Hi Daniel,
Here the information you are requesting:
Result of the strace:
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
read(4, "", 4096) = 0
select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
time(NULL) = 1196312447
read(4, "", 4096) = 0
close(4) = 0
munmap(0xb7f88000, 4096) = 0
open("/logs/alerts/2007/Nov/ossec-alerts-29.log", O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Also, here the ossec.conf file: (clean from private information)
Hope this help,
ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>[EMAIL PROTECTED]</email_to>
<smtp_server>dddd.servername.com.</smtp_server>
<email_from>[EMAIL PROTECTED]</email_from>
</global>
<email_alerts>
<email_to>[EMAIL PROTECTED]</email_to>
<rule_id>101702</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
<email_alerts>
<email_to>[EMAIL PROTECTED]</email_to>
<rule_id>101702</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours -->
<frequency>21600</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>X.X.X.X</white_list>
<white_list>X.X.X.X</white_list>
</global>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<remote>
<connection>syslog</connection>
<port>514</port>
<allowed-ips>X.X.X.X</allowed-ips>
<allowed-ips>X.X.X.X</allowed-ips>
</remote>
----- Original Message ----
From: Daniel Cid <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, November 26, 2007 9:05:51 PM
Subject: [ossec-list] Re: maild always stop running
Hi Pierre (and Aaron),
Thanks for the report. I never saw similar behavior on ossec-maild, so
I would need a bit more information
to understand what is going on. Can you show us your config? Are you
using the granular e-mail alerts?
If possible, can you stop ossec-maild and start it manually using:
# strace -f /var/ossec/bin/ossec-maild -d -d
-Or (gdb is preferred)
# gdb /var/ossec/bin/ossec-maild
(gdb) set follow-fork-mode child
(gdb) run -d -d --> (after it crashes, run bt)
(gdb) bt
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 26, 2007 10:40 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
>
> I'm actually seeing the same issue. Server is running on RedHat ES 5
> box. No errors in the logs, the mailer daemon simply stops running
> after 4 or 5 days....
>
> Aaron
>
>
> Pierre Boisvert wrote:
> > Hi,
> >
> > I would to have some help to be able to find out why the maild
process on my Ossec server is always stopping.
> >
> > I'm running ossec on fedora 7, with Ossec-WUI. Everything else is
working fine. I don't see any message in the ossec.log file regarding
this issue.
> >
> > Thanks in advance
> >
> > Timononk
> >
> >
> >
> >
> > Get a sneak peak at messages with a handy reading pane with
All new Yahoo! Mail: http://mail.yahoo.ca
> >
>
> --
> Aaron Bliss
> Systems Administrator
> SUNY Brockport
> (585) 395-2417
>
>
Looking for the perfect gift? Give the gift of Flickr!
http://www.flickr.com/gift/
