
List:       ossec-dev
Subject:    Re: [ossec-dev] OSSEC Agent Crashing
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2017-01-11 15:12:33
Message-ID: CAMyQvMqv+C2o5YjAFNx8ibLF_uiNMuTiSJ03KHkUJmRWR3R7NQ () mail ! gmail ! com

On Wed, Jan 11, 2017 at 9:46 AM, Chris Decker <chris@chris-decker.com> wrote:
> All,
> 
> I have one host where the OSSEC agent software is crashing -
> ossec-logcollector, ossec-syscheckd and ossec-agentd in particular.  I
> modified the internal_options.conf so that ossec-logcollector was running at
> a debug level of '1', but I don't get any additional log entries that appear
> to be helpful:
> > 
> > 2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
> > 2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message
> > to queue.
> > 2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access
> > queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2017/01/10 15:33:11 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2017/01/10 15:33:11 ossec-syscheckd: socketerr (not available).
> > 2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to
> > queue.
> > 2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue:
> > '/var/ossec/queue/ossec/queue'. Giving up..
> 
> 
> service ossec-hids status
> > 
> > ossec-logcollector: Process 2250 not used by ossec, removing ..
> > ossec-logcollector not running...
> > ossec-syscheckd: Process 2254 not used by ossec, removing ..
> > ossec-syscheckd not running...
> > ossec-agentd: Process 2246 not used by ossec, removing ..
> > ossec-agentd not running...
> > ossec-execd is running...
> 
> 
> 
> I just recently enabled debug on ossec-logcollector and ossec-syscheckd, so
> perhaps I'll get some helpful information from them.
> 
> I should also disclose that I'm not running the latest/greatest version of
> the agent software on this host - it has the Atomic RPM version
> ossec-hids-2.8.2-49.el6.art.x86_64 installed.
> 
> 
> Other than upgrading the agent, does anyone have any other suggestions on
> what I can look at to fix the issue?
> 

Try shutting down all of the ossec processes, then starting
ossec-agentd in the foreground (`/var/ossec/bin/ossec-agentd -df`).
Check for errors. If there are none, start the other processes
manually to see what happens.

> 
> 
> 
> Thanks,
> Chris
> 
> 
> 
> 
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-dev+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
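
Added example, not part of the original messages or of OSSEC: a Python triage of the two outputs quoted above. It reports which daemons logged queue errors and which stopped daemons logged nothing at all, the case where a foreground run with `-df` is the next step. The function names are hypothetical, and the sample input is the quoted text with wrapped lines rejoined.

```python
import re

# Constructed input: lines copied from the quoted ossec.log excerpt and the
# `service ossec-hids status` output, with mail-wrapped lines rejoined.
OSSEC_LOG = """\
2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message to queue.
2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2017/01/10 15:33:11 ossec-syscheckd: INFO: Starting syscheck scan.
2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""
STATUS = """\
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd is running...
"""

# timestamp, daemon name, optional (error code), message
LOG_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-[a-z]+)(?:\((\d+)\))?: (.*)$")
QUEUE_RE = re.compile(r"[Qq]ueue:? '([^']+)'")

def queue_failures(log_text):
    """Per daemon: ordered error codes, the queue path named, and when it gave up."""
    out = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) is None or "ERROR" not in m.group(4):
            continue  # skip INFO lines and lines without a numeric error code
        ts, daemon, code, msg = m.groups()
        entry = out.setdefault(daemon, {"codes": [], "queue": None, "gave_up": None})
        entry["codes"].append(int(code))
        q = QUEUE_RE.search(msg)
        if q:
            entry["queue"] = q.group(1)
        if "Giving up" in msg:
            entry["gave_up"] = ts
    return out

def silent_stopped(log_text, status_text):
    """Daemons reported as not running that left no error line in the log."""
    stopped = re.findall(r"^(ossec-[a-z]+) not running", status_text, re.M)
    failures = queue_failures(log_text)
    return [d for d in stopped if d not in failures]
```

For this input `silent_stopped` returns only `ossec-agentd`, the daemon the reply says to start in the foreground first.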
