OSSEC Agent Crashing


Chris Decker

Jan 11, 2017, 9:52:57 AM
to ossec-dev
All,

I have one host where the OSSEC agent software is crashing - ossec-logcollector, ossec-syscheckd and ossec-agentd in particular.  I modified the internal_options.conf so that ossec-logcollector was running at a debug level of '1', but I don't get any additional log entries that appear to be helpful:
2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message to queue.
2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2017/01/10 15:33:11 ossec-syscheckd: INFO: Starting syscheck scan.
2017/01/10 15:33:11 ossec-syscheckd: socketerr (not available).
2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

service ossec-hids status

ossec-logcollector: Process 2250 not used by ossec, removing ..
ossec-logcollector not running...
ossec-syscheckd: Process 2254 not used by ossec, removing ..
ossec-syscheckd not running...
ossec-agentd: Process 2246 not used by ossec, removing ..
ossec-agentd not running...
ossec-execd is running... 



I just recently enabled debug on ossec-logcollector and ossec-syscheckd, so perhaps I'll get some helpful information from them.

I should also disclose that I'm not running the latest/greatest version of the agent software on this host - it has the Atomic RPM version ossec-hids-2.8.2-49.el6.art.x86_64 installed.


Other than upgrading the agent, does anyone have any other suggestions on what I can look at to fix the issue?




Thanks,
Chris





dan (ddp)

Jan 11, 2017, 10:12:37 AM
to ossec-dev
Try shutting down all of the ossec processes, then starting
ossec-agentd in the foreground (`/var/ossec/bin/ossec-agentd -df`).
Check for errors. If there are none, start the other processes
manually to see what happens.

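Added example (not part of either post and not OSSEC project code): a small Python triage script that reads ossec.log lines in the format quoted in the first message and reports which daemons hit the queue errors, which socket they could not reach, the socket error, and when they gave up. The function name and regular expressions are assumptions of this example; the codes 1224, 1210 and 1211 are the ones visible in the quoted log.

```python
import re

# Log lines copied from the excerpt quoted in the thread above.
SAMPLE_LOG = """\
2017/01/10 13:06:03 ossec-logcollector: socketerr (not available).
2017/01/10 13:06:03 ossec-logcollector(1224): ERROR: Error sending message to queue.
2017/01/10 13:06:06 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 13:06:06 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2017/01/10 15:33:11 ossec-syscheckd: INFO: Starting syscheck scan.
2017/01/10 15:33:11 ossec-syscheckd: socketerr (not available).
2017/01/10 15:33:11 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2017/01/10 15:33:14 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/01/10 15:33:14 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# "<date> <time> <daemon>[(<code>)]: [<LEVEL>: ]<message>"
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[\w-]+)(?:\((\d+)\))?: (?:([A-Z]+): )?(.*)$"
)
QUEUE_RE = re.compile(r"Queue '([^']+)' not accessible: '([^']+)'")
QUEUE_CODES = {"1224", "1210", "1211"}  # the queue-related codes seen in the excerpt


def queue_failures(log_text):
    """Map each daemon that logged a queue error to when it started failing,
    which socket it could not reach, the socket error, and when it gave up."""
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything in another format
        ts, daemon, code, _level, msg = m.groups()
        if code not in QUEUE_CODES:
            continue  # uncoded lines (INFO, socketerr) are not counted
        rec = failures.setdefault(
            daemon, {"first_error": ts, "queue": None, "reason": None, "gave_up": None}
        )
        if code == "1210":
            q = QUEUE_RE.search(msg)
            if q:
                rec["queue"], rec["reason"] = q.groups()
        elif code == "1211":  # the "Giving up.." message
            rec["gave_up"] = ts
    return failures


if __name__ == "__main__":
    for daemon, rec in queue_failures(SAMPLE_LOG).items():
        print(f"{daemon}: first error {rec['first_error']}, gave up {rec['gave_up']}, "
              f"{rec['queue']} -> {rec['reason']}")
```

"Connection refused" on a Unix socket means no process is listening on it. On an agent install that socket is read by ossec-agentd, so two clients failing on the same path point at ossec-agentd rather than at the clients themselves.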