On Wed, Sep 25, 2013 at 3:20 PM, BP9906 <[email protected]> wrote:
> Hello,
> I'm seeing this behavior but it's repeatable by this 1 host I have. It is
> running Redhat 5.8.
>
> 2013/09/25 14:35:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/09/25 14:35:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2013/09/25 15:03:36 ossec-syscheckd: socketerr (not available).
> 2013/09/25 15:03:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>
> Any ideas? I've reinstalled ossec 2.7 from scratch but same error each time.

What crashed?

> On Monday, June 25, 2012 7:30:09 AM UTC-7, Oliver wrote:
>> On Friday, June 22, 2012 14:00:36 UTC+2, dan (ddpbsd) wrote:
>>> On Fri, Jun 22, 2012 at 3:16 AM, Oliver wrote:
>>>> On Thursday, June 21, 2012 12:42:22 PM UTC+2, dan (ddpbsd) wrote:
>>>>> On Thu, Jun 21, 2012 at 3:55 AM, Oliver wrote:
>>>>>> Hi folks,
>>>>>>
>>>>>> I know my problem was posted several times. After reading a lot of the old and also newer posts, I can't see them matching my problem or any useful solution.
>>>>>>
>>>>>> My Setup:
>>>>>> OSSEC-Manager & OSSEC-Agent => Version ossec-hids-2.6
>>>>>>
>>>>>> Configuration is pretty much default, I just added a directory to monitor for testing realtime monitoring. This was all working fine; during the night something happened and now I'm getting every two minutes the entry "ossec-logcollector: socketerr (not available)".
>>>>>>
>>>>>> These are the log entries in ossec.log on the agent when the error first occurred (RED); the same error for ossec-syscheckd occurred only once and never again (BLUE):
>>>>>> 2012/06/21 01:35:36 ossec-syscheckd: INFO: Starting syscheck scan.
>>>>>> 2012/06/21 01:35:58 ossec-syscheckd: INFO: Ending syscheck scan.
>>>>>> 2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
>>>>>> 2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
>>>>>> 2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
>>>>>> 2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
>>>>>> 2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>>>>>> 2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
>>>>>> 2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:11:58 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:14:08 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:16:18 ossec-logcollector: socketerr (not available).
>>>>>> 2012/06/21 02:16:43 ossec-syscheckd: INFO: Starting syscheck scan.
>>>>>> 2012/06/21 02:17:05 ossec-syscheckd: INFO: Ending syscheck scan.
>>>>>> 2012/06/21 02:18:28 ossec-logcollector: socketerr (not available).
>>>>>>
>>>>> Are all of the OSSEC processes running? Does it correct itself if you remove your changes to the ossec.conf? Try running the processes in debug mode.
>>>>>
>>>> Yes, I did a $OSSEC/bin/ossec-control status and all the processes were running. How do you mean "correct itself"? If I have a typo? Yes.
>>>
>>> I mean, if you remove your changes and restart the OSSEC processes, does everything work?
>>
>> Didn't try that. Actually not really helpful if I would, since the error occurred after the rollover of the logs and after hours I haven't touched the system.
>>
>>>>>> In the logfile on the OSSEC-Manager for that period nothing is mentioned; the first entry this morning was a restart of the Manager performed by myself.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2012/Jun/ossec-archive-19.log.sum'. Starting over.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2012/Jun/ossec-alerts-19.log.sum'. Starting over.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>>>>>> 2012/06/21 00:00:36 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2012/Jun/ossec-firewall-19.log.sum'. Starting over.
>>>>>> 2012/06/21 08:38:27 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>>>
>>>>> Is this where you killed the processes?
>>>>> Were all ossec processes running?
>>>>> What were the log entries above those errors?
>>>>> How long has the OSSEC server been running OSSEC?
>>>>>
>>>> Yes, this was the stop command on the agent. And the entries above were the errors I received. The server wasn't running for longer than 12hrs since I'm in a testing environment and try to understand ossec deeply before I deploy it to my servers.
>>>>>
>>>>>> 2012/06/21 08:38:27 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>>>> 2012/06/21 08:38:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>>>>
>>>>>> Anyone an idea what could have happened that this error message is bothering me?
>>>>>> Also a restart of both the agent and the manager didn't help.
>>>>>>
>>>>>> Thnx,
>>>>>> Oliver
>>>>
>>>> The most crazy thing was, after I posted this yesterday, several hours later the error disappeared. However I'm still trying to understand what had happened, since it's unusual for an application to throw an error after hours of working and nothing changing a bit.
>>>
>>> Which error? The agent or the server? The server's messages were more notification than errors, especially seeing how short of a time this system's been alive.
>>
>> The error was always only on the Agent. I assume the notifications on the Manager relate to the day change and therefore a log switchover. And that's actually where I think the source of my question could be. Maybe during the rollover something happened and the logcollector failed. Unfortunately I was still not able to create that error manually. Over the past days I also haven't seen it back.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
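The thread never settles what made the agent daemons lose their internal queue, but dan's questions (are the processes running, what was logged just before the first error, is it recurring or a one-off) are the triage a defender would automate. The script below is an added example, not code from the thread or from the OSSEC project: it parses agent `ossec.log` lines in the format quoted above, separates one-off queue failures (the single syscheckd `socketerr` followed by error 1224) from a recurring one (logcollector every ~2 minutes), pulls the entries immediately preceding the first failure, and checks whether the agent's queue socket exists on disk. The sample log is constructed from the pattern in Oliver's post, and the socket path in `__main__` is an assumed default that you should adjust to your install.

```python
import os
import re
import stat
import statistics
from datetime import datetime

# Constructed sample modelled on the agent ossec.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2012/06/21 01:50:58 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 01:51:20 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:03:17 ossec-logcollector: socketerr (not available).
2012/06/21 02:05:27 ossec-logcollector: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd: INFO: Starting syscheck scan.
2012/06/21 02:06:20 ossec-syscheckd: socketerr (not available).
2012/06/21 02:06:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2012/06/21 02:06:42 ossec-syscheckd: INFO: Ending syscheck scan.
2012/06/21 02:07:38 ossec-logcollector: socketerr (not available).
2012/06/21 02:09:48 ossec-logcollector: socketerr (not available).
"""

# "YYYY/MM/DD HH:MM:SS daemon(optional-code): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_ossec_log(text):
    """Turn raw ossec.log text into a list of {ts, daemon, code, msg} dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation or unrelated lines
        entries.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "daemon": m["daemon"],
            "code": m["code"],
            "msg": m["msg"],
        })
    return entries


def is_queue_failure(entry):
    """Both forms seen in the thread: 'socketerr (not available)' and error 1224."""
    return entry["msg"].startswith("socketerr") or entry["code"] == "1224"


def socketerr_summary(entries, min_repeats=3):
    """Per daemon: how many queue failures, when, and whether they recur."""
    per_daemon = {}
    for e in entries:
        if is_queue_failure(e):
            per_daemon.setdefault(e["daemon"], []).append(e["ts"])
    summary = {}
    for daemon, stamps in per_daemon.items():
        unique = sorted(set(stamps))  # socketerr + 1224 share one timestamp
        gaps = [(b - a).total_seconds() for a, b in zip(unique, unique[1:])]
        summary[daemon] = {
            "count": len(stamps),
            "first": unique[0],
            "last": unique[-1],
            "median_interval_s": statistics.median(gaps) if gaps else None,
            "recurring": len(unique) >= min_repeats,
        }
    return summary


def context_before_first_failure(entries, daemon, n=3):
    """The n entries logged right before the daemon's first queue failure."""
    for i, e in enumerate(entries):
        if e["daemon"] == daemon and is_queue_failure(e):
            return entries[max(0, i - n):i]
    return []


def queue_socket_state(path):
    """Report whether the queue socket path exists and is actually a socket."""
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    return "socket" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


if __name__ == "__main__":
    entries = parse_ossec_log(SAMPLE_LOG)
    for daemon, info in socketerr_summary(entries).items():
        print(daemon, info)
        for ctx in context_before_first_failure(entries, daemon):
            print("   before:", ctx["ts"], ctx["daemon"], ctx["msg"])
    # Assumed default location of the agent-side queue socket; adjust to your install.
    print("queue socket:", queue_socket_state("/var/ossec/queue/ossec/queue"))
```

Run against a real `ossec.log` by replacing `SAMPLE_LOG` with the file contents. A `recurring` daemon with a steady median interval points at a daemon that keeps retrying a queue that never comes back, whereas a single failure at the same instant as "Starting syscheck scan" is the one-off the thread describes; `queue_socket_state` returning "missing" or "not-a-socket" is the first thing to check before restarting anything.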
