Hello, I'm running OSSEC (cloned from Git mid-September) with ELK on an Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine.

On November first and December first, I found OSSEC crashed, with the following output from service ossec status:

root@pd-vsl-log-01:/var/ossec/logs/alerts# service ossec status
ossec-monitord is running...
ossec-logcollector: Process 1006 not used by ossec, removing ..
ossec-logcollector not running...
ossec-remoted: Process 1011 not used by ossec, removing ..
ossec-remoted: Process 1012 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd: Process 1016 not used by ossec, removing ..
ossec-syscheckd not running...
ossec-analysisd: Process 1000 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd not running...

root@pd-vsl-log-01:/var/ossec/logs/alerts# service ossec status
ossec-monitord is running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild is running...
ossec-execd not running...

Logstash is simply not running, but oddly enough, in both cases it seemed Logstash failed a few days before OSSEC, so I don't know for sure if it's related.

Looking at the alerts.log and archive.log, the time-stamps show 23:59, so it failed right at midnight, on the last day of the month, two months in a row:

root@pd-vsl-log-01:/var/ossec/logs/archives# ls -l
total 406844
drwxr-x--- 5 ossec ossec      4096 Nov  5 15:50 2015
-rw-r----- 1 ossec ossec 416600064 Nov 30 23:59 archives.log

The tail of ossec.log shows the following right at midnight:

2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2015/12/01 00:00:12 ossec-logcollector: socketerr (not available).
2015/12/01 00:02:22 ossec-logcollector: socketerr (not available).
2015/12/01 00:02:22 ossec-logcollector(1224): ERROR: Error sending message to queue.
2015/12/01 00:02:25 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:02:25 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:27:13 ossec-monitord: socketerr (not available).
2015/12/01 00:27:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:29:13 ossec-monitord: socketerr (not available).
2015/12/01 00:29:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:29:13 ossec-monitord: socketerr (not available).
2015/12/01 00:29:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:29:13 ossec-monitord: socketerr (not available).
2015/12/01 00:29:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:29:13 ossec-monitord: socketerr (not available).
2015/12/01 00:29:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:29:13 ossec-monitord: socketerr (not available).
2015/12/01 00:29:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 00:31:13 ossec-monitord: socketerr (not available).
2015/12/01 00:31:13 ossec-monitord(1224): ERROR: Error sending message to queue.
2015/12/01 01:31:49 ossec-syscheckd: socketerr (not available).
2015/12/01 01:31:49 rootcheck(1224): ERROR: Error sending message to queue.
2015/12/01 01:31:52 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 01:31:52 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

Any input would be greatly appreciated!
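A small health check for the failure pattern in the post, added here as an example and not part of the original message or of OSSEC itself: it parses ossec.log lines in the format quoted above, notes for each daemon when it first lost the analysisd queue socket and whether it gave up, and lists the daemons that `service ossec status` reports down. The sample log and status text are constructed from the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample in the ossec.log format quoted in the post
SAMPLE_OSSEC_LOG = """\
2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2015/12/01 00:00:12 ossec-logcollector: socketerr (not available).
2015/12/01 00:02:22 ossec-logcollector(1224): ERROR: Error sending message to queue.
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 01:31:52 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 01:31:52 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# Constructed sample of `service ossec status` output, as quoted in the post
SAMPLE_STATUS = """\
ossec-monitord is running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-analysisd not running...
ossec-maild is running...
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+?)(?:\((\d+)\))?: (.*)$")
# Every other daemon writes events to the unix socket queue/ossec/queue, which is
# created and read by ossec-analysisd; these messages mean the writer lost analysisd.
QUEUE_ERR = re.compile(r"socketerr|not accessible|Unable to access queue|Error sending message to queue")

def queue_failures(log_text):
    """Map each daemon to (first queue error timestamp, whether it gave up)."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not QUEUE_ERR.search(m.group(4)):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        daemon = m.group(2)
        first, gave_up = out.get(daemon, (ts, False))
        out[daemon] = (min(first, ts), gave_up or "Giving up" in m.group(4))
    return out

def daemons_down(status_text):
    """Daemons that `service ossec status` reports as not running."""
    return sorted(l.split()[0] for l in status_text.splitlines() if l.rstrip().endswith("not running..."))

def diagnose(log_text, status_text):
    """Summarise when the queue was first lost, who gave up, and what is down now."""
    fails = queue_failures(log_text)
    first = min(ts for ts, _ in fails.values()) if fails else None
    return {"first_queue_error": first,
            "gave_up": sorted(d for d, (_, g) in fails.items() if g),
            "down": daemons_down(status_text)}
```

Run `diagnose(open("/var/ossec/logs/ossec.log").read(), status_output)` against the real log and status text to see whether the first queue error lines up with the midnight log rotation, as it does in the sample.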
