"WARN: Process locked. Waiting for permission" At Server When Trying To Start Server
6,925 views
Skip to first unread message
MDACC-Luckie
Sep 13, 2013, 10:08:35 AM9/13/13
to ossec...@googlegroups.com
I have dealt with issues with agents not connecting to the server with a "WARN: Process locked. Waiting for permission" message in the log but not at the server. When starting OSSEC on the primary OSSEC server, I am getting that message in the OSSEC log file. No agents appear to be able to connect to the server now. Any suggestions or thoughts on what to look at on the server to fix this?
dan (ddp)
Sep 13, 2013, 10:16:22 AM9/13/13
to ossec...@googlegroups.com
/var/ossec/queue/ossec/.wait
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
Ford,Luckie J
Sep 13, 2013, 11:06:15 AM9/13/13
to ossec...@googlegroups.com
Thanks Dan. That fixed that issue but now looking at others. Appears someone has changed ownership of files in the ossec directory structure and there are still issues which are causing problems with the app including errors like:
2013/09/13 09:30:22 ossec-analysisd: Rules in an inconsistent state. Exiting.
-and-
2013/09/13 09:30:30 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/09/13 09:30:33 ossec-logcollector(1210): ERROR: Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/09/13 09:30:33 ossec-logcollector(1211): ERROR: Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
2013/09/13 09:31:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/13 09:31:18 ossec-syscheckd: socketerr (not available).
2013/09/13 09:31:18 ossec-syscheckd(1224): ERROR: Error sending message to queue.
Why always on a Friday??? ;-)
2013/09/13 09:30:22 ossec-analysisd: Rules in an inconsistent state. Exiting.
-and-
2013/09/13 09:30:30 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/09/13 09:30:33 ossec-logcollector(1210): ERROR: Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/09/13 09:30:33 ossec-logcollector(1211): ERROR: Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
2013/09/13 09:31:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/13 09:31:18 ossec-syscheckd: socketerr (not available).
2013/09/13 09:31:18 ossec-syscheckd(1224): ERROR: Error sending message to queue.
Why always on a Friday??? ;-)
Roy Feintuch
Sep 13, 2013, 1:36:10 PM9/13/13
to ossec...@googlegroups.com
Dan or anyone else - I see from time to time people reporting issues cause by wrong permissions.
Is there any script somewhere to fix/rebuild all OSSEC related files permissions?
dan (ddp)
Sep 13, 2013, 1:37:40 PM9/13/13
to ossec...@googlegroups.com
On Fri, Sep 13, 2013 at 1:36 PM, Roy Feintuch <r...@dome9.com> wrote:
> Dan or anyone else - I see from time to time people reporting issues cause
> by wrong permissions.
> Is there any script somewhere to fix/rebuild all OSSEC related files
> permissions?
>
Not that I know of. If you let us know which files you keep changing
> Dan or anyone else - I see from time to time people reporting issues cause
> by wrong permissions.
> Is there any script somewhere to fix/rebuild all OSSEC related files
> permissions?
>
the permissions on, we can probably create something.
Ford,Luckie J
Sep 13, 2013, 1:42:40 PM9/13/13
to ossec...@googlegroups.com
If Roy is in a situation like me, I have no clue which files had permissions/ownership changed on them so am having to back into everything step by step. I now know who and when they were changed but at the moment, that and a couple of bucks will only get me a cup of coffee..lol (trying to make myself smile through it all).
Roy Feintuch
Sep 13, 2013, 2:28:10 PM9/13/13
to ossec...@googlegroups.com
I'm not talking about solving someones specific issues. If people knew which file permission were changed - then they had no issue in the first place - they would have just fix it.
I'm talking about an idiot proof script that goes over *all* relevant ossec folders/ files and chown'ing them to the relevant ossec user (ossec,ossecr ,?).
Then whenever we see someone talking about 'ossec process does not start' (or similar) the first question would be -
'did you tried the 'fix-most-ossec-issues-script.sh' ?
just my $0.02. Cheers
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/gjFg0WRdorg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
Roy Feintuch,
CTO & Co-founder
Dome9 Security
(e) » r...@dome9.com
(web) » http://dome9.com
(m) » +1-415-3423543
(Skype) » froyke
CTO & Co-founder
Dome9 Security
(e) » r...@dome9.com
(web) » http://dome9.com
(m) » +1-415-3423543
(Skype) » froyke
dan (ddp)
Sep 13, 2013, 2:41:25 PM9/13/13
to ossec...@googlegroups.com
On Fri, Sep 13, 2013 at 2:28 PM, Roy Feintuch <r...@dome9.com> wrote:
> I'm not talking about solving someones specific issues. If people knew which
> file permission were changed - then they had no issue in the first place -
> they would have just fix it.
> I'm talking about an idiot proof script that goes over *all* relevant ossec
> folders/ files and chown'ing them to the relevant ossec user (ossec,ossecr
> ,?).
>
> Then whenever we see someone talking about 'ossec process does not start'
> (or similar) the first question would be -
> 'did you tried the 'fix-most-ossec-issues-script.sh' ?
>
> just my $0.02. Cheers
>
We used to do better permissions/ownership on install/upgrades, but it
> I'm not talking about solving someones specific issues. If people knew which
> file permission were changed - then they had no issue in the first place -
> they would have just fix it.
> I'm talking about an idiot proof script that goes over *all* relevant ossec
> folders/ files and chown'ing them to the relevant ossec user (ossec,ossecr
> ,?).
>
> Then whenever we see someone talking about 'ossec process does not start'
> (or similar) the first question would be -
> 'did you tried the 'fix-most-ossec-issues-script.sh' ?
>
> just my $0.02. Cheers
>
took too long on some systems. It probably wouldn't be quick, and it
seems like it would hide the real problem (the permissions being
modified).
If you come up with something before anyone else, please feel free to
pass it along to the list. :)
Michael Starks
Sep 13, 2013, 3:21:29 PM9/13/13
to ossec...@googlegroups.com
On 13.09.2013 13:28, Roy Feintuch wrote:
> Im not talking about solving someones specific issues. If people knew
> ossec folders/ files and chowning them to the relevant ossec user
> (ossec,ossecr ,?).
The installation script sets the permissions so running it again should
fix then. Or just look at what the script does and do that manually.
> Im not talking about solving someones specific issues. If people knew
> which file permission were changed - then they had no issue in the
> first place - they would have just fix it.
>
> Im talking about an idiot proof script that goes over *all* relevant
> first place - they would have just fix it.
>
> ossec folders/ files and chowning them to the relevant ossec user
> (ossec,ossecr ,?).
The installation script sets the permissions so running it again should
fix then. Or just look at what the script does and do that manually.
Roy Feintuch
Sep 13, 2013, 3:27:14 PM9/13/13
to ossec...@googlegroups.com
Thanks Michael. was about to start writing this script...
--
--- You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/gjFg0WRdorg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+unsubscribe@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages