Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
2,180 views
Skip to first unread message
Kernel Panic
Oct 11, 2016, 2:22:03 PM10/11/16
to ossec-list
Hi guys,
Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea.
The log:
2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
The queue
srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint
xmllint local_rules.xml
<?xml version="1.0"?>
--SNIP-
</group>
<!-- SYSLOG,LOCAL -->
<!-- EOF -->
There is a file also under /var/ossec/etc/decoder.xml that seems not good , is that correct?
xmllint decoder.xml
decoder.xml:52: parser error : Extra content at the end of the document
<decoder name="pam">
^
And found this:
xmllint ossec.conf
ossec.conf:74: parser error : Comment not terminated
<!-- Frequency that syscheck is executed
<!-- Frequency that syscheck is executed -- default every 20 hours -->
Line 74, what's missing here?
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>72000</frequency>
ossec-hids-2.8.3-53.el6.art.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-wui-0.8-4.el6.art.noarch
Thanks for your time and support
Regards
Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea.
The log:
2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
The queue
srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint
xmllint local_rules.xml
<?xml version="1.0"?>
--SNIP-
</group>
<!-- SYSLOG,LOCAL -->
<!-- EOF -->
There is a file also under /var/ossec/etc/decoder.xml that seems not good , is that correct?
xmllint decoder.xml
decoder.xml:52: parser error : Extra content at the end of the document
<decoder name="pam">
^
And found this:
xmllint ossec.conf
ossec.conf:74: parser error : Comment not terminated
<!-- Frequency that syscheck is executed
<!-- Frequency that syscheck is executed -- default every 20 hours -->
Line 74, what's missing here?
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>72000</frequency>
ossec-hids-2.8.3-53.el6.art.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-wui-0.8-4.el6.art.noarch
Thanks for your time and support
Regards
dan (ddp)
Oct 11, 2016, 9:16:49 PM10/11/16
to ossec...@googlegroups.com
On Oct 11, 2016 2:22 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea.
>
> The log:
>
Are there any errors befoew these messages?
Maybe try starting the daemons manually one at a time (with -df) to see which fails.
> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw----. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint
>
> xmllint local_rules.xml
> <?xml version="1.0"?>
> --SNIP-
> </group>
> <!-- SYSLOG,LOCAL -->
> <!-- EOF -->
>
> There is a file also under /var/ossec/etc/decoder.xml that seems not good , is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> <decoder name="pam">
> ^
>
Did you modify this file?
Does `ossec-logtest -t` complain about it?
> And found this:
>
> xmllint ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> <!-- Frequency that syscheck is executed
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
>
> Line 74, what's missing here?
>
I see the "-->" there. Right after "hours." xmllint doesn't apply to ossec.
> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <frequency>72000</frequency>
>
>
>
>
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards
>
>
>
>
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Kernel Panic
Oct 12, 2016, 8:59:23 AM10/12/16
to ossec-list
Hi
Did not modify that file, I I realized some of them were in xml format just wanted to check
This is what I've get running the services manually with -df
2016/10/12 07:31:20 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: Starting queue ...
2016/10/12 07:31:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 07:34:23 ossec-monitord: DEBUG: Starting ...
2016/10/12 07:34:23 ossec-monitord: INFO: Chrooted to directory: /var/ossec, using user: ossec
2016/10/12 07:34:23 ossec-monitord: INFO: Started (pid: 12499).
2016/10/12 07:34:36 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:34:36 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2016/10/12 07:46:50 ossec-analysisd: DEBUG: FTSInit completed.
2016/10/12 07:46:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2016/10/12 07:46:56 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2016/10/12 07:46:59 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd: DEBUG: Active response Init completed.
2016/10/12 07:46:59 alerts: Error opening logfile: '/logs/alerts/2016/Oct/ossec-alerts-12.log'
var/ossec/queue/alerts# ls -la
srwxrwxrwx. 1 apache ossec 0 Oct 12 07:52 ar
srw-rw----. 1 apache ossec 0 Oct 11 15:55 execq
ls -la logs/archives/2016/Oct/ossec-archive-12.log
-rw-r-----. 2 apache ossec 0 Oct 12 07:43 logs/archives/2016/Oct/ossec-archive-12.log
ossec-remoted: Error accessing file '/etc/shared/system_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_trojans.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_files.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel5_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_malware_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_debian_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_applications_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/system_audit_ssh.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel6_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel7_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: DEBUG: Running manager_init
2016/10/12 07:58:32 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:58:32 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
/var/ossec/etc/shared# ls -la
total 204
drwxrwxr-x. 2 ossec ossec 4096 Oct 11 09:23 .
drwxrwxr-x. 6 apache ossec 4096 Oct 11 15:47 ..
