After correcting some permissions I've got some upgrades, but some 
processes still complain about the queue.

/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 15555 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...

tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.

On Tuesday, October 11, 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases, and I got it 
> too but I've run out of ideas.
>
> The log:
>
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> I also read that local_rules may have issues; tested with -t and no errors 
> displayed, also with xmllint
>
> xmllint local_rules.xml
> <?xml version="1.0"?>
> --SNIP-
> </group>
> <!-- SYSLOG,LOCAL -->
> <!-- EOF -->
>
> There is also a file under /var/ossec/etc/decoder.xml that seems not good, 
> is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> <decoder name="pam">
> ^
>
> And found this:
>
> xmllint  ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> <!-- Frequency that syscheck is executed
>     <!-- Frequency that syscheck is executed -- default every 20 hours -->
>
> Line 74, what's missing here?
>
>  <syscheck>
>     <!-- Frequency that syscheck is executed -- default every 20 hours -->
>     <frequency>72000</frequency>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards

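A triage helper for the kind of output shown in this thread, added here as an example (it is not from the original post or from the OSSEC project): it lists the daemons that `ossec-control status` reports as not running and groups the queue errors in ossec.log by daemon, rejoining mail-wrapped log lines first. The function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in this thread; the 1210 and 1211
# entries are wrapped the way a mail client wraps long lines.
STATUS = "ossec-logcollector is running...\nossec-remoted not running...\nossec-analysisd not running...\n"
LOG = """\
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\S+ \S+) (ossec-[\w-]+)\((\d+)\): ERROR: (.*)$")
QUEUE = re.compile(r"'(/[^']*queue[^']*)'")

def stopped_daemons(status_text):
    """Daemons that `ossec-control status` lists as not running."""
    return sorted(m.group(1) for m in
                  re.finditer(r"^(ossec-[\w-]+) not running", status_text, re.M))

def unwrap(log_text):
    """Rejoin continuation lines (no leading timestamp) onto the previous entry."""
    entries = []
    for line in log_text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def queue_errors(log_text):
    """Map queue path -> {daemon: sorted error codes} for ERROR entries naming a queue."""
    found = defaultdict(lambda: defaultdict(set))
    for entry in unwrap(log_text):
        m = ENTRY.match(entry)
        q = QUEUE.search(m.group(4)) if m else None
        if q:
            found[q.group(1)][m.group(2)].add(int(m.group(3)))
    return {q: {d: sorted(c) for d, c in ds.items()} for q, ds in found.items()}

def gave_up(log_text):
    """Daemons that logged 1211 ("Unable to access queue ... Giving up") for a queue."""
    return sorted({d for ds in queue_errors(log_text).values()
                   for d, codes in ds.items() if 1211 in codes})
```

Reading `stopped_daemons()` next to `gave_up()` shows in one place which daemons are down and which running daemons have stopped trying to reach the queue socket.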