn't help.
>> >> >
>> >> > Thnx,
>> >> > Oliver
>> >
>> > The most crazy thing was, after I posted this yesterday, several hours the error disappeared. However I'm still trying to understand what had happened, since it's unusual for an application to throw an error after hours of working and none changing a bit.
>>
>> Which error? The agent or the server? The server's messages were more notification than errors, especially seeing how short of a time this system's been alive.
>>
>
> The error was always only on the Agent.
> I assume the notifications on the Manager relate to the day change and therefore a log switchover. And that's actually where I think could be the source of my question. Maybe during the rollover something happened and the logcollector failed. Unfortunately I was still not able to create that error manually. Over the past days I also haven't seen it back.
