Hi all,

I have a weird problem with the ossec-remoted and logcollector daemons. When I start the ossec services as normal, everything seems to be OK, all services run properly like below and there is nothing wrong in the logs.

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd not running...

Although all agents seem to be connected to the server, ossec doesn't work properly; it sometimes generates alerts and sometimes doesn't. I tried to test it many times by creating a user or generating a syslog message with a $badwords (core_dumped etc.) from the agent, which should fire an alert on the ossec server.

When I enable debug mode to inspect the problem, the remoted and logcollector services don't start properly and I get the following error messages:

# /var/ossec/bin/ossec-control enable debug
# /var/ossec/bin/ossec-control restart
...
2015/03/10 01:53:32 ossec-rootcheck: Starting queue ...
2015/03/10 01:53:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/03/10 01:53:35 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/03/10 01:53:43 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '65536'.
Started ossec-syscheckd...
2015/03/10 01:53:43 ossec-monitord: DEBUG: Starting ...
Started ossec-monitord...
Completed.
-----
ossec-monitord is running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...

But this happens only if debug mode is enabled. When I disable it, all services run normally again (at least it seems so) and ossec-remoted starts to listen on 1514.

I've read the troubleshooting section of the documentation and checked the server, but I couldn't find any misconfiguration or wrong permissions, so I don't have any idea what's wrong with it...

Can you guys please help me?

Thanks.
