This happened again! Jan 1st.

On Tuesday, December 1, 2015 at 11:28:23 AM UTC-5, Dan Burns wrote:
>
> Hello,
>
> I'm running OSSEC (cloned from Git mid-September) with the ELK on an
> Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine.
>
> November and December first, I found OSSEC crashed, with the following
> output from service ossec status:
>
> root@pd-vsl-log-01:/var/ossec/logs/alerts# service ossec status
> ossec-monitord is running...
> ossec-logcollector: Process 1006 not used by ossec, removing ..
> ossec-logcollector not running...
> ossec-remoted: Process 1011 not used by ossec, removing ..
> ossec-remoted: Process 1012 not used by ossec, removing ..
> ossec-remoted not running...
> ossec-syscheckd: Process 1016 not used by ossec, removing ..
> ossec-syscheckd not running...
> ossec-analysisd: Process 1000 not used by ossec, removing ..
> ossec-analysisd not running...
> ossec-maild is running...
> ossec-execd not running...
> root@pd-vsl-log-01:/var/ossec/logs/alerts# service ossec status
> ossec-monitord is running...
> ossec-logcollector not running...
> ossec-remoted not running...
> ossec-syscheckd not running...
> ossec-analysisd not running...
> ossec-maild is running...
> ossec-execd not running...
>
> Logstash is simply not running, but oddly enough in both cases it seemed
> Logstash failed a few days before OSSEC, so I don't know for sure if it's
> related.
>
> Looking at the alerts.log and archive.log, the time-stamps show 23:59, so
> it failed right at midnight, on the last day of the month, two months in a
> row:
>
> root@pd-vsl-log-01:/var/ossec/logs/archives# ls -l
> total 406844
> drwxr-x--- 5 ossec ossec      4096 Nov  5 15:50 2015
> -rw-r----- 1 ossec ossec 416600064 Nov 30 23:59 archives.log
>
> The tail of ossec.log shows the following right at midnight:
>
> 2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2015/12/01 00:00:12 ossec-logcollector: socketerr (not available).
> 2015/12/01 00:02:22 ossec-logcollector: socketerr (not available).
> 2015/12/01 00:02:22 ossec-logcollector(1224): ERROR: Error sending message to queue.
> 2015/12/01 00:02:25 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/01 00:02:25 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
> 2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
> 2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
> 2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
> ...
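The failure pattern in the quoted message is worth catching automatically, because a HIDS whose analysisd has died is a silent failure: remoted, logcollector and monitord keep running for a while, logging "Connection refused" against /queue/ossec/queue, and nothing alerts. The script below is an added example for this thread, not OSSEC's own code. It parses the two artifacts the post shows, the tail of ossec.log and the output of `service ossec status`, records the first queue error per daemon, lists the daemons that are down along with the stale PIDs the init script removed, and checks whether the earliest failure lands just after midnight on the first of a month, which is the rollover pattern the post reports. The message ids 1210, 1211 and 1224 are the ones visible in the quoted log; the five-minute rollover window is an arbitrary choice. The check singles out ossec-analysisd because it is the daemon that serves the queue socket, so its absence explains every other daemon's "Connection refused".

```python
import re
from datetime import datetime, timedelta

# Samples copied from the post; ossec.log lines are joined back onto single
# lines where the mail client had wrapped them.
SAMPLE_LOG = """\
2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:00:04 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:00:04 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2015/12/01 00:00:12 ossec-logcollector: socketerr (not available).
2015/12/01 00:02:22 ossec-logcollector(1224): ERROR: Error sending message to queue.
2015/12/01 00:02:25 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/01 00:25:13 ossec-monitord: socketerr (not available).
2015/12/01 00:25:13 ossec-monitord(1224): ERROR: Error sending message to queue.
"""

SAMPLE_STATUS = """\
ossec-monitord is running...
ossec-logcollector: Process 1006 not used by ossec, removing ..
ossec-logcollector not running...
ossec-remoted: Process 1011 not used by ossec, removing ..
ossec-remoted: Process 1012 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd: Process 1016 not used by ossec, removing ..
ossec-syscheckd not running...
ossec-analysisd: Process 1000 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd not running...
"""

# "YYYY/MM/DD HH:MM:SS ossec-daemon(code): message"; the (code) part is
# absent on the "socketerr" lines, so it is optional here.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
STATUS_LINE = re.compile(r"^(?P<daemon>ossec-[a-z]+) (?P<state>is running|not running)\.\.\.$")
STALE_PID = re.compile(r"^(?P<daemon>ossec-[a-z]+): Process (?P<pid>\d+) not used by ossec, removing")

# Message ids that appear in the post when a daemon cannot reach the queue.
QUEUE_ERROR_CODES = {"1210", "1211", "1224"}
# The daemon that serves /queue/ossec/queue; if it is down, everyone else's
# "Connection refused" is a symptom, not the cause.
QUEUE_OWNER = "ossec-analysisd"


def parse_ts(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def first_queue_failures(log_text):
    """Map each daemon to the timestamp of its first queue-related error."""
    first = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        queue_err = m.group("code") in QUEUE_ERROR_CODES or m.group("msg").startswith("socketerr")
        if queue_err:
            first.setdefault(m.group("daemon"), parse_ts(m.group("ts")))
    return first


def parse_status(status_text):
    """Return ({daemon: running?}, {daemon: [stale pids removed by the init script]})."""
    running, stale = {}, {}
    for raw in status_text.splitlines():
        line = raw.strip()
        m = STATUS_LINE.match(line)
        if m:
            running[m.group("daemon")] = m.group("state") == "is running"
            continue
        m = STALE_PID.match(line)
        if m:
            stale.setdefault(m.group("daemon"), []).append(int(m.group("pid")))
    return running, stale


def at_month_rollover(ts, window=timedelta(minutes=5)):
    """True if ts falls within `window` after midnight on the first of its month."""
    month_start = ts.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    return timedelta(0) <= ts - month_start <= window


def assess(log_text, status_text):
    """Combine both artifacts into one health verdict for the OSSEC queue."""
    failures = first_queue_failures(log_text)
    running, stale = parse_status(status_text)
    earliest = min(failures.values()) if failures else None
    return {
        "queue_lost_by": failures,
        "earliest": earliest,
        "at_month_rollover": earliest is not None and at_month_rollover(earliest),
        "not_running": sorted(d for d, up in running.items() if not up),
        "stale_pids": stale,
        "queue_owner_down": running.get(QUEUE_OWNER) is False,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG, SAMPLE_STATUS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a live box, feed it `tail -n 200 /var/ossec/logs/ossec.log` and the current `service ossec status` output instead of the samples; a non-empty `not_running` list or `queue_owner_down` being true is the condition to page on, and `at_month_rollover` tells you whether the outage matches the end-of-month timing described above.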
