Jonathan Polansky

A pretty good webpage.

OSSEC issue resolved: “ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.”

I’ve been using Chef and the OSSEC cookbook (provided at http://community.opscode.com/cookbooks/ossec) to install and manage an OSSEC server and agent nodes. During the process of adding an agent to the server via the ossec::agent recipe, I could not get OSSEC to start on the agent. Even after re-provisioning the agent node numerous times, every time Chef tried to restart ossec (per the recipe), the recipe would fail with the following:

[Fri, 11 Mar 2011 14:38:43 -0800] INFO: template[/var/ossec/etc/ossec.conf] sending restart action to service[ossec] (delayed)
[Fri, 11 Mar 2011 14:39:13 -0800] ERROR: Running exception handlers
[Fri, 11 Mar 2011 14:39:13 -0800] ERROR: Exception handlers complete
/usr/lib64/ruby/gems/1.8/gems/chef-0.9.14/bin/../lib/chef/mixin/command.rb:184:in `handle_command_failures': /sbin/service ossec restart returned 1, expected 0 (Chef::Exceptions::Exec)

Running /sbin/service ossec restart manually would yield:
ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

Google turned up this result which, in this case, turned out to be totally misleading: http://www.ossec.net/wiki/Errors:1210

It turns out that this was due to the agent being added on the server but not configured on the host. I think that when the agent is registered on the server, it tries to connect to it, but since the shared key hadn’t been set up it tries to connect locally instead, causing the error seen above. So, I guess the lesson is, if you configure the server for the agent, be sure to configure the agent at the same time. Otherwise, you’ll get weird, misleading errors client(agent)-side.
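A quick check for the state described above (agent registered on the server, no key on the agent), as an added example that is not part of the original post or the OSSEC cookbook. It assumes the agent's key file is /var/ossec/etc/client.keys with one `ID NAME IP KEY` line per entry; the function name and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post or the cookbook): classify an agent's client.keys.
# Assumption: each live entry is one line "ID NAME IP KEY"; '#' lines are ignored.

# Prints a verdict and returns: 0 ok, 1 missing, 2 empty, 3 multiple, 4 malformed.
check_client_keys() {
    keys_file=$1
    if [ ! -f "$keys_file" ]; then
        echo "MISSING: $keys_file does not exist"
        return 1
    fi
    # The file holds the agent's pre-shared key; flag any access for "other".
    other_perms=$(ls -ld "$keys_file" | cut -c8-10)
    if [ "$other_perms" != "---" ]; then
        echo "WARN: $keys_file is accessible to other users ($other_perms)"
    fi
    # awk always exits 0, so an empty file yields "0 0" instead of a failure.
    counts=$(awk 'NF && $1 !~ /^#/ { n++; if (NF != 4) bad++ }
                  END { print n + 0, bad + 0 }' "$keys_file")
    entries=${counts% *}
    malformed=${counts#* }
    if [ "$entries" -eq 0 ]; then
        echo "EMPTY: no agent key installed; import this agent's key from the server"
        return 2
    fi
    if [ "$malformed" -gt 0 ]; then
        echo "MALFORMED: $malformed of $entries entries are not 'ID NAME IP KEY'"
        return 4
    fi
    if [ "$entries" -gt 1 ]; then
        echo "MULTIPLE: $entries keys present; this check expects one per agent"
        return 3
    fi
    echo "OK: one key, agent ID $(awk 'NF && $1 !~ /^#/ { print $1 }' "$keys_file")"
    return 0
}

# Constructed sample input: an empty file (the state described above) and a valid one.
demo_dir=$(mktemp -d)
: > "$demo_dir/empty.keys"
printf '001 web01 10.0.0.5 %s\n' "CONSTRUCTED0123456789abcdef" > "$demo_dir/one.keys"
chmod 660 "$demo_dir/empty.keys" "$demo_dir/one.keys"
check_client_keys "$demo_dir/empty.keys" || true
check_client_keys "$demo_dir/one.keys" || true
rm -rf "$demo_dir"
```

On a real agent, call `check_client_keys /var/ossec/etc/client.keys` before restarting the service; a non-zero return means the restart is likely to fail for a key-related reason.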


Categorized as Tech

7 Comments

  1. Darryl says:

    How do you configure the client? I am also seeing these errors, and don’t really understand your last paragraph. ;-)

  2. Paige Thompson says:

    wot……
    how do you know that… I’m looking at the “host” configuration on both the client and the server and they both look fine yet I still get that message. Chef put the keys there just fine…

    file "#{node['ossec']['user']['dir']}/etc/client.keys" do
      owner "ossecd"
      group "ossec"
      mode 0660
    end
    that file is obviously empty on every agent… is it not supposed to be? it has the key for every agent in client.keys on the server…

  3. Paige Thompson says:

    K, I just added the proper corresponding key from the server’s client.keys to the client.keys on the agent and started it and it works, please next time finish your blog post :)

  4. Paige Thompson says:

    Also I’m curious how you “fixed” this, as near as I can tell I have to ssh into each server and add the correct corresponding key to each client.keys on each agent for this to work. Please email me.

  5. Paige Thompson says:

    The only way I can think of that would make this work would be to add something in the ossec server recipe that scp’s a client.keys file containing the correct corresponding key to each agent when it generates its own … or have the ossec:server save an item in the databag containing the key and have each client’s recipe grab the correct key by using its hostname as the index key… which obviously hasn’t been done in my version of the cookbook (1.0.1)

  6. Joe Passavanti says:
  7. madhu boppudi says:

    Looks like you have 2 keys in client. Remove old one or remove everything and restart ossec in client
    /var/ossec/queue/rids
    [root@sxdb3102 rids]# ll
    total 8
    -rwxr-xr-x 1 root ossec 9 Oct 13 11:12 211
    -rw-r--r-- 1 ossec ossec 0 Oct 13 11:58 263
    -rwxr-xr-x 1 root ossec 8 Oct 13 11:12 sender_counter
    [root@sxdb3102 rids]# rm -rf *

    restart ossec
