Hi,

I am glad it is working now. The defunct process that is showing up now (from ossecm) is normal and it will go away after the email is delivered (started by ossec-maild). The issue is that we were closing a popen call with fclose, instead of pclose. Strangely, it works on most systems except FreeBSD and Solaris, that's why we didn't notice (it should have failed everywhere).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, May 29, 2008 at 6:51 AM, <[EMAIL PROTECTED]> wrote:
>
> Hi all
>
> I am wondering where my last post is... Hm, trying again:
>
> I tried it on the same Solaris 8 machine:
>
> (machine:root) # date
> Mon May 26 09:59:34 MEST 2008
> (machine:root) # cd /var/ossec/bin
> (machine:root) # ./ossec-control start
> Starting OSSEC HIDS v1.5 (by Daniel B. Cid)...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
> (machine:root) # /usr/ucb/ps aux |grep ossec
> root 27466 1.1 0.3 2368 1200 ? S 09:59:57 0:00
> /var/ossec/bin/oss
> ossec 27458 1.0 0.4 2888 1952 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> root 27462 0.1 0.3 2168 1096 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> ossec 27470 0.1 0.2 2144 1008 ? S 09:59:57 0:00
> /var/ossec/bin/oss
> ossecm 27449 0.1 0.2 2160 1024 ? S 09:59:56 0:00
> /var/ossec/bin/oss
> (machine:root) # /usr/ucb/ps aux |grep defunc
> ossecm 27512 0.0 0.0 0 0 Z 0:00
> <defunct>
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) # date
> Mon May 26 10:20:01 MEST 2008
> (machine:root) # /usr/ucb/ps aux |grep defunc
> (machine:root) #
>
> There was still a zombie for a moment. But it looks much better now.
> What was the problem?
> I'll keep an eye on it and inform you, if I notice some strange
> behavior.
>
> Thanks a lot!
>
> Matthias
>
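
The popen/pclose pairing named in the reply above, as an added example that is not OSSEC's code and not part of the original thread. The helper names and the `cat > /dev/null` stand-in for a mail command are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper: pipe `body` into the shell command `cmd`.
 * Returns the command's exit code, or -1 on any failure. */
int pipe_to_command(const char *cmd, const char *body)
{
    FILE *fp = popen(cmd, "w");
    if (fp == NULL)
        return -1;

    int write_failed = (fputs(body, fp) == EOF);

    /* pclose() closes the pipe AND waits for the child process.
     * fclose(fp) is the wrong call for a popen() stream: it does not
     * wait for the child, so the exit status is lost and the finished
     * child is left for someone else to reap. */
    int status = pclose(fp);
    if (status == -1 || write_failed || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 when this process has no child left to reap, i.e. no
 * zombie can be attributed to it. */
int no_children_left(void)
{
    int status;
    pid_t r = waitpid(-1, &status, WNOHANG);
    return r == -1 && errno == ECHILD;
}

int main(void)
{
    /* Constructed input: a one-line alert body sent to a harmless command. */
    int rc = pipe_to_command("cat > /dev/null", "constructed alert body\n");
    printf("exit=%d all_reaped=%d\n", rc, no_children_left());
    return 0;
}
```

Checking the value returned by pclose() also surfaces a failing mail command, which a bare close would hide.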
