
[ossec-dev] Re: ossec-syscheckd and ossec-rootcheck




Hi Robert,

The only reader of queue/ossec/queue is analysisd, all the others are writers.
If analysisd is not running, you will get this "queue" error for all
processes (syscheck, rootcheck, remoted, etc).

Maybe this "ascii" drawing will help understand (ugh):

analysisd (reader) -- queue/ossec/queue
                              /          \
                              |   |   |   |
                           (writers to ossec queue)
                           rootcheck, syscheck, remoted, logcollector


Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net


On 3/21/07, Robert Millan [ackstorm] <rmillan@xxxxxxxxxxx> wrote:


Hi,

What role do ossec-syscheckd and ossec-rootcheck play in the ossec internal
design?  It seems they're trying to communicate through a socket, but for
some reason one of them isn't doing the right thing:

2007/03/21 11:42:12 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: Connection refused.
2007/03/21 11:42:12 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: Connection refused.
2007/03/21 11:42:20 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: Connection refused.
2007/03/21 11:42:20 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: Connection refused.
2007/03/21 11:42:33 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: Connection refused.
2007/03/21 11:42:33 ossec-rootcheck(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

$ ls -l /var/ossec/queue/ossec/queue
srw-rw---- 1 ossec ossec 0 2007-03-21 11:42 /var/ossec/queue/ossec/queue
$ fuser /var/ossec/queue/ossec/queue
$ file /var/ossec/queue/ossec/queue
/var/ossec/queue/ossec/queue: socket
$

Who is the writer and who is the reader here?  Maybe the reader wasn't there
when the writer attempted to open() or write()?

Thanks

--
Robert Millan

ACK STORM, S.L.  -  http://www.ackstorm.es/
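
Added example, not part of the original thread and not OSSEC code: a Python probe that reproduces the state shown in the log above, where the socket file exists on disk but no reader is bound to it, so every writer gets "Connection refused". It assumes the queue is a Unix datagram socket; the temporary path and the payload are constructed for the demonstration.

```python
import os
import socket
import tempfile


def probe_queue(path):
    """Classify a Unix datagram queue socket the way a writer process sees it."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "reader-present"      # some process has the socket bound
    except FileNotFoundError:
        return "missing"             # no socket file at all
    except ConnectionRefusedError:
        return "no-reader"           # file exists, nobody bound: the error in the log
    except PermissionError:
        return "permission-denied"   # writer lacks write access to the socket file
    finally:
        s.close()


def demo():
    """Walk one constructed queue through: missing -> bound -> stale."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "queue")          # constructed stand-in path
        results["before"] = probe_queue(path)

        reader = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        reader.bind(path)                        # the single reader binds the queue
        results["bound"] = probe_queue(path)

        writer = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        writer.connect(path)
        writer.send(b"constructed test message")
        results["received"] = reader.recv(1024)
        writer.close()

        reader.close()                           # reader exits; file is left behind
        results["file_still_exists"] = os.path.exists(path)
        results["stale"] = probe_queue(path)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, "->", outcome)
```

Run against a real queue path, `probe_queue` separates a stopped reader ("no-reader") from a permissions problem, which `ls -l` on the socket file alone cannot show.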





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.