Also, if I use ./agent_control -R id to restart an agent, this shows up in the agent's ossec.log:
(note that despite the Active response error message, the agent does seem to restart)

2009/07/02 14:04:05 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2009/07/02 14:04:05 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2009/07/02 14:04:05 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-execd: INFO: Started (pid: 24126).
2009/07/02 14:04:05 ossec-agentd(1410): INFO: Reading authentication keys file.
2009/07/02 14:04:05 ossec-agentd: INFO: Assigning counter for agent w.x.y.z: '0:1153'.
2009/07/02 14:04:05 ossec-agentd: INFO: Assigning sender counter: 0:8912
2009/07/02 14:04:05 ossec-agentd: INFO: Started (pid: 24130).
2009/07/02 14:04:05 ossec-agentd: INFO: Server IP Address: a.b.c.d
2009/07/02 14:04:05 ossec-agentd: INFO: Trying to connect to server (a.b.c.d:1514).
2009/07/02 14:04:05 ossec-rootcheck: Rootcheck disabled. Exiting.
2009/07/02 14:04:05 ossec-syscheckd: WARN: Rootcheck module disabled.
2009/07/02 14:04:06 ossec-agentd(4102): INFO: Connected to the server (a.b.c.d:1514).
2009/07/02 14:04:09 ossec-syscheckd: INFO: Started (pid: 24138).
2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2009/07/02 14:04:11 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2009/07/02 14:04:11 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2009/07/02 14:04:11 ossec-logcollector: INFO: Started (pid: 24134).
On Jul 2, 1:40 pm, tm <[email protected]> wrote:
> The problem, at least in my case, is that I upgraded an OSSEC
> installation which had no <syscheck></syscheck> section in the
> ossec.conf file (we don't want to use syscheck). When I added a dummy
> entry (below), OSSEC started up without a segfault:
>
> <syscheck>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> </syscheck>
>
> Obviously a bug that needs to be fixed.
>
> TM
>
> On Jul 2, 12:46 pm, David Cottle <[email protected]> wrote:
>
> >
> > Yes agreed I am seeing heaps of segfaults only with 2.1 nothing else
> > been changed-
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: anonmap[15387]: segfault at b7fdd000 ip
> > b7fdd000 sp bfddfa8c error 15
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: execbss[15398]: segfault at 8049bec ip
> > 08049bec sp bfd8824c error 15 in execbss[8049000+1000]
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: execdata[15409]: segfault at 8049bd8 ip
> > 08049bd8 sp bfbe789c error 15 in execdata[8049000+1000]
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: execheap[15419]: segfault at 84cf098 ip
> > 084cf098 sp bfcc716c error 15
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: execstack[15431]: segfault at bfe8db58
> > ip bfe8db58 sp bfe8db4c error 15
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: shlibbss[15712]: segfault at 1135a0 ip
> > 001135a0 sp bfe8832c error 15 in shlibtest.so[112000+2000]
>
> > --END OF NOTIFICATION
>
> > OSSEC HIDS Notification.
> > 2009 Jul 02 23:01:02
>
> > Received From: server->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
>
> > Jul 2 23:01:02 server kernel: shlibdata[15723]: segfault at 112580
> > ip00112580 sp bfd571fc error 15 in shlibtest.so[112000+2000]
>
> > Sent from my iPhone
>
> > On 03/07/2009, at 5:00, tm <[email protected]> wrote:
>
> > > I just downloaded ossec-hids-2.1.tar.gz and did an update on my OSSEC
> > > 2.0 installation on a 32-bit SuSE host. It segfaults:
>
> > > lillooet:/var/ossec/bin # ./ossec-control start
> > > Starting OSSEC HIDS v2.1 (by Trend Micro Inc.)...
> > > 2009/07/02 11:50:12 ossec-syscheckd(1702): INFO: No directory provided
> > > for syscheck to monitor.
> > > ./ossec-control: line 197: 23391 Segmentation fault ${DIR}/bin/$
> > > {i} -t
> > > ossec-syscheckd: Configuration error. Exiting
>
> > > Next steps?
>
> > > TM
>
> > > On Jun 30, 8:34 pm, louie <[email protected]> wrote:
> > >> Hi:
>
> > >> Yeah, it works.
> > >> After re-download the newest ossec-hids-2.1.tar.gz, seems
> > >> fix my segfault problem
>
> > >> The two machine (one i386, one x86_64) ossec-syscheckd is
> > >> running fine over 15 minutes
>
> > >> Thanks, daniel.
>
> > >> $ ls -l ossec-hids-2.1.tar.gz
> > >> -rw-r--r-- 1 louie louie 711299 Jul 1 02:39 ossec-hids-2.1.tar.gz
>
> > >> DIRECTORY="/var/ossec"
> > >> VERSION="v2.1"
> > >> DATE="Wed Jul 1 11:17:38 CST 2009"
> > >> TYPE="agent"
>
> > >> --
> > >> Louie July 01, 2009 11:19:22
> > >> On Tue, Jun 30, 2009 at 12:48:06PM
> > >> -0600, Md Monk wrote:
> > >>> No segfault for me yet, and I've been running it for a bit over an
> > >>> hour.
>
> > >>> I am using the snapshot: ossec-hids-090630.tar.gz
>
> > >>> -Chuck (MdMonk)
>
> > >>> On Tue, Jun 30, 2009 at 11:59 AM, Koski, David <[email protected]>
> > >>> wrote:
>
> > >>>> I got a seg fault on the new one as well, I won't have a chance
> > >>>> for at
> > >>>> least a few hours to gdb it.
