ossec-logcollector: ERROR: socketerr (not available).

[Oriol]

Hey everyone.

Recently, I detected that in my wazuh-agent, there's an error that appears in the logs. Is the following log:

2018/12/20 11:50:43 ossec-logcollector: ERROR: socketerr (not available).

I don't know where it comes. Here I paste the ossec.conf:

<ossec_config>

  <client>

    <server>

      <address>xxxxxx</address>

      <port>xxxx</port>

      <protocol>udp</protocol>

    </server>

    <config-profile>xxxxx</config-profile>

    <notify_time>60</notify_time>

    <time-reconnect>300</time-reconnect>

    <auto_restart>yes</auto_restart>

  </client>

  <client_buffer>

    <!-- Agent buffer options -->

    <disabled>no</disabled>

    <queue_size>5000</queue_size>

    <events_per_second>500</events_per_second>

  </client_buffer>

  <!-- Policy monitoring -->

  <rootcheck>

    <disabled>no</disabled>

    <check_unixaudit>yes</check_unixaudit>

    <check_files>yes</check_files>

    <check_trojans>yes</check_trojans>

    <check_dev>yes</check_dev>

    <check_sys>yes</check_sys>

    <check_pids>yes</check_pids>

    <check_ports>yes</check_ports>

    <check_if>yes</check_if>

Someone can help me?

Thank you so much.

Oriol Val

[rafael...@wazuh.com]

Hi Oriol,

you are seeing that message because the ossec-agentd daemon is not running. Logcollector connects to the ossec-agentd socket to send the read log lines to the manager.

If you run the following command

/var/ossec/bin/ossec-control status

 

You will see something like this:

wazuh-modulesd is running...
ossec-logcollector is running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd is running...

Running:

/var/ossec/bin/ossec-control restart

Should fix the problem.

Best regards.

[Oriol]

Hi Rafa,

Thanks for your reply.

If I execute /var/ossec/bin/ossec-control status , I receive the following:

ossec-logcollector is running...

ossec-syscheckd is running...

ossec-agentd is running...

ossec-execd is running...

wazuh-modulesd not running...

Only is not running wazuh-modulesd, but I think that this is only running if I have OpenScap, and it's not my case, so I think that this output is correct.

Moreover, if I restart ossec, the output will be the same, and the error still appears.

Tell me if I'm wrong.

Thank you so much.

Oriol Val

El dijous, 20 desembre de 2018 12:35:41 UTC+1, rafael...@wazuh.com va escriure:

[rafael...@wazuh.com]

Hi Oriol,

yes you are right, the output seems to be correct. Maybe there are to instances of logcollector running.

Can you please post the output of:

ps aux | grep ossec

Best regards.

[Oriol]

Hi Rafa,

Here is the command and his output:

 ps aux | grep ossec

root      5146  0.0  0.0  10956   916 pts/6    S+   13:07   0:00 grep --color=auto ossec

root      6201  0.0  0.0  34544  1220 ?        Sl   Nov28   1:09 /var/ossec/bin/ossec-execd

root      6218  0.0  0.0 403344  1944 ?        Sl   Nov28  17:21 /var/ossec/bin/ossec-logcollector

root      6228  0.0  0.2 331540 19916 ?        Sl   Nov28   2:59 /var/ossec/bin/wazuh-modulesd

root     14724  0.0  0.0  34608  1372 ?        Sl   Dec18   0:07 /var/ossec/bin/ossec-execd

root     14745  0.1  0.0 403332  2304 ?        Sl   Dec18   3:26 /var/ossec/bin/ossec-logcollector

root     15131  0.0  0.0  29628   876 ?        Sl   11:43   0:00 /var/ossec/bin/ossec-execd

ossec    15138  0.0  0.0 251172  3512 ?        Sl   11:43   0:04 /var/ossec/bin/ossec-agentd

root     15146  2.7  0.0  18552  2576 ?        S    11:43   2:20 /var/ossec/bin/ossec-syscheckd

root     15149  0.0  0.0   8892   776 ?        S    11:43   0:00 /var/ossec/bin/ossec-logcollector

It's possible that there are more than one processes of ossec-logcollector, and for this crashes?

Thanks!!

Oriol Val

El dijous, 20 desembre de 2018 13:06:29 UTC+1, rafael...@wazuh.com va escriure:

[rafael...@wazuh.com]

Hi Oriol,

yes that's the problem you have more than one instance running. To fix this, please run these two commands as root:

# pkill -f logcollector
# /var/ossec/bin/ossec-logcollector

Tell me if it worked.

Best regards.

[Oriol]

Hi Rafa,

Yes, just this have worked!!

Thank you so much!

El dijous, 20 desembre de 2018 13:11:40 UTC+1, rafael...@wazuh.com va escriure:

[rafael...@wazuh.com]

Hi Oriol,

I'm glad it worked for you!

Best regards.

On Thursday, December 20, 2018 at 12:03:51 PM UTC+1, Oriol wrote: