-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
I've noticed that when I (re)start ossec, ossec-remoted seems to
exit immediately. There's no indication of what's happened in the
ossec.log. I get a pid, then nothing. And if I do a `ps -ef` it's
not there. And when the restart command goes to stop the service(s),
I get this:
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v0.9 Stopped
This doesn't mean a whole lot to me, but maybe someone on the list can
use it (apologies for the length). This is what I get from `strace
/var/ossec/bin/ossec-remoted -t`:
execve("/var/ossec/bin/ossec-remoted", ["/var/ossec/bin/ossec-remoted", "-t"], [/* 45 vars */]) = 0
uname({sys="Linux", node="gentoo", ...}) = 0
brk(0) = 0x8073000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=156766, ...}) = 0
mmap2(NULL, 156766, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f5b000
close(3) = 0
open("/lib/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0LH\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=99085, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f5a000
mmap2(NULL, 70104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f48000
madvise(0xb7f48000, 70104, MADV_SEQUENTIAL|0x1) = 0
mmap2(0xb7f56000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd) = 0xb7f56000
mmap2(0xb7f58000, 4568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f58000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\322O\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1150072, ...}) = 0
mmap2(NULL, 1120444, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e36000
madvise(0xb7e36000, 1120444, MADV_SEQUENTIAL|0x1) = 0
mmap2(0xb7f42000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10c) = 0xb7f42000
mmap2(0xb7f45000, 10428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f45000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e35000
mprotect(0xb7f42000, 4096, PROT_READ) = 0
mprotect(0xb7f56000, 4096, PROT_READ) = 0
mprotect(0xb7f97000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e356b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f5b000, 156766) = 0
set_tid_address(0xb7e356f8) = 15563
rt_sigaction(SIGRTMIN, {0xb7f4c476, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xb7f4c3f0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbf91c450, 43, (nil), 0}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\210\10\2464", 4) = 4
close(3) = 0
brk(0) = 0x8073000
brk(0x8094000) = 0x8094000
open("/var/ossec/etc/ossec.conf", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0550, st_size=3589, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f81000
read(3, "<ossec_config>\n <global>\n <e"..., 4096) = 3589
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f81000, 4096) = 0
exit_group(0) = ?
Process 15563 detached
So, it looks like it reads the config file and then "detaches", which
I take to mean that the daemon forks off into daemon mode, but it
stops instead. Is there something in the ossec.conf that tells the
server that it has agents that need to be listened to? (I'm assuming
here that ossec-remoted is what handles the agents.)
- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE6kIkTPA54hjTSp4RAraDAJ9KdlwV0QICsVrD3TqVIsQHk0vT+gCgogTW
GXsCfmbEJAuX5sl9SoKLtlg=
=j9SB
-----END PGP SIGNATURE-----
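The trace above carries the answer in its last few lines: the process opens ossec.conf, reads all 3589 bytes, and then calls exit_group(0), a clean, deliberate exit rather than a crash or a failed open. Reading that out of a wall of mmap2 and mprotect calls by eye is tedious, so here is an added example (my own code, not from the OSSEC project and not from the post) that walks strace output, keeps a table of which path each descriptor refers to, and reports the exit status, the last file opened and how many bytes were read from it. The first sample trace is a condensed excerpt of the one in the message; the second, with a missing config file, is constructed to show the failure branch. OSSEC's daemons also take -t as a "test configuration" flag, under which they exit as soon as ossec.conf parses, which is exactly the clean exit the script flags here.

```python
"""Summarise an strace log of a short-lived daemon.

Added example (not code from the OSSEC project or from the original post).
It tracks open/read/close/exit syscalls so that a daemon which exits with
no log message can be traced to the point where it gave up.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# strace prints one syscall per line:  name(args) = result [errno text]
SYSCALL_RE = re.compile(
    r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)(?P<rest>.*)$')
QUOTED_RE = re.compile(r'"([^"]*)"')   # first quoted argument, i.e. the path


@dataclass
class TraceSummary:
    exit_status: Optional[int] = None   # argument of exit_group/_exit, if seen
    killed_by: Optional[str] = None     # signal name from "+++ killed by SIG... +++"
    opens: list = field(default_factory=list)      # (path, errno or None) in trace order
    bytes_read: dict = field(default_factory=dict)  # path -> total bytes read

    @property
    def last_opened(self) -> Optional[str]:
        """Last path that was opened successfully."""
        ok = [p for p, err in self.opens if err is None]
        return ok[-1] if ok else None


def parse_strace(text: str) -> TraceSummary:
    s = TraceSummary()
    fd_table = {}  # fd -> path, rebuilt from open() results and close() calls
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('+++ killed by'):
            s.killed_by = line.split()[3]
            continue
        m = SYSCALL_RE.match(line)
        if not m:
            continue  # "Process 15563 detached" and other non-syscall lines
        name, args, ret, rest = m.group('name', 'args', 'ret', 'rest')
        if name in ('open', 'openat'):
            path = QUOTED_RE.search(args).group(1)
            if ret.startswith('-'):
                s.opens.append((path, rest.split()[0]))   # e.g. ENOENT
            else:
                fd_table[int(ret)] = path
                s.opens.append((path, None))
        elif name in ('read', 'pread64'):
            fd = int(args.split(',', 1)[0])
            path = fd_table.get(fd, 'fd%d' % fd)
            s.bytes_read[path] = s.bytes_read.get(path, 0) + int(ret)
        elif name == 'close':
            fd_table.pop(int(args), None)
        elif name in ('exit_group', '_exit', 'exit'):
            s.exit_status = int(args)
    return s


def diagnose(s: TraceSummary) -> str:
    """One-line verdict on why the traced process stopped."""
    if s.killed_by:
        return 'killed by %s after opening %s' % (s.killed_by, s.last_opened)
    if s.exit_status is None:
        return 'no exit seen in trace (still running, or trace truncated)'
    if s.exit_status == 0:
        # A clean exit with no failed open is a decision the program made
        # itself: look at its command-line flags and at the last file it read.
        where = s.last_opened or 'no file'
        return 'clean exit (status 0) after reading %d bytes from %s' % (
            s.bytes_read.get(where, 0), where)
    if s.opens:
        path, err = s.opens[-1]
        if err:
            return 'exit status %d right after open of %s failed with %s' % (
                s.exit_status, path, err)
        return 'exit status %d after opening %s' % (s.exit_status, path)
    return 'exit status %d before opening any file' % s.exit_status


# Condensed excerpt of the trace from the message above.
OSSEC_TRACE = r'''
execve("/var/ossec/bin/ossec-remoted", ["/var/ossec/bin/ossec-remoted", "-t"], [/* 45 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\322O\1"..., 512) = 512
close(3) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\210\10\2464", 4) = 4
close(3) = 0
open("/var/ossec/etc/ossec.conf", O_RDONLY|O_LARGEFILE) = 3
read(3, "<ossec_config>\n <global>\n <e"..., 4096) = 3589
read(3, "", 4096) = 0
close(3) = 0
exit_group(0) = ?
Process 15563 detached
'''

# Constructed trace of a hypothetical daemon whose config file is missing.
MISSING_CONF_TRACE = r'''
execve("/usr/local/bin/fakedaemon", ["fakedaemon"], [/* 12 vars */]) = 0
open("/etc/fakedaemon.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "fakedaemon: cannot open /etc/fakedaemon.conf\n", 45) = 45
exit_group(1) = ?
'''

if __name__ == '__main__':
    for label, trace in (('ossec-remoted -t', OSSEC_TRACE),
                         ('fakedaemon', MISSING_CONF_TRACE)):
        print('%-18s %s' % (label, diagnose(parse_strace(trace))))
```

To use it on a live daemon, capture with `strace -f -o remoted.trace /var/ossec/bin/ossec-remoted` (the -f follows the fork into daemon mode, which a plain strace loses at "detached") and feed the file's contents to parse_strace. The descriptor table is what makes the summary trustworthy: strace only prints numbers in read() and close(), so without mapping fd 3 back to the path opened most recently you cannot tell the 3589-byte config read from the 512-byte ELF header reads that share the same descriptor.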