```
2025-06-25 12:14:45 ossec-syscheckd: INFO: (6286): Ignoring file '/etc/nmp/errlog'.
2025-06-25 12:14:46 ossec-logcollector: INFO: (1958): Analyzing file: '/var/log/httpderror_log'.
2025-06-25 12:14:46 ossec-logcollector: ERROR: (1958): Could not open file '/var/log/tortixdasi_error_log' due to [(2)-(No such file or directory)].
2025-06-25 12:14:46 ossec-logcollector: ERROR: (1958): Could not open file '/var/log/apache2error_log' due to [(2)-(No such file or directory)].
2025-06-25 12:14:46 ossec-logcollector: ERROR: (1958): Could not open file '/var/log/sw-cp-servererror_log' due to [(2)-(No such file or directory)].
2025-06-25 12:14:46 ossec-logcollector: ERROR: (1958): Could not open file '/var/log/plesk-roundcube' due to [(2)-(No such file or directory)].
2025-06-25 12:14:53 ossec-modulesd: WARNING: Ignoring content 's-centos-7ds.xml' due to errors (1).
2025-06-25 12:15:27 ossec-syscheckd: ERROR: in_wcompress_gzfile(): fopen error /usr/lib/build-id/4d/e546c9181ba09cb1f36452c2ca14ca7ece3fb (2): 'No such file or directory'.
2025-06-25 12:15:29 ossec-syscheckd: ERROR: in_wcompress_gzfile(): fopen error /usr/lib/build-id/18/0e9867b5978eece36a859823984808371a2 (2): 'No such file or directory'.
2025-06-25 12:15:33 ossec-syscheckd: ERROR: in_wcompress_gzfile(): fopen error /usr/lib/build-id/25/c39b5426ef4d478712c7dec5822a665a3b (2): 'No such file or directory'.
2025-06-25 12:15:35 ossec-syscheckd: ERROR: in_wcompress_gzfile(): fopen error /usr/lib/build-id/33/c558e2c76deec78a3ebff3c2278e1c789 (2): 'No such file or directory'.
```

- "Could not open file" (ossec-logcollector):
  - Description: The ossec-logcollector process attempted to open log files (e.g., /var/log/httpderror_log, /var/log/tortixdasi_error_log, etc.) but failed.
  - Reason: The error code (2) - (No such file or directory) suggests that the specified log files do not exist at the given paths.
  - Cause: This could be due to misconfiguration (wrong file paths in OSSEC configuration), files not being created by the applications, or permissions issues. OSSEC will skip monitoring these non-existent files.
- "Ignoring file" (ossec-syscheckd):
  - Description: The ossec-syscheckd process is ignoring a file (e.g., /etc/snmp/errlog).
  - Reason: This is typically an informational message indicating that the file is being excluded from monitoring, possibly due to configuration settings or lack of relevance.
  - No action is needed unless you intended to monitor this file.
- "Ignoring content" (ossec-modulesd):
  - Description: The ossec-modulesd process is ignoring content (e.g., s-centos-7ds.xml) due to errors.
  - Reason: The error code (1) suggests a general error, possibly a parsing issue or invalid content in the file.
  - Cause: The file may be corrupted or not in the expected format, and OSSEC skips processing it.
- "fopen error" (ossec-syscheckd in_wcompress_gzfile):
  - Description: The ossec-syscheckd process encountered an error while trying to open compressed files (e.g., /usr/lib/build-id/4d/e546c9181ba09cb1f36452c2ca14ca7ece3fb) using the in_wcompress_gzfile function.
  - Reason: The error (2) - (No such file or directory) indicates that the compressed files (likely .gz files) do not exist at the specified paths.
  - Cause: This could result from OSSEC attempting to monitor files that were deleted, moved, or never created. It might also indicate a misconfiguration where OSSEC is looking in the wrong directory (e.g., /usr/lib/build-id/).

General Insights:
- Most errors stem from OSSEC trying to access files or directories that do not exist, which could be due to dynamic file creation (e.g., log rotation removing old files).
- These errors are non-critical in most cases, as OSSEC will skip the missing files and continue monitoring other configured resources. However, they may indicate gaps in coverage if the missing files are intended to be monitored.
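
To find the coverage gaps mentioned above, the four message types can be separated automatically. The following is an added example, not part of OSSEC or of the original page: it sorts lines copied from the log excerpt into the categories described here and lists the log files that ossec-logcollector could not open. The category names and function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt on this page (a subset covering each message type).
SAMPLE = """\
2025-06-25 12:14:45 ossec-syscheckd: INFO: (6286): Ignoring file '/etc/nmp/errlog'.
2025-06-25 12:14:46 ossec-logcollector: INFO: (1958): Analyzing file: '/var/log/httpderror_log'.
2025-06-25 12:14:46 ossec-logcollector: ERROR: (1958): Could not open file '/var/log/plesk-roundcube' due to [(2)-(No such file or directory)].
2025-06-25 12:14:53 ossec-modulesd: WARNING: Ignoring content 's-centos-7ds.xml' due to errors (1).
2025-06-25 12:15:27 ossec-syscheckd: ERROR: in_wcompress_gzfile(): fopen error /usr/lib/build-id/4d/e546c9181ba09cb1f36452c2ca14ca7ece3fb (2): 'No such file or directory'.
"""

# Header shared by every line: timestamp, daemon, severity, message.
LINE = re.compile(r"^(\S+ \S+) (ossec-\w+): (INFO|WARNING|ERROR): (.*)$")

# (hypothetical category name, daemon, pattern capturing the affected path or name)
RULES = [
    ("logcollector_missing_file", "ossec-logcollector",
     re.compile(r"Could not open file '([^']+)' due to \[\(2\)")),
    ("syscheck_ignored_file", "ossec-syscheckd",
     re.compile(r"Ignoring file '([^']+)'")),
    ("modulesd_ignored_content", "ossec-modulesd",
     re.compile(r"Ignoring content '([^']+)' due to errors")),
    ("syscheck_fopen_missing", "ossec-syscheckd",
     re.compile(r"in_wcompress_gzfile\(\): fopen error (\S+) \(2\)")),
]

def triage(text):
    """Group affected paths by category; unmatched messages go under 'other'."""
    found = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ossec.log line in the expected layout
        _, daemon, _, msg = m.groups()
        for category, rule_daemon, pattern in RULES:
            hit = pattern.search(msg) if daemon == rule_daemon else None
            if hit:
                found[category].append(hit.group(1))
                break
        else:
            found["other"].append(msg)
    return dict(found)

def coverage_gaps(text):
    """Log files logcollector was configured to read but could not open."""
    return sorted(set(triage(text).get("logcollector_missing_file", [])))

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, items)
```

Each path returned by `coverage_gaps` can then be compared against the configured log locations to decide whether the entry should be corrected or removed.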