I've been running OSSEC 1.5 on this FreeBSD 7.0 server for about 3
weeks, and in the past week the server has hit its maxproc limit
(6164) three times. Got a chance to investigate, and the cause is
ossec-syscheckd spawning thousands of defunct processes.

In about 4 hours after a reboot:

# ps aux | grep defunct | head -5
root 25973 0.0 0.0 0 0 ?? Z 7:59PM 0:00.01 <defunct>
root 25975 0.0 0.0 0 0 ?? Z 7:59PM 0:00.01 <defunct>
root 25977 0.0 0.0 0 0 ?? Z 7:59PM 0:00.01 <defunct>
root 25979 0.0 0.0 0 0 ?? Z 7:59PM 0:00.01 <defunct>
root 25981 0.0 0.0 0 0 ?? Z 7:59PM 0:00.01 <defunct>
# ps ax|grep defunct|wc -l
1280
# ps ax|wc -l
1493

1492 - 1280 = about what the server normally runs, and about what it
was running when it first booted up.

Finding it was ossec-syscheckd:

# ps ax|grep 28528
28528 ?? Z 0:00.01 <defunct>
# ps axo ppid -p 28528 | grep -v PPID
826
# ps ax|grep 826
826 ?? I 0:19.67 /var/ossec/bin/ossec-syscheckd

Stopping OSSEC made all the defunct processes disappear.

# /var/ossec/bin/ossec-control stop
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-agentd ..
Killing ossec-execd ..
OSSEC HIDS v1.5 Stopped
# ps ax|wc -l
197
# ps ax|grep defunct
26877 p1 R+ 0:00.00 grep defunct
#

Anything I can provide to help troubleshoot this?

Thanks,
Chris
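
The manual parent lookup in the post above, generalized into a check that counts zombie children per parent process. This is an added example, not part of the original post or of OSSEC; the function names, the optional threshold argument and the sample rows are constructed for illustration, and it assumes input in the column order of `ps -axo pid,ppid,stat,command`.

```shell
#!/bin/sh
# zombie_parents [MIN]: read "pid ppid stat command" rows on stdin and print
# "<zombie count> <parent pid> <parent command>" for every parent that has at
# least MIN (default 1) children in state Z, largest count first.
zombie_parents() {
    awk -v min="${1:-1}" '
        $1 == "PID" { next }                  # skip the ps header row
        {
            pid = $1; ppid = $2; stat = $3
            # The command is everything after the third column.
            cmd = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", cmd)
            name[pid] = cmd
            if (stat ~ /^Z/) zombies[ppid]++  # Z = exited, not yet reaped
        }
        END {
            for (p in zombies)
                if (zombies[p] >= min)
                    printf "%d %s %s\n", zombies[p], p, ((p in name) ? name[p] : "?")
        }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample input (not captured from the server in the post).
sample_ps() {
    cat <<'EOF'
  PID  PPID STAT COMMAND
    1     0 ILs  /sbin/init --
  826     1 I    /var/ossec/bin/ossec-syscheckd
  900     1 Is   /usr/sbin/cron -s
25973   826 Z    <defunct>
25975   826 Z    <defunct>
25977   826 Z    <defunct>
 1200   900 Z    <defunct>
EOF
}

# Demo on the constructed rows; on a live host use instead:
#   ps -axo pid,ppid,stat,command | zombie_parents 50
sample_ps | zombie_parents
```

Run periodically with a threshold, this flags a parent that is not reaping its children well before the process table reaches the maxproc limit.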