Hi Dan - thanks for the reply. Further research showed the /var/ossec/queue ownership as root:ossec.
I changed this to ossec:ossec. I left the permissions at 750. Time to change my puppet scripts and rebake the image. It is a mystery how it ever worked with settings like this.... Again - Thanks! Matt On Tuesday, September 22, 2015 at 7:16:33 PM UTC-7, dan (ddpbsd) wrote: > > On Tue, Sep 22, 2015 at 4:56 AM, Matt Hickie <mhi...@gmail.com > <javascript:>> wrote: > > Running into an issue with ossec-remoted not running. Setup had been > > working for over a couple of months and now the remoted process just > seems > > to die. This is running on AWS linux > > > > Enabled debug with gdb. > > > > /var/ossec/bin/ossec-control enable debug > > /var/ossec/bin/ossec-control restart > > > > ran ossec-remoted in gdb. Below is output. > > > > Any help would be greatly appreciated. I am a bit worried I have > exceeded > > the max agents. It should not be that many >256 yet and was hopping to > see > > something from the gdb. > > > > If there are more than 256, did you recompile with support for more > agents? Are there any log messages in the ossec.log related to > remoted? > > > Thanks! > > > > gdb output > > ------------------------ > > gdb /var/ossec/bin/ossec-remoted > > GNU gdb (GDB) Amazon Linux (7.6.1-51.27.amzn1) > > Copyright (C) 2013 Free Software Foundation, Inc. > > License GPLv3+: GNU GPL version 3 or later > > <http://gnu.org/licenses/gpl.html> > > This is free software: you are free to change and redistribute it. > > There is NO WARRANTY, to the extent permitted by law. Type "show > copying" > > and "show warranty" for details. > > This GDB was configured as "x86_64-amazon-linux-gnu". > > For bug reporting instructions, please see: > > <http://www.gnu.org/software/gdb/bugs/>... > > Reading symbols from /var/ossec/bin/ossec-remoted...Reading symbols from > > /usr/lib/debug/var/ossec/bin/ossec-remoted.debug... > > warning: Skipping deprecated .gdb_index section in > > /usr/lib/debug/var/ossec/bin/ossec-remoted.debug. > > Do "set use-deprecated-index-sections on" before the file is read > > to use the section anyway. > > done. > > done. > > (gdb) set follow-fork-mode child > > (gdb) run > > Starting program: /var/ossec/bin/ossec-remoted > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > 2015/09/21 23:05:34 ossec-remoted: DEBUG: Starting ... > > [New process 7230] > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > [New process 7231] > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > [New process 7232] > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > [New Thread 0x7ffff75f2700 (LWP 7233)] > > [New Thread 0x7ffff6df1700 (LWP 7234)] > > [Thread 0x7ffff6df1700 (LWP 7234) exited] > > [Thread 0x7ffff75f2700 (LWP 7233) exited] > > [Inferior 4 (process 7232) exited with code 01] > > (gdb) > > > > Did you run any other commands to try and get any more info? > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
