Documentation

From OSSEC Wiki

What does "1210 - Queue not accessible" mean?

/queue/ossec/queue

If you have logs similar to:

2008/04/29 15:40:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/04/29 15:40:39 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/04/29 15:40:45 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/04/29 15:40:45 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2008/04/29 15:41:00 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/04/29 15:41:00 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

It means that ossec-analysisd is not running for some reason.


The main reasons for this to happen are:

  • ossec-analysisd didn't start properly. Look at the logs for any error from it.
  • ossec-analysisd didn't start at all. A bug in the init scripts can prevent it from starting during system reboot if the PID is already in use (we are working to fix it).


How to fix it:

  • Stop OSSEC and start it again:
    # /var/ossec/bin/ossec-control stop
    (you can also check in /var/ossec/var/run that no PID file is left there)
    # /var/ossec/bin/ossec-control start
  • If there is any configuration error, fix it.

/queue/alerts/ar

If you have logs similar to:

2009/02/17 12:03:04 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2009/02/17 12:03:04 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.

It means that nothing is listening on the other end of the socket that the ossec-analysisd daemon wants to write to. This can happen in an OSSEC server installation. The daemon that should be listening on this socket is ossec-remoted.

How to fix it:

  • Add an OSSEC client (agent) with the /opt/ossec/bin/manage_agents utility on both agent and server. Then restart OSSEC. ossec-remoted should now be listening on the socket.
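
To tell the causes of a 1210 error apart for both queues above, the following added example (not part of the original wiki page or of OSSEC itself) connects to each queue socket and reports whether a daemon is listening. It assumes a default install under /var/ossec, that the queues are Unix datagram sockets, and that '/queue/alerts/ar' in the chrooted log line maps to /var/ossec/queue/alerts/ar; the function names are hypothetical. Run it as root or as a user allowed to reach the queue directory.

```python
import errno
import socket

# Queue path -> daemon that should be listening on it, as described on this page.
# The second path is an assumption (chroot-relative path prefixed with /var/ossec).
QUEUES = {
    "/var/ossec/queue/ossec/queue": "ossec-analysisd",
    "/var/ossec/queue/alerts/ar": "ossec-remoted",
}

HINTS = {
    "listening": "OK",
    "refused": "socket file exists but the daemon is not running; check its log "
               "and stale PID files, then restart OSSEC",
    "missing": "socket was never created; the daemon has not started",
    "denied": "permission denied; run the check as root or the ossec user",
}


def probe_queue(path):
    """Return 'listening', 'refused', 'missing', 'denied' or 'error:<ERRNO>'."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)  # assumption: datagram queue
    try:
        s.connect(path)  # connect only; nothing is written into the queue
        return "listening"
    except ConnectionRefusedError:   # the 'Connection refused' seen in the logs
        return "refused"
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "denied"
    except OSError as e:             # e.g. EPROTOTYPE if the socket type differs
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def report(queues=QUEUES):
    """Build one status line per queue."""
    lines = []
    for path, daemon in queues.items():
        state = probe_queue(path)
        hint = HINTS.get(state, "unexpected socket error")
        lines.append("%s (%s): %s - %s" % (path, daemon, state, hint))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```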