ERROR3099 ossec-analysisd stopped


riiky devils

Jul 5, 2021, 5:48:01 AM7/5/21
to Wazuh mailing list
Hello,

For now I'm encountering an issue where the Wazuh API can't connect. The initial problem is that I followed this link https://github.com/wazuh/wazuh/issues/4281 to modify the Wazuh log storage path. After restarting wazuh-manager, suddenly I cannot connect to wazuh-api. It seems wazuh-api is "missing".

Step by step, this is how I modified the log storage path:
> systemctl stop wazuh-manager
> mv /var/ossec/logs/* /tmp/mnt/win/wazuh
> mount --bind /tmp/mnt/win/wazuh /var/ossec/logs
> echo "/tmp/mnt/win/wazuh /var/ossec/logs/ none defaults,bind 0 0" >> /etc/fstab
> systemctl start wazuh-manager

/tmp/mnt/win/wazuh is a QNAP NAS storage location mounted on the local server.
[image: df -h.PNG]

This is my wazuh.yml config in /usr/share/kibana/data/wazuh/config/wazuh.yml:
hosts:
  - default:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui

This is the error when opening the Wazuh plugin in Kibana:
[image: wazuh api error.png]

Log from ossec.log:

2021/07/05 16:35:07 ossec-integratord: ERROR: (1103): Could not open file '/var/ossec/logs/alerts/alerts.json' due to [(2)-(No such file or directory)].
2021/07/05 16:35:07 ossec-integratord: ERROR: (1103): Could not open file '/var/ossec/logs/alerts/alerts.json' due to [(2)-(No such file or directory)].
2021/07/05 16:35:07 ossec-integratord: ERROR: (1103): Could not open file '/var/ossec/logs/alerts/alerts.json' due to [(2)-(No such file or directory)].

Please help me fix this problem.

Thank You

Miguel Angel Cazajous

Jul 5, 2021, 12:08:45 PM7/5/21
to Wazuh mailing list
Hi riiky,

I could repeat the process detailed in that issue, and after restarting the Wazuh service it started fine.

I could also reproduce a similar scenario where it fails. As you can see, both logs, mine and yours, claim that a daemon did not start properly due to a missing file/directory. In my case, the log is the following.

[image: 3.png]

To force this state, after copying the logs from /var/ossec/logs/ to another location, I changed the order of the parameters in the mount --bind command. Doing that ended with all the log files deleted.

My logs folder now looks like this.

[image: 4.png]

Does your directory look similar?

I would like to ask you if you are completely sure the commands/parameters were executed in the right order.

It's the only reason I can think of now why this is not starting as expected.

If you list your files after mounting the logs folder to another location, does it look ok?

Regards!

riiky devils

Jul 5, 2021, 9:59:03 PM7/5/21
to Wazuh mailing list
Hi Miguel,

My logs folder is similar to yours:
[image: logs folder.PNG]

Does this indicate that Wazuh cannot read logs from the new path location?

What steps should be taken so that wazuh-api can work properly again?

Thank You

Miguel Angel Cazajous

Jul 6, 2021, 3:19:58 PM7/6/21
to Wazuh mailing list
Hi riiky,

I apologize for the late response. After doing those steps you should have the same files in both locations; at the end it's the same location.

It seems that the mount didn't work for you. What I can see is that the directory /var/ossec/log was empty after you moved them to the new location, and once you restarted the service just the log files were created, but all the config files were lost.

The important files are the ones you have in /tmp/mnt/win/wazuh.

Before attempting the following I suggest you BACK UP THOSE FILES. I always do that in case something goes wrong; just after everything is ok I delete the backup.

This is what I have.

[image: 1.png]

/var/ossec/logs/ is empty; you should remove those log files.

And then use mount --bind SOURCE TARGET, where SOURCE is /tmp/mnt/win/wazuh and TARGET is /var/ossec/logs.

[image: 2.png]

You can use findmnt to check that the TARGET and SOURCE are the right ones too.

[image: 3.png]

After that, restart the service and it should work.

[image: 4.png]
[image: 5.png]

I hope this was useful. Please, let me know how it goes.

Regards!
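The procedure above (empty TARGET, then mount --bind SOURCE TARGET, then check with findmnt) is where the argument order matters. The following is an added example written for this thread, not Wazuh's own tooling or Miguel's commands: a preflight check that refuses the bind when the arguments look reversed or the target still holds files, and a post-mount check that the two paths now resolve to the same directory. The NAS path and /var/ossec/logs are taken from the thread; the function names are this example's own, and the actual mount line needs root while the checks do not.

```shell
#!/bin/sh
# Added example for relocating /var/ossec/logs with a bind mount.
# Assumed layout (from the thread): SOURCE=/tmp/mnt/win/wazuh, TARGET=/var/ossec/logs.

# bind_logs_preflight SOURCE TARGET
# Exit 0 only when the arguments are in a safe order:
#   1 = a path is not a directory, 2 = SOURCE lacks the Wazuh log tree
#   (i.e. the arguments are probably reversed), 3 = TARGET is not empty.
bind_logs_preflight() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "SOURCE $src is not a directory" >&2; return 1; }
    [ -d "$dst" ] || { echo "TARGET $dst is not a directory" >&2; return 1; }
    # The real logs must already live in SOURCE; an empty SOURCE bound over
    # TARGET would simply hide whatever TARGET held.
    [ -f "$src/ossec.log" ] && [ -d "$src/alerts" ] \
        || { echo "SOURCE $src has no ossec.log/alerts: arguments reversed?" >&2; return 2; }
    # TARGET should be empty, as the thread says, before the bind goes on top.
    if [ -n "$(ls -A "$dst" 2>/dev/null)" ]; then
        echo "TARGET $dst is not empty; move or remove its contents first" >&2
        return 3
    fi
    return 0
}

# same_dir_identity PATH_A PATH_B
# True when both paths are the same directory (same device and inode),
# which is exactly what a successful bind mount gives you.
same_dir_identity() {
    [ "$(stat -c '%d:%i' "$1" 2>/dev/null)" = "$(stat -c '%d:%i' "$2" 2>/dev/null)" ]
}

# bind_logs_verify SOURCE TARGET
# After mounting: TARGET must be a mountpoint (findmnt) and resolve to SOURCE.
bind_logs_verify() {
    src="$1"; dst="$2"
    findmnt -n "$dst" >/dev/null 2>&1 || { echo "$dst is not a mountpoint" >&2; return 1; }
    same_dir_identity "$src" "$dst" || { echo "$dst is mounted, but not from $src" >&2; return 1; }
    echo "$dst is a bind of $src"
}

# Full procedure as a root user (commented out so the checks can run unprivileged):
#   bind_logs_preflight /tmp/mnt/win/wazuh /var/ossec/logs || exit 1
#   mount --bind /tmp/mnt/win/wazuh /var/ossec/logs
#   bind_logs_verify /tmp/mnt/win/wazuh /var/ossec/logs || exit 1
#   systemctl start wazuh-manager
```

The preflight's second check is the one that catches the mistake Miguel describes: if SOURCE and TARGET are swapped, the "source" is the emptied /var/ossec/logs, it has no ossec.log, and the script stops before the empty directory is bound over the NAS copy.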

riiky devils

Jul 7, 2021, 5:58:04 AM7/7/21
to Wazuh mailing list
Hi Miguel,

I already performed the step that moves the logs folder from our NAS back to the original logs path,
but I still face the issue that ossec-analysisd cannot run.
It seems that before this I encountered folder/file permission issues and had to correct them one by one in the /var/ossec folder.

This is the error log from ossec.log:
[image: queue bad file descriptor.PNG]

What is causing the queue folder bad file descriptor? How do I fix it?

Thank You,

Miguel Angel Cazajous

Jul 7, 2021, 5:29:39 PM7/7/21
to Wazuh mailing list

Hi riiky,

I couldn't reproduce that error. I would like to ask you something:

- Did you change anything else in the /var/ossec/ directory, or just the logs directory? I don't see how that is related to the logs relocation.
- When exactly did that occur? After you moved the logs to the original directory, followed by a service restart? Does the service start ok?
- In case the service fails to start, could you share the output of journalctl -xe?
- Also, I would like to see the complete log when you see those error lines.

On the other hand, it's always possible to reinstall the manager if something went wrong. I'm thinking that maybe we are pursuing different and unrelated issues.

Тимур Исламов

Jun 16, 2023, 8:42:00 AM6/16/23
to Wazuh mailing list
Absolutely the same problem as the author: when using --bind, the API does not start:

2023/06/16 15:34:10 wazuh-syscheckd: INFO: (6000): Starting daemon...
2023/06/16 15:34:10 rootcheck: INFO: Starting rootcheck scan.
2023/06/16 15:34:10 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2023/06/16 15:34:10 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2023/06/16 15:34:10 wazuh-analysisd: INFO: (7200): Logtest started
2023/06/16 15:34:10 wazuh-analysisd: CRITICAL: Error opening logfile: 'logs/alerts/2023/Jun/ossec-alerts-16.log': (22) Invalid argument
2023/06/16 15:34:11 wazuh-syscheckd: ERROR: socketerr (not available).
2023/06/16 15:34:11 rootcheck: ERROR: (1224): Error sending message to queue.

2023/06/16 15:34:11 wazuh-remoted: INFO: Started (pid: 428060). Listening on port 1514/TCP (secure).
2023/06/16 15:34:11 wazuh-remoted: INFO: (1501): IP or network must be present in syslog access list (allowed-ips). Syslog server disabled.
2023/06/16 15:34:11 wazuh-remoted: INFO: (1501): IP or network must be present in syslog access list (allowed-ips). Syslog server disabled.
2023/06/16 15:34:11 wazuh-remoted: INFO: (1501): IP or network must be present in syslog access list (allowed-ips). Syslog server disabled.
2023/06/16 15:34:13 wazuh-monitord: INFO: Started (pid: 428105).
2023/06/16 15:34:14 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2023/06/16 15:34:14 wazuh-syscheckd: ERROR: socketerr (not available).
2023/06/16 15:34:14 wazuh-syscheckd: ERROR: (1224): Error sending message to queue.

On Thursday, July 8, 2021 at 00:29:39 UTC+3, Miguel Angel Cazajous:
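Both logs in this thread show the same pattern: one daemon fails to open a file under the logs tree, and the follow-on "socketerr" / "Error sending message to queue" lines come from other daemons that could not reach the one that died. The block below is an added example, not part of the thread or of Wazuh: two small awk filters that summarise an ossec.log by daemon and severity and pull out the path and errno from every failed open, so the operator sees which filesystem is refusing the file. The sample log is constructed from lines in the shape of the ones quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage helpers for /var/ossec/logs/ossec.log.

# Constructed sample input modelled on the lines quoted in this thread.
sample_ossec_log() {
    cat <<'EOF'
2021/07/05 16:35:07 ossec-integratord: ERROR: (1103): Could not open file '/var/ossec/logs/alerts/alerts.json' due to [(2)-(No such file or directory)].
2023/06/16 15:34:10 wazuh-analysisd: INFO: (7200): Logtest started
2023/06/16 15:34:10 wazuh-analysisd: CRITICAL: Error opening logfile: 'logs/alerts/2023/Jun/ossec-alerts-16.log': (22) Invalid argument
2023/06/16 15:34:11 wazuh-syscheckd: ERROR: socketerr (not available).
2023/06/16 15:34:11 rootcheck: ERROR: (1224): Error sending message to queue.
2023/06/16 15:34:11 wazuh-remoted: INFO: Started (pid: 428060). Listening on port 1514/TCP (secure).
EOF
}

# ossec_problem_summary < ossec.log
# One line per (level, daemon) that logged ERROR or CRITICAL: "LEVEL<TAB>daemon<TAB>count".
# Fields: $1 date, $2 time, $3 "daemon:", $4 "LEVEL:".
ossec_problem_summary() {
    awk '$4 == "ERROR:" || $4 == "CRITICAL:" {
            d = $3; sub(/:$/, "", d)
            n[$4 " " d]++
         }
         END {
            for (k in n) {
                split(k, p, " ")
                printf "%s\t%s\t%d\n", substr(p[1], 1, length(p[1]) - 1), p[2], n[k]
            }
         }' | sort
}

# ossec_failed_opens < ossec.log
# For every "Could not open file" / "Error opening logfile" entry print
# "daemon<TAB>errno<TAB>path". The path is the first single-quoted token;
# the errno is the first "(N)" that is followed by its text, so the
# Wazuh message id such as "(1103):" is skipped.
ossec_failed_opens() {
    awk -v q="'" '/Could not open file|Error opening logfile/ {
            d = $3; sub(/:$/, "", d)
            path = ""; errno = ""
            if (match($0, q "[^" q "]+" q)) path = substr($0, RSTART + 1, RLENGTH - 2)
            if (match($0, /\([0-9]+\)[- ]*\(?[A-Za-z]/)) {
                errno = substr($0, RSTART + 1); sub(/\).*/, "", errno)
            }
            printf "%s\t%s\t%s\n", d, errno, path
         }'
}

# Usage on a live manager:
#   ossec_problem_summary < /var/ossec/logs/ossec.log
#   ossec_failed_opens   < /var/ossec/logs/ossec.log
sample_ossec_log | ossec_problem_summary
sample_ossec_log | ossec_failed_opens
```

Reading the output: a CRITICAL from wazuh-analysisd with errno 22 on a relative path under logs/alerts points at the backing mount of the logs directory rather than at the queue; the errno 2 case from 2021 is the other failure in this thread, where the bind left /var/ossec/logs without the expected files.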