ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible


Pachulski, Keith

Dec 15, 2009, 3:51:28 PM
to ossec...@ossec.net
If someone could shed some light on this I would appreciate it

Starting OSSEC HIDS v2.3 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2009/12/15 15:49:33 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/12/15 15:49:33 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/12/15 15:49:41 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/12/15 15:49:41 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/12/15 15:49:54 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/12/15 15:49:54 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

jplee3

Dec 15, 2009, 4:59:29 PM
to ossec-list
Check out /var/ossec/logs/ossec.log - that may shed some light as to
what's going on. You may have a typo or bad syntax in your ossec.conf
or one of the rulesets.

Peter M. Abraham

Dec 15, 2009, 5:06:02 PM
to ossec-list
Greetings Keith:

I received this error after upgrading to ossec 2.3.

While Daniel and other developers have not answered the why, for me it
came down to a custom rule in /var/ossec/rules/local_rules.xml

What I recommend doing is backing up /var/ossec/rules/local_rules.xml
and putting in an empty one, then restart. If it works ok, then
slowly start adding rules back in (or deleting out -- that's what I
did, copy the backup file over the empty one, then delete out and then
add back in) until you find the rule or rules choking ossec.

Thank you.

Tate Hansen

Dec 15, 2009, 5:30:03 PM
to ossec...@googlegroups.com, ossec...@ossec.net
I had this happen yesterday; in my log file was the following:
2009/12/15 02:05:50 ossec-analysisd: Overwrite rule '30114' not found.
2009/12/15 02:05:50 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
2009/12/15 02:05:53 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.

Check your ossec.log file and see if you can discover the cause of the
error. I removed my offending rule with id 30114 and it worked on
subsequent restart.

Spransy, Derek

Dec 15, 2009, 10:18:41 PM
to ossec...@googlegroups.com
I actually had this issue today as well. I was creating a custom rule to ignore a particularly noisy host, and after I restarted the OSSEC service I received this same error. As it turned out, I had simply typed the rule incorrectly. Rather than <rule id="100040" level="0">, I had written <rule_id="100040" level="0">. After removing the errant _ the service started up like a charm. However, nothing useful was logged to ossec.log to tell me what had gone wrong.

-Derek

Pachulski, Keith

Dec 16, 2009, 7:21:15 AM
to ossec...@googlegroups.com, ossec...@ossec.net
Yea, after doing some digging I found a reference to this from an ossec-dev page. Turned out while I was editing the local-rules file via vi, I hit I to insert and there was an extra I in the file. It would be awesome if the errors were a bit more useful such as "hey moron you have an error in file X on line 23, check it because I'm not doing jack till you fix it"; other than "ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'." =)

Thanks everyone for the responses...

dan (ddp)

Dec 16, 2009, 8:44:52 AM
to ossec...@googlegroups.com
The ossec-logtest application gives better errors. After inserting an
error in my local_rules file and running ossec-logtest I get the
following:

# ../bin/ossec-logtest
2009/12/16 13:42:58 ossec-analysisd(1226): ERROR: Error reading XML file 'rules//local_rules.xml': XML ERR: Element not closed: rule_id="110143" (line 1655).
2009/12/16 13:42:58 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Not perfect, but might be useful.
Dan
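
Added example, not part of the original thread and not OSSEC code: a Python triage helper that separates the "Queue ... not accessible" symptom from the rule-loading errors the posters found behind it, and pulls out the file and line number when ossec-logtest reports one. The regular expressions and function names are assumptions derived only from the log lines quoted in this thread.

```python
import re

# Record shape quoted in this thread, e.g.
#   2009/12/15 02:05:50 ossec-analysisd(1220): ERROR: Error loading the rules: ...
# The "(code)" part is optional.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\(\d+\))?: (.*)$")
QUEUE = re.compile(r"Queue '[^']*' not accessible|Unable to access queue")
CAUSES = (  # checked in order, most specific first
    ("xml", re.compile(r"Error reading XML file '([^']+)': (.*) \(line (\d+)\)")),
    ("overwrite", re.compile(r"Overwrite rule '(\d+)' not found")),
    ("rules", re.compile(r"Error loading the rules: '([^']+)'")),
)

# Log lines taken from the posts in this thread, hard-wrapped the way mail clients wrap them.
SAMPLE_LOG = """\
2009/12/15 02:05:50 ossec-analysisd: Overwrite rule '30114' not found.
2009/12/15 02:05:50 ossec-analysisd(1220): ERROR: Error loading the rules:
'local_rules.xml'.
2009/12/15 02:05:53 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
not accessible: 'Connection refused'.
"""
SAMPLE_LOGTEST = """\
2009/12/16 13:42:58 ossec-analysisd(1226): ERROR: Error reading XML
file 'rules//local_rules.xml': XML ERR: Element not closed:
rule_id="110143" (line 1655).
"""


def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for raw in (line.strip() for line in text.splitlines()):
        if LINE.match(raw):
            records.append(raw)
        elif raw and records:
            records[-1] += " " + raw
    return records


def triage(text):
    """Split a log into queue symptoms and the rule-loading errors behind them."""
    symptoms, causes = [], []
    for ts, daemon, msg in (LINE.match(r).groups() for r in unwrap(text)):
        if QUEUE.search(msg):
            symptoms.append((ts, daemon))
            continue
        for kind, pattern in CAUSES:
            m = pattern.search(msg)
            if m:
                causes.append((kind, daemon) + m.groups())
                break
    return symptoms, causes
```

Feed it the contents of /var/ossec/logs/ossec.log or the output of ossec-logtest; an empty cause list alongside queue symptoms matches the case reported above where nothing useful was logged, and ossec-logtest is the next thing to run.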