If you're receiving email notices like this:
Subject: [psmon/pp100.obinet.net] Failed to spawn 'ossec-dbd' with '/sbin/service ossec-hids restart'
Or you are getting alert notices like this:
Command executed: /sbin/service ossec-hids restart
Exit value: 0
Signal number: 0
Dumped core?: 0
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
This message means that the host intrusion detection system will not start. This generally means one of the following:
- The HIDS has been shut down manually, and is being automatically restarted by ASL.
- The HIDS has been automatically restarted by ASL to install updates to the HIDS.
- The HIDS or a part of the HIDS is not running correctly and has been restarted by ASL to fix this condition.
- The HIDS has run into a condition that is preventing it from starting.
See the section "Solutions" below for assistance if the HIDS will not start.
If this condition continues to occur, that is, you get a series of these alerts within a minute or two of each other, then ASL is not able to restart the HIDS.
If the aforementioned alert is just a single notice with no additional alerts, then everything is fine. ASL just needed to restart OSSEC to apply some software updates to OSSEC.
The most common cause of this condition is that the ossec-dbd process has a problem communicating with the system's database server, or the tables it uses are corrupt or crashed. This means that either the database server (mysql) is not listening on the configured IP address and port, the database is overloaded and is rejecting connections (or is over-tuned and is dropping connections), or a table has been corrupted and can no longer be updated or accessed.
1) ASL not up to date
Upgrade ASL per the upgrade procedure:
Then run this command:
service ossec-hids restart
If OSSEC starts, your system is working normally. If not, continue with this troubleshooting guide.
2) Mysql problems
First, check your mysql logs to determine if you have any corrupt databases that require repair.
grep -i error /var/log/mysqld.log
Note: Some control panels disable mysql logging, or may change the location of the mysql log file.
The HIDS will not start correctly to log events to the database if the tables it is using are corrupt. If you have crashed tables, please see this article:
If there are no mysql errors, check the log below for any error messages:
Then check this FAQ for guidance on those specific errors (just use your browser's search function to look for those messages on this page). In most cases OSSEC will not start because there is a problem communicating with the system's database or the HIDS rules are not up to date.
3) HIDS rules are not up to date
Run these commands as root:
asl -s -f
4) Firewall rules do not allow connection to the database
Temporarily clear your firewall rules:
service asl-firewall stop
service iptables stop
If OSSEC can start now, you have configured a firewall rule that is blocking database connections. You will need to remove this rule.
If OSSEC still cannot start, your firewall rules are likely not the cause.
5) /etc/hosts file incorrectly configured
An incorrectly configured /etc/hosts file can cause issues with startup. Examples include using a hostname for the database that does not resolve or is not in the /etc/hosts file, or a missing or incomplete localhost entry in /etc/hosts (localhost should resolve to 127.0.0.1).
6) Database improperly configured
A non-optimally tuned database that is rejecting connections can cause start up issues. Please see the recommended minimum configuration for mysql at this URL:
Equally, over-tuning mysql can cause it to drop connections. If you believe this is happening to you, please contact a qualified MySQL consultant for assistance configuring your database.
7) Overloaded Mysql
An overloaded database that is dropping, closing or rejecting connections sporadically can cause start up issues. If you believe this to be the case, you will need to either allocate more resources for your database, or remove load.
8) MySQL not listening for TCP
A database that is not listening on a TCP port, or not on the same port that you have configured ASL to use, can cause start up errors. Check to make sure your MySQL server is listening on port 3306 on the IP address you have configured ASL to use as its database server.
9) MySQL not listening on configured IP
A database server that is listening on a different IP address from the one configured for ASL can cause start up errors. Check to make sure your MySQL server is listening on port 3306 on the IP address you have configured ASL to use as its database server.
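The checks for causes 5, 8 and 9 can be scripted. The following is an added example, not part of the original guide or of ASL; the function names and the DB_HOST and DB_PORT variables are assumptions and must be set to the database address and port ASL is configured to use.

```shell
#!/bin/sh
# Added example, not ASL code. DB_HOST and DB_PORT are assumptions: set them
# to the database address and port that ASL is configured to use.

# Print every address a hosts-format file maps NAME to; return 1 if none.
hosts_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                      # drop comments
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; found = 1; break } }
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# Cause 5: localhost must map to 127.0.0.1, and a database host given by
# name (rather than as an IPv4 address) needs an entry as well.
check_hosts() {
    hosts_file="${1:-/etc/hosts}"; name="${2:-}"; rc=0
    if ! hosts_lookup localhost "$hosts_file" | grep -qx '127\.0\.0\.1'; then
        echo "FAIL: localhost does not map to 127.0.0.1 in $hosts_file"; rc=1
    fi
    case "$name" in
        *[!0-9.]*)
            if ! hosts_lookup "$name" "$hosts_file" >/dev/null; then
                echo "FAIL: '$name' has no entry in $hosts_file"; rc=1
            fi ;;
    esac
    return $rc
}

# Causes 8 and 9: does anything accept TCP connections on HOST:PORT?
# Uses bash's /dev/tcp redirection; timeout(1) bounds a filtered port.
check_db_port() {
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "${2:-3306}" 2>/dev/null; then
        echo "OK: $1:${2:-3306} accepts TCP connections"
    else
        echo "FAIL: no listener reachable on $1:${2:-3306}"; return 1
    fi
}

main() {
    status=0
    check_hosts /etc/hosts "${DB_HOST:-127.0.0.1}" || status=1
    check_db_port "${DB_HOST:-127.0.0.1}" "${DB_PORT:-3306}" || status=1
    return $status
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with the argument `run`. A database host name that is missing from /etc/hosts is reported as a failure even if DNS would resolve it, so confirm that case separately.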