WAZUH worker stops alerts error queue/sockets/queue

[Johny Novent]

Hi everyone

Several days ago I detected that a worker stopped generating alerts with this kind of errors:

2025/11/24 09:54:29 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/11/24 09:54:34 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/11/24 09:54:39 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/11/24 09:54:44 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/11/24 09:54:49 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

the worker starts to generating alerts once I restart the wazuh-manager service again

we are working with a cluster with many machines 1 master and others workers

we are using the 4.10.1 version of wazuh in all our cluster

these are ours resources

 total        used        free      shared  buff/cache   available
Mem:            62Gi        26Gi       1.1Gi       1.3Gi        36Gi        35Gi
Swap:           15Gi       833Mi        15Gi

these are a few logs from /var/ossec/logs/ossec.log

2025/11/24 09:51:19 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:24 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:29 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:34 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:39 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:40 wazuh-authd: INFO: New connection from 10.152.65.31

2025/11/24 09:51:40 wazuh-authd: INFO: Received request for a new agent (ITHVHWIVRSNMU01) from: 10.152.65.31

2025/11/24 09:51:40 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:51:40 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:51:44 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:49 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:54 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:51:59 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:52:02 wazuh-authd: INFO: New connection from 10.152.65.39

2025/11/24 09:52:02 wazuh-authd: INFO: Received request for a new agent (ITHVHWIVRSBDI01) from: 10.152.65.39

2025/11/24 09:52:02 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:52:02 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:52:02 wazuh-authd: INFO: New connection from 10.150.5.10

2025/11/24 09:52:02 wazuh-authd: INFO: Received request for a new agent (QAWEB02) from: 10.150.5.10

2025/11/24 09:52:02 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:52:02 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:52:04 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:52:04 wazuh-authd: INFO: New connection from 10.150.5.77

2025/11/24 09:52:04 wazuh-authd: INFO: Received request for a new agent (QAAPP02) from: 10.150.5.77

2025/11/24 09:52:04 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:52:04 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:52:05 wazuh-authd: INFO: New connection from 10.150.5.78

2025/11/24 09:52:05 wazuh-authd: INFO: Received request for a new agent (QAAPP03) from: 10.150.5.78

2025/11/24 09:52:05 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:52:05 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:52:09 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/11/24 09:52:10 wazuh-authd: INFO: New connection from 10.37.137.18

2025/11/24 09:52:10 wazuh-authd: INFO: Received request for a new agent (TEPFHWOCSSWR01) from: 10.37.137.18

2025/11/24 09:52:10 wazuh-authd: INFO: Dispatching request to master node

2025/11/24 09:52:10 wazuh-authd: WARNING: 9008: Duplicate name

2025/11/24 09:52:11 wazuh-authd: INFO: New connection from 10.152.65.45

2025/11/24 09:52:11 wazuh-authd: INFO: Received request for a new agent (ITHVHWIVRSBD01) from: 10.152.65.45

When I restart the worker I saw these logs :

2025/11/24 09:59:11 wazuh-authd: INFO: Dispatching request to master node
2025/11/24 09:59:11 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:12 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2025/11/24 09:59:12 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/11/24 09:59:12 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/11/24 09:59:12 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:13 wazuh-db: INFO: Graceful process shutdown.
2025/11/24 09:59:13 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/11/24 09:59:13 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:14 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:15 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:16 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:17 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:18 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:19 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:20 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:20 wazuh-authd: ERROR: Could not send message through the cluster after '10' attempts.
2025/11/24 09:59:20 wazuh-authd: INFO: Exiting...
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (1103): Could not open file 'etc/lists/oym-cor-dispositivos' due to [(2)-(No such file or directory)].
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4700' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4710' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4711' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4712' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4713' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4714' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4715' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4716' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4717' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4721' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4722' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '4724' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81628' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81629' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81630' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81631' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81632' is duplicated. Only the first occurrence will be considered.
2025/11/24 09:59:25 wazuh-analysisd: WARNING: (7612): Rule ID '81633' is duplicated. Only the first occurrence will be considered.