-rw-rw----. 1 ossec ossec 2949 Apr 8 2016 agent.conf
-rw-rw----. 1 ossec ossec 153 Oct 12 07:53 ar.conf
-rw-rw----. 1 ossec root 11136 Apr 8 2016 cis_debian_linux_rcl.txt
-rw-rw----. 1 ossec root 31813 Apr 8 2016 cis_rhel5_linux_rcl.txt
-rw-rw----. 1 ossec root 30004 Apr 8 2016 cis_rhel6_linux_rcl.txt
-rw-rw----. 1 ossec root 32808 Apr 8 2016 cis_rhel7_linux_rcl.txt
-rw-rw----. 1 ossec root 15845 Apr 8 2016 cis_rhel_linux_rcl.txt
-rw-rw----. 1 ossec ossec 3132 Oct 12 07:58 merged.mg
-rw-rw----. 1 ossec root 15942 Apr 8 2016 rootkit_files.txt
-rw-rw----. 1 ossec root 5301 Apr 8 2016 rootkit_trojans.txt
-rw-rw----. 1 ossec root 4958 Apr 8 2016 system_audit_rcl.txt
-rw-rw----. 1 ossec root 1774 Apr 8 2016 system_audit_ssh.txt
-rw-rw----. 1 ossec root 4829 Apr 8 2016 win_applications_rcl.txt
-rw-rw----. 1 ossec root 3944 Apr 8 2016 win_audit_rcl.txt
-rw-rw----. 1 ossec root 5005 Apr 8 2016 win_malware_rcl.txt
Thanks in advance.
Did not modify that file, I I realized some of them were in xml format just wanted to check
This is what I've get running the services manually with -df
2016/10/12 07:31:20 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 07:31:20 ossec-rootcheck: Starting queue ...
2016/10/12 07:31:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:31:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 07:34:23 ossec-monitord: DEBUG: Starting ...
2016/10/12 07:34:23 ossec-monitord: INFO: Chrooted to directory: /var/ossec, using user: ossec
2016/10/12 07:34:23 ossec-monitord: INFO: Started (pid: 12499).
2016/10/12 07:34:36 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:34:36 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2016/10/12 07:46:50 ossec-analysisd: DEBUG: FTSInit completed.
2016/10/12 07:46:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2016/10/12 07:46:56 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2016/10/12 07:46:59 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2016/10/12 07:46:59 ossec-analysisd: DEBUG: Active response Init completed.
2016/10/12 07:46:59 alerts: Error opening logfile: '/logs/alerts/2016/Oct/ossec-alerts-12.log'
var/ossec/queue/alerts# ls -la
srwxrwxrwx. 1 apache ossec 0 Oct 12 07:52 ar
srw-rw----. 1 apache ossec 0 Oct 11 15:55 execq
ls -la logs/archives/2016/Oct/ossec-archive-12.log
-rw-r-----. 2 apache ossec 0 Oct 12 07:43 logs/archives/2016/Oct/ossec-archive-12.log
ossec-remoted: Error accessing file '/etc/shared/system_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_audit_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_trojans.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/rootkit_files.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel5_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_malware_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_debian_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/win_applications_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/system_audit_ssh.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel6_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: Error accessing file '/etc/shared/cis_rhel7_linux_rcl.txt'
2016/10/12 07:58:29 ossec-remoted: DEBUG: Running manager_init
2016/10/12 07:58:32 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 07:58:32 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
/var/ossec/etc/shared# ls -la
total 204
drwxrwxr-x. 2 ossec ossec 4096 Oct 11 09:23 .
drwxrwxr-x. 6 apache ossec 4096 Oct 11 15:47 ..
