ERROR: FIM decoder: Unable to connect to socket '/queue/db/wdb'.
807 views
Skip to first unread message
frodo_neighbor
Mar 31, 2020, 11:41:55 AM3/31/20
to Wazuh mailing list
Hello Sir/Madam
I just got wazuh installed. using EFK stack with wazuh manager and wazuh API in 1 server. Everything seems to be working fine until today. I noticed when I browse to Wazuh
page in Kibana, basically I get to see the screen like attached. I got prompts
"Wazuh App: Please set up Wazuh API credentials." and "Could not select any API entry."
"Wazuh App: Please set up Wazuh API credentials." and "Could not select any API entry."
Also when I cliecked on the little question mark, the error shown is 3005 - Error reading cluster configuration
I did check if wazuh-manager and all other service, they are all up and running. I also tried to curl to wazuh-api, it gives possitive response i.e. curl foo:bar@localhost:55000/version ; i got {"error":0,"data":"v3.11.4"}
when I do tail -F /var/ossec/logs/ossec.log | grep -i -E "error|warn", I get thousands of line like this. The consistent error is ERROR: FIM decoder: Bad load query
2020/03/31 23:11:40 ossec-analysisd: ERROR: FIM decoder: Bad load query: 'agent 000 syscheck load /etc/cloud/templates/resolv.conf.tmpl'.
2020/03/31 23:11:50 ossec-analysisd: ERROR: FIM decoder: Unable to connect to socket '/queue/db/wdb'.
2020/03/31 23:11:50 ossec-analysisd: ERROR: FIM decoder: Bad load query: 'agent 000 syscheck load /etc/cloud/templates/chef_client.rb.tmpl'.
2020/03/31 23:11:55 ossec-analysisd: ERROR: FIM decoder: Unable to connect to socket '/queue/db/wdb'.
2020/03/31 23:11:55 ossec-analysisd: ERROR: FIM decoder: Bad load query: 'agent 000 syscheck load /etc/cloud/templates/chrony.conf.tmpl'.
2020/03/31 23:11:55 ossec-analysisd: ERROR: FIM decoder: Unable to connect to socket '/queue/db/wdb'.
...
i am using EFK 7.6.0 and Wazuh 3.11.4
If anyone has experience trouble shooting this/has any idea, I would appreciate to learn from you
Thank you
José Luis López Sánchez
Apr 1, 2020, 3:04:21 AM4/1/20
to Wazuh mailing list
Hello frodo_neighbor,
I will try to help here. According to those logs, I think it could be related to one of the following problems:
Kind regards,
Jose Luis.
I will try to help here. According to those logs, I think it could be related to one of the following problems:
- Maybe the wazuh-db binary isn't running. Could you please run this command and paste the output? ps aux | grep ossec
- It
could also be related to a wrong setting in ossec.conf, paste here the
content of the file if you want and I will take a look at it.
Kind regards,
Jose Luis.
Daniil Sobolev
Apr 1, 2020, 6:07:01 AM4/1/20
to Wazuh mailing list
I may suggest you to check if kibana plugin is configured to connect to https:// instead of http:// Config location is mentioned on your screenshot.
вторник, 31 марта 2020 г., 18:41:55 UTC+3 пользователь frodo_neighbor написал:
As for queue socket - you may try this:
run analysisd in debug mode and check for file access permissions errors:
/var/ossec/bin/ossec-analysisd -df
Sometimes this helps me:
chown -R ossecr:ossec /var/ossec/queue && chown ossecr:ossec /var/ossec/queue/rids/
chmod --recursive 770 to the /ossec dir.
Please note that I'm a regular user, so it might be better to wait for wzh team to reply =)
вторник, 31 марта 2020 г., 18:41:55 UTC+3 пользователь frodo_neighbor написал:
Reply all
Reply to author
Forward
0 new messages