2025/11/24 09:59:34 wazuh-authd: INFO: Received request for a new agent (ITHVHWIVRSPG201) from: 1x.xxx.xxx.33
2025/11/24 09:59:34 wazuh-authd: INFO: Dispatching request to master node
2025/11/24 09:59:34 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:34 wazuh-analysisd: INFO: EPS limit disabled
2025/11/24 09:59:35 wazuh-remoted: INFO: Started (pid: 1364234). Listening on port 1514/TCP (secure).
2025/11/24 09:59:35 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2025/11/24 09:59:35 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:36 wazuh-monitord: INFO: Started (pid: 1364281).
2025/11/24 09:59:36 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:37 wazuh-modulesd:router: INFO: Loaded router module.
2025/11/24 09:59:37 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2025/11/24 09:59:37 wazuh-modulesd: INFO: Started (pid: 1364295).
2025/11/24 09:59:37 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2025/11/24 09:59:37 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2025/11/24 09:59:37 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2025/11/24 09:59:37 wazuh-modulesd:task-manager: INFO: (8207): Module Task Manager only runs on Master nodes in cluster configuration.
2025/11/24 09:59:37 sca: INFO: Module started.
2025/11/24 09:59:37 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2025/11/24 09:59:37 sca: INFO: Starting Security Configuration Assessment scan.
2025/11/24 09:59:37 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2025/11/24 09:59:37 wazuh-modulesd:router: INFO: Starting router module.
2025/11/24 09:59:37 wazuh-modulesd:content_manager: INFO: Starting content_manager module.
2025/11/24 09:59:37 wazuh-modulesd:database: INFO: Module started.
2025/11/24 09:59:37 wazuh-modulesd:download: INFO: Module started.
2025/11/24 09:59:37 wazuh-modulesd:control: INFO: Starting control thread.
2025/11/24 09:59:37 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2025/11/24 09:59:37 wazuh-modulesd:syscollector: INFO: Module started.
2025/11/24 09:59:37 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/11/24 09:59:37 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:38 wazuh-authd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2025/11/24 09:59:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/11/24 09:59:39 wazuh-authd: WARNING: 9008: Duplicate name
2025/11/24 09:59:39 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/11/24 09:59:39 wazuh-syscheckd: INFO: FIM sync module started.
2025/11/24 09:59:40 wazuh-remoted: WARNING: (1408): Invalid ID 30340 for the source ip: '1x.xxx.xxx.6' (name 'unknown').
2025/11/24 09:59:40 wazuh-remoted: WARNING: (1408): Invalid ID 30342 for the source ip: '1x.xxx.xx.80' (name 'unknown').
2025/11/24 09:59:40 wazuh-remoted: WARNING: (1408): Invalid ID 30341 for the source ip: '1x.xxx.xxx.241' (name 'unknown').

I hope someone can help me with this problem

tahnk you so much in advance and great work with Wazuh

[fabio.c...@wazuh.com]

Hello Johny,

The error indicates that wazuh-analysisd may not be running on your worker node, which is preventing other components from connecting to the analysis queue.

To further debug the error, could you please do the following steps on your worker node:

Verify analysisd status:

/var/ossec/bin/wazuh-control status

Confirm whether wazuh-analysisd is running.

Enable debug logging to get more details:

• Set analysisd.debug=2 in /var/ossec/etc/local_internal_options.conf
• Restart the manager:

/var/ossec/bin/wazuh-control restart

• Check /var/ossec/logs/ossec.log for detailed error messages

Check version compatibility:

• What version is your Wazuh manager/worker?
• What versions are your connected agents?
• Ensure no agents have a version higher than your manager

With that info I can understand the issue better.

Best regards,

[Johny Novent]

Hi Fabio

thanks for your quick response

I just ran the following command: 

/var/ossec/bin/wazuh-control status

this is the output:

the analisisd is running in the worker

wazuh-clusterd is running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

I changed the value from 0 to 2 in the file  /var/ossec/etc/internal_options.conf

# Analysisd (server or local)
analysisd.debug=2

and then I restarted the worker

I can't see errors about that problem because the worker is working fine right now, when the problem occurs again I return with some logs

about these topics:

Check version compatibility:

• What version is your Wazuh manager/worker?

I'm using version 4.10.1 in all nodes

node01  master  4.10.1
node03  worker  4.10.1
node05  worker  4.10.1
node14  worker  4.10.1
node12  worker  4.10.1
node08  worker  4.10.1
node13  worker  4.10.1  
node11  worker  4.10.1
node07  worker  4.10.1
node04  worker  4.10.1
node09  worker  4.10.1
node02  worker  4.10.1  
node10  worker  4.10.1  
node06  worker  4.10.1   

• What versions are your connected agents?

In the worker with the problem I have agents with these versions:

All are early versions that the worker 4.10.1

4.2.2
4.3.0
4.3.4
4.3.5
4.3.9
4.3.10
4.4.4
4.4.5
4.8.0

I hoped this information above help you Fabio thank you so much

[fabio.c...@wazuh.com]

Hello Johny,

Thank you for the detailed information! This is very helpful. Based on what you've shared, your setup looks good.

The debug logs you've enabled will be crucial when the issue occurs again.

When the problem happens again, please capture:

1. Logs from /var/ossec/logs/ossec.log around the time of the error (especially any lines mentioning analysisd crashes or restarts)
2. Check if analysisd actually stopped:

> grep "analysisd.*shutdown" /var/ossec/logs/ossec.log > grep "analysisd.*started" /var/ossec/logs/ossec.log

3. System logs that might show if the process crashed:

> journalctl -u wazuh-manager | grep analysisd

4. Memory/resource usage at the time - sometimes analysisd crashes due to resource constraints

I'll wait for your logs when the issue reoccurs. This will help us identify the root cause.

