What's the theory and practice of /var/ossec/queue/ossec/queue?


Whit Blauvelt

Dec 14, 2017, 2:42:18 PM
to Wazuh mailing list
Something didn't end up right here. How should this be corrected?

# /var/ossec/bin/ossec-control start
Starting Wazuh v3.0.1 (maintained by Wazuh Inc.)...
Started wazuh-clusterd...
wazuh-modulesd already running...
ossec-maild already running...
ossec-execd already running...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2017/12/14 14:35:20 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec//queue/ossec/queue' not accessible: 'Connection refused'.
2017/12/14 14:35:20 rootcheck: ERROR: (1210): Queue '/var/ossec//queue/ossec/queue' not accessible: 'Connection refused'.
2017/12/14 14:35:28 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec//queue/ossec/queue' not accessible: 'Connection refused'.
2017/12/14 14:35:28 rootcheck: ERROR: (1210): Queue '/var/ossec//queue/ossec/queue' not accessible: 'Connection refused'.
2017/12/14 14:35:41 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec//queue/ossec/queue' not accessible: 'Connection refused'.
2017/12/14 14:35:41 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec//queue/ossec/queue'. Giving up..
ossec-syscheckd did not start correctly.

Thanks,
Whit

Victor Fernandez

Dec 14, 2017, 5:27:02 PM
to Whit Blauvelt, Wazuh mailing list
Hi Whit,

The file at /var/ossec/queue/ossec/queue is actually a socket. It's created by Analysisd (the log-matching engine, which produces alerts), and the rest of the components (Syscheck, Rootcheck, Logcollector, Remoted, etc.) use that socket to send their data to Analysisd.

This error usually happens when Analysisd couldn't start correctly for some reason. It was probably due to a misconfiguration. This command should help us figure out what the problem was:

grep "ossec-analysisd" /var/ossec/logs/ossec.log

Hope it helps.

Best regards,
Victor.






--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

Whit Blauvelt

Dec 15, 2017, 10:22:27 AM
to Wazuh mailing list

> grep "ossec-analysisd" /var/ossec/logs/ossec.log

Hi Victor,

Good clue. Thanks.

  2017/12/14 14:35:17 ossec-analysisd: CRITICAL: (1107): Could not create directory '/logs/archives/2017/Dec' due to [(13)-(Permission denied)].

And then after changing ownership to ossec:ossec there:

  2017/12/15 10:11:06 ossec-analysisd: CRITICAL: (1107): Could not create directory '/logs/alerts/2017/Dec' due to [(13)-(Permission denied)].

And then after fixing that we're good.

Minor thing, but the "Migrating from OSSEC" page might mention checking perms in these locations. Somewhere in the migration the user that OSSEC had been running as, "1001," got removed from the system so copying over the prior files from ossec_backup brought in the now-obsolete ownership. At least, OSSEC had been happily running before with user and group as "1001," and neither is in /etc/passwd or /etc/group now.

Best,
Whit
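The two findings in this thread (the queue path is a Unix socket that only exists once ossec-analysisd is up, and analysisd dies early when it cannot create its alerts/archives directories) can be turned into a small diagnostic. The script below is an added example, not code from the thread or from the Wazuh project. It assumes the install root is /var/ossec and the daemon user is "ossec" (both overridable), and it assumes, as the error messages above suggest, that the '/logs/...' paths analysisd logs are relative to its chroot, i.e. /var/ossec/logs/... on disk. It checks whether the queue path exists and is a socket, extracts the directories that error 1107 says could not be created, walks up to the nearest existing parent (the directory whose ownership actually blocks the mkdir), and compares its owner with the daemon user, which also surfaces the stale numeric owner ("1001") described in the last message.

```shell
#!/bin/sh
# Diagnostic for "Queue '/var/ossec/queue/ossec/queue' not accessible".
# Added example; not part of the thread or of Wazuh. Assumptions: install root
# /var/ossec, daemon user "ossec", and analysisd's logged '/logs/...' paths are
# relative to its chroot (the install root).

# check_queue_socket PATH
# 0: PATH is a Unix domain socket (what analysisd creates)
# 1: PATH is absent (analysisd has not created it, so it probably failed to start)
# 2: PATH exists but is not a socket (stale file left behind by a bad copy)
check_queue_socket() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing: $path (analysisd not running or failed to start)"
        return 1
    fi
    if [ ! -S "$path" ]; then
        echo "not a socket: $path (remove it and restart analysisd)"
        return 2
    fi
    echo "ok: $path is a socket"
    return 0
}

# analysisd_failed_dirs LOGFILE
# Prints the directory from every "CRITICAL: (1107): Could not create
# directory '...'" line that ossec-analysisd wrote to LOGFILE, one per line.
analysisd_failed_dirs() {
    grep 'ossec-analysisd: CRITICAL: (1107)' "$1" \
        | sed -n "s/.*Could not create directory '\([^']*\)'.*/\1/p"
}

# first_existing_parent DIR
# Walks up from DIR (which may not exist yet) to the closest existing
# directory; that is the one whose owner/mode blocks the mkdir.
first_existing_parent() {
    d="$1"
    while [ ! -d "$d" ] && [ "$d" != "/" ]; do
        d=$(dirname "$d")
    done
    echo "$d"
}

# owner_matches DIR USER
# True if DIR is owned by USER. ls prints a numeric uid when the owner no
# longer exists in /etc/passwd, so an orphaned "1001" shows up as a mismatch.
owner_matches() {
    have=$(ls -ld "$1" | awk '{print $3}')
    [ "$have" = "$2" ]
}

# diagnose [WAZUH_HOME] [DAEMON_USER]
diagnose() {
    home="${1:-/var/ossec}"
    user="${2:-ossec}"
    check_queue_socket "$home/queue/ossec/queue" || true
    log="$home/logs/ossec.log"
    if [ ! -r "$log" ]; then
        echo "cannot read $log"
        return 1
    fi
    # Logged paths are relative to the chroot, so prefix the install root.
    analysisd_failed_dirs "$log" | while read -r d; do
        p=$(first_existing_parent "$home$d")
        if owner_matches "$p" "$user"; then
            echo "$p: owned by $user; check its mode instead"
        else
            echo "$p: not owned by $user (owner: $(ls -ld "$p" | awk '{print $3}'))"
            echo "  suggested fix: chown -R $user:$user $p"
        fi
    done
}

# Run the diagnostic only when invoked with arguments, e.g.:
#   sh diag.sh /var/ossec ossec
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```

The ownership comparison is by name, so it catches the thread's exact failure mode: files restored from a backup still owned by a uid that no longer exists will show a bare number where "ossec" is expected. After the chown, restart with ossec-control and re-run the script; the queue check should then report a socket.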