Hi, I had similar problems with Solaris 10 installation. The patched version so far works OK for me - no rapid explosion of zombies. Looks like trying to close already closed FD was the problem:
4226: vfork() = 8956
8956: vfork() (returning as child ...) = 4226
8956: lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
8956: close(8) = 0
8956: close(8) Err#9 EBADF
8956: _exit(127)

Rgds,
MS

[EMAIL PROTECTED] wrote:
> Hi all
>
> I am wondering where my last post is... Hm, trying again:
>
> I tried it on the same Solaris 8 machine:
>
> (machine:root) # date
> Mon May 26 09:59:34 MEST 2008
> (machine:root) # cd /var/ossec/bin
> (machine:root) # ./ossec-control start
> Starting OSSEC HIDS v1.5 (by Daniel B. Cid)...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
> (machine:root) # /usr/ucb/ps aux |grep ossec
> root 27466 1.1 0.3 2368 1200 ? S 09:59:57 0:00
> /var/ossec/bin/oss
> ossec 27458 1.0 0.4 2888 1952 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> root 27462 0.1 0.3 2168 1096 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> ossec 27470 0.1 0.2 2144 1008 ? S 09:59:57 0:00
> /var/ossec/bin/oss
> ossecm 27449 0.1 0.2 2160 1024 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> (machine:root) # /usr/ucb/ps aux |grep defunc
> ossecm 27512 0.0 0.0 0 0 Z 0:00
> <defunct>
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) # date
> Mon May 26 10:20:01 MEST 2008
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) #
>
> There was still a zombie for a moment. But it looks much better now.
> What was the problem?
> I'll keep an eye on it and inform you, if I notice some strange
> behavior.
>
> Thanks a lot!
>
> Matthias
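The pattern visible in the truss output above (a second close() on the same descriptor failing with EBADF in the child, followed by _exit(127)), reproduced as an added example; it is not OSSEC source and not the patch discussed in this thread. The names close_once and run_child are hypothetical, and fork() stands in for vfork() so the sketch stays portable.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close *fd at most once: mark it -1 afterwards so a repeat call is a no-op. */
static int close_once(int *fd) {
    if (*fd < 0) return 0;
    int rc = close(*fd);
    *fd = -1;
    return rc;
}

/* The child closes an inherited descriptor twice and treats any close()
 * failure as fatal, exiting 127 as in the trace. Returns the child's exit
 * status as seen by the parent, or -1 on setup failure. */
static int run_child(int guarded) {
    int fd = open("/dev/null", O_RDONLY);   /* stand-in for fd 8 in the trace */
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        int rc1, rc2;
        if (guarded) {
            rc1 = close_once(&fd);
            rc2 = close_once(&fd);           /* no syscall, returns 0 */
        } else {
            rc1 = close(fd);
            rc2 = close(fd);                 /* fails: errno == EBADF */
        }
        _exit((rc1 != 0 || rc2 != 0) ? 127 : 0);
    }
    close(fd);
    int status = 0;
    /* Reaping with waitpid() is what keeps the exited child from
     * lingering as <defunct> in ps output. */
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("unguarded double close: child exit %d\n", run_child(0));
    printf("guarded close_once:     child exit %d\n", run_child(1));
    return 0;
}
```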
