We have about 150 agents pointing to our ossec server. Something seems
to be killing ossec-remoted, possibly one of the agents. Nothing
suspicious in the ossec logs that I can see. However,
/var/log/messages | grep remoted shows:

Feb  4 13:51:05 ossec2 kernel: ossec-remoted[21608] general protection rip:2ae9b135f8b3 rsp:7ffff99eb378 error:0
Feb  4 13:57:34 ossec2 kernel: ossec-remoted[21803]: segfault at 00000000000002d0 rip 00002ab0ad0b38b3 rsp 00007ffffdc976f8 error 4

I have a stack trace, way too big to post here since it runs correctly
usually for 5-10 minutes at a time with at least 150 agents. Here are
the last few lines, with the IP removed.

21976 stat("/queue/ossec/.wait", 0x7fff3a949050) = -1 ENOENT (No such file or directory)
21976 sendto(5, "1:(linux-246) 10.x.x.x->ossec"..., 52, 0, NULL, 0) = 52
21976 recvfrom(4, ":\3703\265\313N\363\277\4>\211\3p|\332z\23X \36\27\177\277"..., 6144, 0, {sa_family=AF_INET, sin_port=htons(32784), sin_addr=inet_addr("10.x.x.x")}, [16]) = 73
21976 time(NULL)                        = 1202155456
21976 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
21977 <... recvfrom resumed> 0x407ff970, 1023, 0, 0x5405e0, 0x53f710) = ? ERESTARTSYS (To be restarted)
21978 <... futex resumed> )             = -1 EINTR (Interrupted system call)
21977 +++ killed by SIGSEGV +++
21978 +++ killed by SIGSEGV +++

