List: ossec-dev
Subject: Re: [ossec-dev] OSSEC Agent Crashing
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2017-01-11 15:12:33
Message-ID: CAMyQvMqv+C2o5YjAFNx8ibLF_uiNMuTiSJ03KHkUJmRWR3R7NQ () mail ! gmail ! com
On Wed, Jan 11, 2017 at 9:46 AM, Chris Decker <chris@chris-decker.com> wrote:
> All,
>
> I have one host where the OSSEC agent software is crashing -
> ossec-logcollector, ossec-syscheckd and ossec-agentd in particular. I
> modified the internal_options.conf so that ossec-logcollector was running at
> a debug level of '1', but I don't get any additional log entries that appear
> to be helpful:
> >
> > 2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
> > 2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message
> > to queue.
> > 2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access
> > queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2017/01/10 15:33:11 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2017/01/10 15:33:11 ossec-syscheckd: socketerr (not available).
> > 2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to
> > queue.
> > 2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue:
> > '/var/ossec/queue/ossec/queue'. Giving up..
>
>
> service ossec-hids status
> >
> > ossec-logcollector: Process 2250 not used by ossec, removing ..
> > ossec-logcollector not running...
> > ossec-syscheckd: Process 2254 not used by ossec, removing ..
> > ossec-syscheckd not running...
> > ossec-agentd: Process 2246 not used by ossec, removing ..
> > ossec-agentd not running...
> > ossec-execd is running...
>
>
>
> I just recently enabled debug on ossec-logcollector and ossec-syscheckd, so
> perhaps I'll get some helpful information from them.
>
> I should also disclose that I'm not running the latest/greatest version of
> the agent software on this host - it has the Atomic RPM version
> ossec-hids-2.8.2-49.el6.art.x86_64 installed.
>
>
> Other than upgrading the agent, does anyone have any other suggestions on
> what I can look at to fix the issue?
>
Try shutting down all of the ossec processes, then starting
ossec-agentd in the foreground (`/var/ossec/bin/ossec-agentd -df`).
Check for errors. If there are none, start the other processes
manually to see what happens.
>
>
>
> Thanks,
> Chris
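An added example, not part of the thread and not OSSEC code: a Python triage helper for log excerpts like the one quoted above. It rejoins wrapped lines, then reports which daemons logged 1211 and gave up on the queue, with the time of their first queue error and the cause from the 1210 entry. The function names are hypothetical and the sample is the thread's excerpt, abridged.

```python
import re

# Constructed sample: the log excerpt quoted in the thread (abridged), pasted
# with its e-mail quote markers and line wrapping left in place.
SAMPLE = """\
> > 2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
> > 2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message
> > to queue.
> > 2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access
> > queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to
> > queue.
> > 2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue
> > '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue:
> > '/var/ossec/queue/ossec/queue'. Giving up..
"""

ENTRY = re.compile(r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: (.*)")
REASON = re.compile(r"not accessible: '([^']*)'")

def parse(text):
    """Return (timestamp, daemon, code, message) tuples, rejoining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # drop e-mail quote markers
        m = ENTRY.fullmatch(line)
        if m:
            ts, daemon, code, msg = m.groups()
            records.append([ts, daemon, int(code) if code else None, msg])
        elif line and records:
            records[-1][3] += " " + line      # continuation of a wrapped entry
    return [tuple(r) for r in records]

def queue_exits(records):
    """Daemons that logged 1211 (gave up on the queue): first error, cause, exit time."""
    seen = {}
    for ts, daemon, code, msg in records:
        if code not in (1224, 1210, 1211):
            continue
        d = seen.setdefault(daemon, {"first_error": ts, "reason": None, "gave_up": None})
        if code == 1210 and (m := REASON.search(msg)):
            d["reason"] = m.group(1)          # errno text, e.g. 'Connection refused'
        if code == 1211:
            d["gave_up"] = ts                 # last time the daemon gave up
    return {name: d for name, d in seen.items() if d["gave_up"]}
```

A `Connection refused` cause means nothing was listening on the queue socket at that moment, so the entries worth reading next are the ones logged before `first_error`.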