ERROR: Unable to Bind port '1514'

1,428 views
Skip to first unread message

Carlos Islas

unread,
Aug 24, 2017, 5:19:57 PM8/24/17
to ossec-list
Hello,

I am having this issue when i execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Somebody could help me to examine that error?

Regards...

dan (ddp)

unread,
Aug 24, 2017, 5:39:53 PM8/24/17
to ossec...@googlegroups.com
Is remoted running? 
Is something else listening on 1514? `netstat -an |grep 1514`


Regards...

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Carlos Islas

unread,
Aug 24, 2017, 6:28:39 PM8/24/17
to ossec-list
Hello dan,

Yes is remoted. Here is the result for netstat

root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#

Regarads

El jueves, 24 de agosto de 2017, 16:39:53 (UTC-5), dan (ddpbsd) escribió:


On Aug 24, 2017 5:20 PM, "Carlos Islas" <sparks....@gmail.com> wrote:
Hello,

I am having this issue when i execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Somebody could help me to examine that error?

Is remoted running? 
Is something else listening on 1514? `netstat -an |grep 1514`


Regards...

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

dan (ddp)

unread,
Aug 24, 2017, 7:51:44 PM8/24/17
to ossec...@googlegroups.com


On Aug 24, 2017 6:28 PM, "Carlos Islas" <sparks....@gmail.com> wrote:
Hello dan,

Yes is remoted. Here is the result for netstat

root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#

Ok, so only 1 copy of remoted can bind to that port at a time. Kill the first instance, and the second should run.


Regarads

El jueves, 24 de agosto de 2017, 16:39:53 (UTC-5), dan (ddpbsd) escribió:


On Aug 24, 2017 5:20 PM, "Carlos Islas" <sparks....@gmail.com> wrote:
Hello,

I am having this issue when i execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Somebody could help me to examine that error?

Is remoted running? 
Is something else listening on 1514? `netstat -an |grep 1514`


Regards...

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.

Carlos Islas

unread,
Aug 25, 2017, 11:31:48 AM8/25/17
to ossec-list
Hi dan,

Sorry, im newbie in that kind of commands. How can i kill the instance?

Regards...

dan (ddp)

unread,
Aug 25, 2017, 12:01:25 PM8/25/17
to ossec...@googlegroups.com


On Aug 25, 2017 11:32 AM, "Carlos Islas" <sparks....@gmail.com> wrote:
Hi dan,

Sorry, im newbie in that kind of commands. How can i kill the instance?

I usually use `pkill ossec-remoted`
You can also use `ps` to get the pid (or look for the pid in /var/ossec somewhere) and kill it that way.


Regards...



El jueves, 24 de agosto de 2017, 16:19:57 (UTC-5), Carlos Islas escribió:
Hello,

I am having this issue when i execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Somebody could help me to examine that error?

Regards...

Dave Stoddard

unread,
Aug 25, 2017, 12:07:44 PM8/25/17
to ossec-list
I have seen this happen on FreeBSD systems using OSSEC 2.8.3. The issue is usually an inability to write the ar socket, but the error message in the logs/ossec.log file can be any number of things.  It is caused by a permission issue with the sockets used for the queues, and shows up in both OSSEC and it's WAZUH counterpart. The way to rectify this is to stop OSSEC and make sure you have the following ownership and permissions for the following directories:

queue - user root, group ossec, chmod 550
queue/alerts - user ossec, group ossec, chmod 777
queue/ossec - user ossec, group ossec, chmod 750

In addition, the sockets found in the ossec/alerts directory should be as follows:

ar - user ossecr, group ossec
execq - user root, group ossec

If the ownership of the sockets is not correct, you can just delete those files (ar and execq) and restart OSSEC and they will be recreated. They should be 660 for permissions, but the permissions get set when the sockets are created.  If you delete the sockets, make sure you do this after you have stopped OSSEC and made sure the directory ownership and permissions are set as specified above.  FreeBSD has a sockstat command that you can use to see the owner, program, and port that is active on the system.  Best,

Dave Stoddard
Network Alarm Corporation

Carlos Islas

unread,
Aug 28, 2017, 5:26:30 PM8/28/17
to ossec-list
Hello Dave

I had checked the permissions and the sockets and appears in the same way that you told me and the error still happend. Attach the image.

Regards.
capture.JPG

Carlos Islas

unread,
Aug 28, 2017, 5:30:48 PM8/28/17
to ossec-list
Hello dan,

I killed the instance but anything happend, i had that start the process manualy because de services get down. =S

Regards...
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

Julia Vitoria Cardoso

unread,
Nov 22, 2017, 9:09:21 AM11/22/17
to ossec-list
Hi Carlos, i have been fighting with the same issue, and i finally got it. In this article: https://github.com/ossec/ossec-hids/issues/1061

I configured support to IPV6 configuring the /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0

After run sysctl -p, and restart network service and ossec

service restart network 
service restart ossec

jkell...@gmail.com

unread,
Jun 17, 2018, 9:08:23 AM6/17/18
to ossec-list
This worked for me. Thanks.
Reply all
Reply to author
Forward
0 new messages