OSSEC agent socket busy error on HP-UX
57 views
Skip to first unread message
l0515
Aug 17, 2009, 1:10:05 PM8/17/09
to ossec...@ossec.net
I have a problem regarding running OSSEC agent (v.2.1.1) on HP-UX (11.23, ia64). The agent itself installed and started ok, no visible problems. The agent start/connection event is visible on OSSEC management server (also v.2.1.1). However after the startup, the agent fails to send anything to the server, the daemons remain functional, it just doesn't seem to be able to send the collected data. Here is the relevant part from the agent's ossec.log:
------------------
2009/08/17 13:13:50 ossec-agentd(1410): INFO: Reading authentication keys file.
2009/08/17 13:13:50 ossec-agentd: INFO: Started (pid: 2007).
2009/08/17 13:13:50 ossec-agentd: INFO: Server IP Address: xx.xx.xx.xx
2009/08/17 13:13:50 ossec-agentd: INFO: Trying to connect to server (xx.xx.xx.xx:1514).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-rootcheck: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
2009/08/17 13:13:56 ossec-logcollector: INFO: Started (pid: 2011).
2009/08/17 13:13:56 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2009/08/17 13:14:11 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2009/08/17 13:14:11 ossec-agentd(4102): INFO: Connected to the server (xx.xx.xx.xx:1514).
2009/08/17 13:14:26 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/08/17 13:18:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/08/17 13:20:43 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/08/17 13:21:10 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:29 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socketerr (not available).
2009/08/17 13:21:39 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:48 ossec-syscheckd: socket busy ..
2009/08/17 13:21:58 ossec-syscheckd: socket busy ..
--------snipity-snip----------
2009/08/17 13:32:10 ossec-logcollector: socketerr (not available).
2009/08/17 13:32:10 ossec-logcollector(1224): ERROR: Error sending message to queue.
2009/08/17 13:32:29 ossec-logcollector: socket busy ..
--------snipity-snip----------
..and so on it repeats with no end in sight. Nothing is visible on the server side (both the webUI and logs), except after a while it just says that "Ossec agent disconnected.". There are other agents (albeit those are Linux and Windows) running with the same management server without any problems. Both servers can communicate otherwise (ICMP, SSH etc.), there is no significant load on the servers or network between them. I fruitlessly tried to search in the mailing list and other places, but nobody seems to have had similar problems or nobody answered those who did. Is this a bug of some sort or something extra needs to be tweaked/configured for OSSEC agent to work properly on HP-UX?
------------------
2009/08/17 13:13:50 ossec-agentd(1410): INFO: Reading authentication keys file.
2009/08/17 13:13:50 ossec-agentd: INFO: Started (pid: 2007).
2009/08/17 13:13:50 ossec-agentd: INFO: Server IP Address: xx.xx.xx.xx
2009/08/17 13:13:50 ossec-agentd: INFO: Trying to connect to server (xx.xx.xx.xx:1514).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-rootcheck: INFO: Started (pid: 2015).
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2009/08/17 13:13:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog'.
2009/08/17 13:13:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/syslog/syslog.log'.
2009/08/17 13:13:56 ossec-logcollector: INFO: Started (pid: 2011).
2009/08/17 13:13:56 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2009/08/17 13:14:11 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2009/08/17 13:14:11 ossec-agentd(4102): INFO: Connected to the server (xx.xx.xx.xx:1514).
2009/08/17 13:14:26 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/08/17 13:18:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/08/17 13:20:43 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/08/17 13:21:10 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd: socket busy ..
2009/08/17 13:21:20 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:29 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socket busy ..
2009/08/17 13:21:39 ossec-syscheckd: socketerr (not available).
2009/08/17 13:21:39 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2009/08/17 13:21:48 ossec-syscheckd: socket busy ..
2009/08/17 13:21:58 ossec-syscheckd: socket busy ..
--------snipity-snip----------
2009/08/17 13:32:10 ossec-logcollector: socketerr (not available).
2009/08/17 13:32:10 ossec-logcollector(1224): ERROR: Error sending message to queue.
2009/08/17 13:32:29 ossec-logcollector: socket busy ..
--------snipity-snip----------
..and so on it repeats with no end in sight. Nothing is visible on the server side (both the webUI and logs), except after a while it just says that "Ossec agent disconnected.". There are other agents (albeit those are Linux and Windows) running with the same management server without any problems. Both servers can communicate otherwise (ICMP, SSH etc.), there is no significant load on the servers or network between them. I fruitlessly tried to search in the mailing list and other places, but nobody seems to have had similar problems or nobody answered those who did. Is this a bug of some sort or something extra needs to be tweaked/configured for OSSEC agent to work properly on HP-UX?
Michael Starks
Aug 18, 2009, 5:20:25 PM8/18/09
to ossec...@googlegroups.com
On Mon, 17 Aug 2009 20:10:05 +0300, l0515 <l0...@inbox.lv> wrote:
> I have a problem regarding running OSSEC agent (v.2.1.1) on HP-UX (11.23,
> ia64). The agent itself installed and started ok, no visible problems.
The
> agent start/connection event is visible on OSSEC management server (also
> v.2.1.1). However after the startup, the agent fails to send anything to
> the
> server, the daemons remain functional, it just doesn't seem to be able to
> send the collected data.
I have no idea if this is relevant, but I recall having a problem with
HP-UX a couple of years ago when I wasn't using gcc to compile OSSEC. I
don't remember what the problem was, but I remember that the HP-UX build
environment didn't work. Sorry it's vague but I hope it helps.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
l0515
Aug 21, 2009, 9:31:57 AM8/21/09
to ossec...@ossec.net
Thanks for the tip, Michael. I tried to compile OSSEC with gcc4, which did not succeed (some sort of bug/incompatibility, there are similar problems reported regarding gcc4 on HP-UX). Then I tried gcc3, which did not produce any errors, however the behaviour of OSSEC after this fresh installation remained exactly the same, so now I am back at square 0. I am eager to get this working on HP-UX, but I'm fresh out of ideas.
Reply all
Reply to author
Forward
0 new messages