[Johny Novent]

Hi Fabio 

Recently the error happened again 

I found these other errors 

2025/12/04 06:18:48 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:18:53 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:18:55 wazuh-authd: INFO: New connection from 10.1x.xx.8
2025/12/04 06:18:55 wazuh-authd: INFO: Received request for a new agent (QAxxx1) from: 10.1x.x.8
2025/12/04 06:18:55 wazuh-authd: INFO: Dispatching request to master node
2025/12/04 06:18:55 wazuh-authd: WARNING: 9008: Duplicate name
2025/12/04 06:18:57 wazuh-authd: INFO: New connection from 1x.xx.xx.241
2025/12/04 06:18:57 wazuh-authd: INFO: Received request for a new agent (ithvrhaxxxxxx6) from: 1x.xxx.xxx.241
2025/12/04 06:18:57 wazuh-authd: INFO: Dispatching request to master node
2025/12/04 06:18:57 wazuh-authd: WARNING: 9008: Duplicate name
2025/12/04 06:18:58 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:18:59 sca: INFO: Starting Security Configuration Assessment scan.
2025/12/04 06:18:59 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2025/12/04 06:19:03 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:19:06 wazuh-authd: INFO: New connection from 1x.xxx.xx.6
2025/12/04 06:19:06 wazuh-authd: INFO: Received request for a new agent (ithvrhsixxxx03) from: 1x.xxx.xx.6
2025/12/04 06:19:06 wazuh-authd: INFO: Dispatching request to master node
2025/12/04 06:19:06 wazuh-authd: WARNING: 9008: Duplicate name
2025/12/04 06:19:08 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:19:10 wazuh-modulesd: ERROR: socketerr (not available).
2025/12/04 06:19:10 wazuh-modulesd: ERROR: At wm_sendmsg(): Unable to send message to queue: (Connection refused)
2025/12/04 06:19:10 sca: ERROR: (1210): Queue 'queue/sockets/queue' not accessible: 'Connection refused'
2025/12/04 06:19:13 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:19:18 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:19:21 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/12/04 06:19:21 wazuh-syscheckd: ERROR: socketerr (not available).
2025/12/04 06:19:21 wazuh-syscheckd: ERROR: (1224): Error sending message to queue.
2025/12/04 06:19:23 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

2025/12/04 06:20:58 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:03 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:08 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:13 wazuh-syscheckd: ERROR: socketerr (not available).
2025/12/04 06:21:13 rootcheck: ERROR: (1224): Error sending message to queue.
2025/12/04 06:21:13 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:18 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:23 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:24 wazuh-authd: INFO: New connection from 1x.xxx.xxx.40
2025/12/04 06:21:24 wazuh-authd: INFO: Received request for a new agent (ITHVHPxxxxxxx5) from: 1x.xxx.xxx.40
2025/12/04 06:21:24 wazuh-authd: INFO: Dispatching request to master node
2025/12/04 06:21:24 wazuh-authd: WARNING: 9008: Duplicate name
2025/12/04 06:21:28 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:33 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:38 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:43 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:48 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).
2025/12/04 06:21:53 wazuh-modulesd: ERROR: (1278): Unable to reconnect to 'queue/sockets/queue': Connection refused (111).

I don't know if this new errors about SCA cause the problem

NOTE: i have to disable the debug mode because the alerts coming slowly to our SIEM instance

[Onur Gökyaka]

Hi TurkJohny,

After reviewing the screenshot, I noticed that the /var/log directory is 100% full. This is very likely the main cause of the issue.

Since Wazuh’s internal queue mechanism also relies on this disk, when it becomes full:

• Queue files cannot be written

• Modules fail to access the queue

• Errors such as “Connection refused (111)” start appearing

Additionally, a 3 GB partition for /var/log is quite small for a Wazuh node, so it can fill up very quickly.

The reason the service works again after a restart is because the queue files are cleared and recreated, allowing Wazuh to operate normally for a while.

I recommend increasing the size of the /var/log partition and restarting the Wazuh Manager service afterward.
If the system works fine when /var/log is not full, and the issue returns when it fills up, then this is almost certainly the root cause.

4 Aralık 2025 Perşembe tarihinde saat 23:21:41 UTC+3 itibarıyla Johny Novent şunları yazdı:

[fabio.c...@wazuh.com]

Hello Johny,

I apologize for missing the disk usage detail in your screenshot. The /var/log partition being 100% full is definitely the root cause of your queue socket errors.

Your current 3 GB partition is critically undersized for a production Wazuh worker node.

You can find detailed information about disk space requirements here

Additionally, I'd recommend implementing disk space monitoring to prevent this from recurring. Here's a guide on setting up automated alerts

Please let me know once you've expanded the partition and whether the issue is resolved. If the errors persist after ensuring adequate disk space, I'll investigate further.

Best regards,