Some more info. I was looking through the /var/ossec/logs/ossec.log
this morning and noticed this chunk; this was around the same time I
received another segfault:
2008/02/06 09:08:56 ossec-remoted: socketerr (not available).
2008/02/06 09:08:56 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2008/02/06 09:08:56 ossec-logcollector: socketerr (not available).
2008/02/06 09:08:56 ossec-logcollector(1224): Error sending message to queue.
2008/02/06 09:08:59 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2008/02/06 09:08:59 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2008/02/06 09:08:59 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/02/06 09:08:59 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
What would cause this, or, what things can I possibly check to try and
troubleshoot?
Thank you,
George
On Feb 4, 2:20 pm, glantz <[EMAIL PROTECTED]> wrote:
> We have about 150 agents pointing to our ossec server. Something seems
> to be killing ossec-remoted, possibly one of the agents. Nothing
> suspicious in the ossec logs that I can see. However,
> /var/log/messages | grep remoted shows:
>
> Feb 4 13:51:05 ossec2 kernel: ossec-remoted[21608] general protection rip:2ae9b135f8b3 rsp:7ffff99eb378 error:0
> Feb 4 13:57:34 ossec2 kernel: ossec-remoted[21803]: segfault at 00000000000002d0 rip 00002ab0ad0b38b3 rsp 00007ffffdc976f8 error 4
>
> I have a stack trace, way too big to post here since it runs correctly
> usually for 5-10 minutes at a time with at least 150 agents. Here are
> the last few lines, with IP removed.
>
> 21976 stat("/queue/ossec/.wait", 0x7fff3a949050) = -1 ENOENT (No such file or directory)
> 21976 sendto(5, "1:(linux-246) 10.x.x.x->ossec"..., 52, 0, NULL, 0) = 52
> 21976 recvfrom(4, ":\3703\265\313N\363\277\4>\211\3p|\332z\23X \36\27\177\277"..., 6144, 0, {sa_family=AF_INET, sin_port=htons(32784), sin_addr=inet_addr("10.x.x.x")}, [16]) = 73
> 21976 time(NULL) = 1202155456
> 21976 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> 21977 <... recvfrom resumed> 0x407ff970, 1023, 0, 0x5405e0, 0x53f710) = ? ERESTARTSYS (To be restarted)
> 21978 <... futex resumed> ) = -1 EINTR (Interrupted system call)
> 21977 +++ killed by SIGSEGV +++
> 21978 +++ killed by SIGSEGV +++