-rw-rw----. 1 ossec ossec 2949 Apr 8 2016 agent.conf
-rw-rw----. 1 ossec ossec 153 Oct 12 07:53 ar.conf
-rw-rw----. 1 ossec root 11136 Apr 8 2016 cis_debian_linux_rcl.txt
-rw-rw----. 1 ossec root 31813 Apr 8 2016 cis_rhel5_linux_rcl.txt
-rw-rw----. 1 ossec root 30004 Apr 8 2016 cis_rhel6_linux_rcl.txt
-rw-rw----. 1 ossec root 32808 Apr 8 2016 cis_rhel7_linux_rcl.txt
-rw-rw----. 1 ossec root 15845 Apr 8 2016 cis_rhel_linux_rcl.txt
-rw-rw----. 1 ossec ossec 3132 Oct 12 07:58 merged.mg
-rw-rw----. 1 ossec root 15942 Apr 8 2016 rootkit_files.txt
-rw-rw----. 1 ossec root 5301 Apr 8 2016 rootkit_trojans.txt
-rw-rw----. 1 ossec root 4958 Apr 8 2016 system_audit_rcl.txt
-rw-rw----. 1 ossec root 1774 Apr 8 2016 system_audit_ssh.txt
-rw-rw----. 1 ossec root 4829 Apr 8 2016 win_applications_rcl.txt
-rw-rw----. 1 ossec root 3944 Apr 8 2016 win_audit_rcl.txt
-rw-rw----. 1 ossec root 5005 Apr 8 2016 win_malware_rcl.txt
Thanks in advance.
Kernel Panic
Oct 12, 2016, 9:08:12 AM10/12/16
to ossec-list
After correcting some permission I've got some upgrades but still some preocess complain about the queue.
/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 15555 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...
tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 15564 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 15555 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...
tail -f ossec.log
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/10/12 08:04:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/10/12 08:05:08 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2016/10/12 08:06:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/12 08:06:48 ossec-syscheckd: socketerr (not available).
2016/10/12 08:06:48 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2016/10/12 08:06:51 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:06:51 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/12 08:07:03 ossec-logcollector: socketerr (not available).
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2016/10/12 08:07:03 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
Kernel Panic
Oct 12, 2016, 9:09:29 AM10/12/16
to ossec-list
chmod 777 /var/ossec/queue/ossec/queue
z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
dan (ddp)
Oct 12, 2016, 9:38:57 AM10/12/16
to ossec...@googlegroups.com
On Wed, Oct 12, 2016 at 9:09 AM, Kernel Panic <netwar...@gmail.com> wrote:
>
> chmod 777 /var/ossec/queue/ossec/queue
> z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
> 2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
> 2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
Make sure you're starting these in the correct order. Based on an
>
> chmod 777 /var/ossec/queue/ossec/queue
> z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
> 2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: Starting queue ...
> 2016/10/12 08:09:08 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/12 08:09:08 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
`ossec-control start` I get the following order:
ossec-maild
ossec-execd
ossec-analysisd
ossec-logcollector
ossec-remoted
ossec-syscheckd
ossec-monitord
Kernel Panic
Oct 12, 2016, 9:56:06 AM10/12/16
to ossec-list
Hi guys
Well, after fixing lots of permission it seems it's working now:
Well, after fixing lots of permission it seems it's working now:
/var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
Now, which is the port that should be listening for agent connections?
From the client:
Trying to connect to server (x.x.x.x:1514)
On the server:
lsof -i:1514 ( nothing)
Thanks in advance.
Regards
From the client:
Trying to connect to server (x.x.x.x:1514)
On the server:
lsof -i:1514 ( nothing)
Thanks in advance.
Regards
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
Kernel Panic
Oct 12, 2016, 10:06:04 AM10/12/16
to ossec-list
These are my udp ports:
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:8231 0.0.0.0:*
udp 0 0 127.0.0.1:703 0.0.0.0:*
udp 0 0 0.0.0.0:51797 0.0.0.0:*
udp 0 0 127.0.0.1:3030 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:627 0.0.0.0:*
udp 0 0 10.77.1.147:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::41574 :::*
udp 0 0 :::111 :::*
udp 0 0 :::627 :::*
udp 0 0 fe80::250:56ff:fe88:2b2b:123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*
On the remote section I've got the following ( the documentation says it will take default values )
<remote>
<connection>secure</connection>
</remote>
Thank you for your time and support
Regards
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:8231 0.0.0.0:*
udp 0 0 127.0.0.1:703 0.0.0.0:*
udp 0 0 0.0.0.0:51797 0.0.0.0:*
udp 0 0 127.0.0.1:3030 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:627 0.0.0.0:*
udp 0 0 10.77.1.147:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 :::41574 :::*
udp 0 0 :::111 :::*
udp 0 0 :::627 :::*
udp 0 0 fe80::250:56ff:fe88:2b2b:123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*
On the remote section I've got the following ( the documentation says it will take default values )
<remote>
<connection>secure</connection>
</remote>
Thank you for your time and support
Regards
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
Kernel Panic
Oct 12, 2016, 10:30:47 AM10/12/16
to ossec-list
Hi guys
The remote service was not starting, now it up and running, and have to say that this was pure pain!!
netstat -antuwp | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted
Thank you very much!
