If you are seeing errors like this:
2020/01/08 21:57:10 agent_control: ERROR: (1210): Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2020/01/08 21:57:10 agent_control: ERROR: (1301): Unable to connect to active response queue.
** Unable to connect to remoted.
This likely means the remoted daemon is not running.
Note: For ASL v5 and AWP v5 users, this message is normal as those systems do not use the remoted service. You can ignore this message.
For all other users, include AEO users, run this command as root to restart the services:
service ossec-hids restart
If this command can not restart the remoted service the most likely cause is that system has run out of drive space (In Linux only the root user can use 100% of drive space, so if the system has 5% or less of its drive space left the system has no drive space left for other users or processes). Add more drive space to the system or you can remove archived logs from this directory:
Note: Do not remove this directory, archive logs are stored in subdirectories by year, and within those directories by Month.
Data retention settings are also controlled from the GUI. Click on "Settings", then the ASL, AEO or AWP configuration sub option (this settings name will vary depending on the type of software installed on the agents and hubs), then select "Data Retention Policies" and select a retention period that is appropriate for your needs. Old data is expunged nightly, changing this setting will not immediately remove old data.