Hi George,

First of all, thanks for the detailed explanation. This latter problem
(all the socketerr + error sending message to queue) is caused when
ossec-analysis is not running. Can you check in your logs for anything
from it? It creates all the queues to receive the events from the
other daemons...

As for remoted segfaulting, can you run it with gdb?


# gdb /var/ossec/bin/ossec-remoted
(gdb) set follow-fork-mode child
(gdb) run  --> (after it crashes/exits, run bt)
(gdb) bt


Btw, which OS + ossec version are you using?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Feb 6, 2008 1:54 PM, glantz <[EMAIL PROTECTED]> wrote:
>
> Some more info. I was looking through the /var/ossec/logs/ossec.log
> this morning and noticed this chunk; this was around the same time I
> received another segfault:
>
> 2008/02/06 09:08:56 ossec-remoted: socketerr (not available).
> 2008/02/06 09:08:56 ossec-remoted(1210): Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2008/02/06 09:08:56 ossec-logcollector: socketerr (not available).
> 2008/02/06 09:08:56 ossec-logcollector(1224): Error sending message to
> queue.
> 2008/02/06 09:08:59 ossec-remoted(1210): Queue '/queue/ossec/queue'
> not accessible: 'Connection refused'.
> 2008/02/06 09:08:59 ossec-remoted(1211): Unable to access queue: '/
> queue/ossec/queue'. Giving up..
> 2008/02/06 09:08:59 ossec-logcollector(1210): Queue '/var/ossec/queue/
> ossec/queue' not accessible: 'Connection refused'.
> 2008/02/06 09:08:59 ossec-logcollector(1211): Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
>
> What would cause this, or, what things can I possibly check to try and
> troubleshoot?
>
> Thank you,
> George
>
>
>
> On Feb 4, 2:20 pm, glantz <[EMAIL PROTECTED]> wrote:
> > We have about 150 agents pointing to our ossec server. Something seems
> > to be killing ossec-remoted, possibly one of the agents. Nothing
> > suspicious in the ossec logs that I can see. However, /var/log/
> > messages | grep remoted shows:
> >
> > Feb  4 13:51:05 ossec2 kernel: ossec-remoted[21608] general protection
> > rip:2ae9b135f8b3 rsp:7ffff99eb378 error:0
> > Feb  4 13:57:34 ossec2 kernel: ossec-remoted[21803]: segfault at
> > 00000000000002d0 rip 00002ab0ad0b38b3 rsp 00007ffffdc976f8 error 4
> >
> > I have a stack trace, way too big to post here since it runs correctly
> > usually for 5-10 minutes at a time with at least 150 agents. Here is
> > the last few lines, with IP removed.
> >
> > 21976 stat("/queue/ossec/.wait", 0x7fff3a949050) = -1 ENOENT (No such
> > file or directory)
> > 21976 sendto(5, "1:(linux-246) 10.x.x.x->ossec"..., 52, 0, NULL, 0) =
> > 52
> > 21976 recvfrom(4, ":\3703\265\313N\363\277\4>\211\3p|\332z\23X
> > \36\27\177\277"..., 6144, 0, {sa_family=AF_INET,
> > sin_port=htons(32784), sin_addr=inet_addr("10.x.x.x")}, [16]) = 73
> > 21976 time(NULL)                        = 1202155456
> > 21976 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> > 21977 <... recvfrom resumed> 0x407ff970, 1023, 0, 0x5405e0, 0x53f710)
> > = ? ERESTARTSYS (To be restarted)
> > 21978 <... futex resumed> )             = -1 EINTR (Interrupted system
> > call)
> > 21977 +++ killed by SIGSEGV +++
> > 21978 +++ killed by SIGSEGV +++
>
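
Added example, not part of the original thread and not OSSEC code: a small probe that tells a missing queue socket apart from a socket file that is still on disk with no daemon bound to it, which is the state that produces the 'Connection refused' lines quoted above. It assumes the queue is a UNIX datagram socket; `probe_queue` and its return strings are hypothetical names, and the default path is the one from the logcollector log lines.

```python
import errno
import os
import socket
import stat

# Path taken from the logcollector lines in the thread; remoted logs the
# same socket as '/queue/ossec/queue'.
DEFAULT_QUEUE = "/var/ossec/queue/ossec/queue"


def probe_queue(path=DEFAULT_QUEUE):
    """Classify a UNIX datagram queue socket (assumed socket type).

    Returns 'missing', 'not-a-socket', 'no-listener',
    'permission-denied' or 'listening'.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "permission-denied"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"

    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # connect() on a datagram socket sends nothing; it only checks
        # that some process currently has this path bound.
        s.connect(path)
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "no-listener"  # stale socket file, receiver is gone
        if e.errno in (errno.EACCES, errno.EPERM):
            return "permission-denied"
        if e.errno == errno.ENOENT:
            return "missing"  # removed between stat() and connect()
        raise
    finally:
        s.close()
    return "listening"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_QUEUE
    print(f"{target}: {probe_queue(target)}")
```

A result of 'no-listener' matches the situation described in the reply: the socket file exists but the daemon that should be receiving on it is not running.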