The remote service was not starting, now it up and running, and have to say that this was pure pain!!
/var/ossec/bin/ossec-remoted -df
2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21610).
2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '4194304'.
2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
netstat -antuwp | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21908/ossec-remoted
Thank you very much!
Regards
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
dan (ddp)
Oct 12, 2016, 10:50:26 AM10/12/16
to ossec...@googlegroups.com
On Wed, Oct 12, 2016 at 10:30 AM, Kernel Panic <netwar...@gmail.com> wrote:
> Hi guys
> The remote service was not starting, now it up and running, and have to say
> that this was pure pain!!
>
It would be interesting to find out what happened to your setup to
> Hi guys
> The remote service was not starting, now it up and running, and have to say
> that this was pure pain!!
>
give you such troubles.
Kernel Panic
Oct 12, 2016, 10:58:02 AM10/12/16
to ossec-list
Really do not know, just installed it from repo and tried to start the service.
Thanks
Thanks
Regards
El martes, 11 de octubre de 2016, 15:22:03 (UTC-3), Kernel Panic escribió:
Anoop Perayil
Apr 10, 2017, 2:12:31 PM4/10/17
to ossec-list, netwar...@gmail.com
I am getting the exact same error -
2017/04/10 18:03:02 ossec-remoted: Unable to open agent file. errno: 13
2017/04/10 18:03:02 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/1024'.
how did you manage to get ossec-remoted back up and running?
2017/04/10 18:03:02 ossec-remoted: Unable to open agent file. errno: 13
2017/04/10 18:03:02 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/1024'.
how did you manage to get ossec-remoted back up and running?
Joshua Gimer
Apr 10, 2017, 2:22:07 PM4/10/17
to ossec...@googlegroups.com
Do you have SELinux running in an enforcing mode? What is the output of sestatus?
Josh
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
Thanks,
Joshua Gimer
---------------------------
http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer
Joshua Gimer
---------------------------
http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer
Felix Martel
Apr 10, 2017, 2:34:46 PM4/10/17
to ossec-list, netwar...@gmail.com
Perhaps this is way off base, but have you added an agent for localhost ? In my context of a new install, a ton of issues went away after I added an agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the key or anything. Once I did that, my queue errors went away and my agents started reporting.
If I have one rant regarding OSSEC HIDS, it's the structure and quality of documentation: Sketchy at best... Doing a lot of poking in the dark to solve issues.
Anoop Perayil
Apr 10, 2017, 2:46:08 PM4/10/17
to ossec-list
I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
The issue started after I added in more disk since I ran out of space in /
The issue started after I added in more disk since I ran out of space in /
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Anoop Perayil
Apr 10, 2017, 2:48:20 PM4/10/17
to ossec-list, netwar...@gmail.com
Yeap, I have an agent on the localhost; actually now that is the only active one. Rest all are disconnected since
ossec-remoted is not running
ossec-remoted is not running
dan (ddp)
Apr 13, 2017, 6:00:59 PM4/13/17
to ossec...@googlegroups.com
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel <martel...@gmail.com> wrote:
> Perhaps this is way off base, but have you added an agent for localhost ? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>
You shouldn't have to add an agent for the localhost, it's
> Perhaps this is way off base, but have you added an agent for localhost ? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the
> key or anything. Once I did that, my queue errors went away and my agents
> started reporting.
>
automatically considered agent 000.
> If I have one rant regarding OSSEC HIDS, it's the structure and quality of
> documentation: Sketchy at best... Doing a lot of poking in the dark to solve
> issues.
>
dan (ddp)
Apr 13, 2017, 6:01:47 PM4/13/17
to ossec...@googlegroups.com
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil <urdud...@gmail.com> wrote:
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>
I really wish SO would partition their system properly. Big /, nothing
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>
else is very annoying.
Check permissions. Maybe things didn't copy over properly?
Reply all
Reply to author
Forward
0 new messages