Hi Dan, What kernel version are you using? On old kernel versions it used to have a bug that if you attempted to read a file in the /sys directory the kernel would crash.
When syscheck/rootcheck tried to scan the file system it would read that file and crash the server. Not an OSSEC bug, but triggered that issue on the kernel. If you have an old 2.6 kernel version, my recommendation is to update it or to add <ignore>/sys</ignore> to the rootcheck and syscheck sections. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Mon, Oct 19, 2009 at 6:11 PM, Dan Denton <dden...@remitpro.com> wrote: > I have several systems running on Dell PE2850 hardware running RHEL4 > 32-bit OS. I’ve deployed OSSEC to them, one as a standalone server and > another as an agent to a third server. Both of these servers are running > Dell’s OMSA software, which has a agent that looks for server hangs, and > reboots the server after a preset amount of time should a hang be detected. > > > > Both servers have a history of solid uptime, but since installing OSSEC, > the one standalone installation has rebooted once, and the agent server has > rebooted 3 times. We’ve been running OSSEC successfully on other servers for > over a year now, and I’m baffled why these are now hanging and being > rebooted, or rather that Dell’s OMSA software sees the server hanging and > forces a reboots. Logs are useless in these cases, as the OMSA logs simply > say an automatic reboot has taken place, and the server logs show normal use > one moment and a reboot the next. The configurations for OSSEC are pretty > vanilla, with everything except active-response enabled, and very few > modifications to the ossec.conf file. > > > > Does anyone else have Dell OMSA running on their servers with OSSEC and > have you seen such forced reboots? > > > > Thanks in advance… > > > > Dan > > >