>
> > >>>> David
>
> > >>>> -----Original Message-----
> > >>>> From:
> > >>>> [email protected]<https://mail.google.com/mail?view=cm&tf=0&ui=1&to=ossec-l...@googlegr
> > >>>> ...>[mailto:
> > >>>> [email protected]<https://mail.google.com/mail?view=cm&tf=0&ui=1&to=ossec-l...@googlegr
> > >>>> ...>]
> > >>>> On Behalf Of louie
> > >>>> Sent: Tuesday, June 30, 2009 1:28 PM
> > >>>> To:
> > >>>> [email protected]<https://mail.google.com/mail?view=cm&tf=0&ui=1&to=ossec-l...@googlegr
> > >>>> ...>
> > >>>> Subject: [ossec-list] Re: OSSEC v2.1 released
>
> > >>>> Hi Daniel:
>
> > >>>> I re-download ossec-hids-2.1, but it segfault again
>
> > >>>> $ ls -ltr ossec-hids-2.1*
> > >>>> -rw-r--r-- 1 louie louie 711257 Jul 1 00:18 ossec-hids-2.1.tar.gz
>
> > >>>> cat /etc/ossec-init.conf
> > >>>> DIRECTORY="/var/ossec"
> > >>>> VERSION="v2.1"
> > >>>> DATE="Wed Jul 1 00:57:48 CST 2009"
> > >>>> TYPE="agent"
>
> > >>>> root 6547 1 0 00:57 ? 00:00:00 /var/ossec/bin/
> > >>>> ossec-execd
> > >>>> ossec 6551 1 0 00:57 ? 00:00:00 /var/ossec/bin/
> > >>>> ossec-agentd
> > >>>> root 6555 1 0 00:57 ? 00:00:00
> > >>>> /var/ossec/bin/ossec-logcollector
>
> > >>>> the ossec-syschecked is gone
>
> > >>>> /var/log/message
> > >>>> Jul 1 01:07:46 print kernel: [10258.274006] ossec-syscheckd[6559]:
> > >>>> segfault at 0 ip 40448d sp 7fff8f484ab0 error 4 in
> > >>>> ossec-syscheckd[400000+3b000]
>
> > >>>> and gdb's log the same with the ossec-hids-090630.tar.gz, where
> > >>>> am I doing
> > >>>> wrong?
>
> > >>>> # gdb /var/ossec/bin/ossec-syscheckd
> > >>>> Tue Jun 30 23:48:34 CST 2009
> > >>>> GNU gdb 6.8-debian
> > >>>> Copyright (C) 2008 Free Software Foundation, Inc.
> > >>>> License GPLv3+: GNU GPL version 3 or later <
> > >>>>http://gnu.org/licenses/gpl.html>
> > >>>> This is free software: you are free to change and redistribute it.
> > >>>> There is NO WARRANTY, to the extent permitted by law. Type "show
> > >>>> copying"
> > >>>> and "show warranty" for details.
> > >>>> This GDB was configured as "x86_64-linux-gnu"...
> > >>>> (gdb) set follow-fork-mode child
> > >>>> (gdb) run
> > >>>> Starting program: /var/ossec/bin/ossec-syscheckd Executing new
> > >>>> program:
> > >>>> /bin/bash (no debugging symbols found) (no debugging symbols found)
> > >>>> [tcsetpgrp failed in terminal_inferior: No such process] (no
> > >>>> debugging
> > >>>> symbols found) (no debugging symbols found) (no debugging symbols
> > >>>> found)
> > >>>> Executing new program: /bin/ps (no debugging symbols found) (no
> > >>>> debugging
> > >>>> symbols found) (no debugging symbols found) (no debugging symbols
> > >>>> found)
>
> > >>>> Program exited normally.
>
> > >>>> --
> > >>>> Louie July 01, 2009 01:10:11
>
> > >>>> On Tue, Jun 30, 2009 at 01:46:23PM -0300, Daniel Cid wrote:
>
> > >>>>> Hi Louie,
>
> > >>>>> The log you sent is good. Means it is working now. I updated 2.1
> > >>>>> with
> > >>>>> the fix. If you had problems, please download it again:
> > >>>>>http://www.ossec.net/main/downloads/
>
> > >>>>> Thanks,
>
> > >>>>> --
> > >>>>> Daniel B. Cid
> > >>>>> dcid ( at ) ossec.net
>
> > >>>>> On Tue, Jun 30, 2009 at 1:36 PM,
> > >>>>> louie<[email protected]<https://mail.google.com/mail?view=cm&tf=0&ui=1&[email protected]
>
> > >>>> wrote:
> > >>>>>> Sorry, forgot the whole logs
>
> > >>>>>> # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST 2009
> > >>>>>> GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation,
> > >>>>>> Inc.
> > >>>>>> License GPLv3+: GNU GPL version 3 or later
> > >>>>>> <http://gnu.org/licenses/gpl.html>
> > >>>>>> This is free software: you are free to change and redistribute
> > >>>>>> it.
> > >>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show
> > >>>> copying"
> > >>>>>> and "show warranty" for details.
> > >>>>>> This GDB was configured as "x86_64-linux-gnu"...
> > >>>>>> (gdb) set follow-fork-mode child
> > >>>>>> (gdb) run
> > >>>>>> Starting program: /var/ossec/bin/ossec-syscheckd Executing new
> > >>>>>> program: /bin/bash (no debugging symbols found) (no debugging
> > >>>>>> symbols found) [tcsetpgrp failed in terminal_inferior: No such
> > >>>>>> process] (no debugging symbols found) (no debugging symbols
> > >>>>>> found)
> > >>>>>> (no debugging symbols found) Executing new program: /bin/ps (no
> > >>>>>> debugging symbols found) (no debugging symbols found) (no
> > >>>>>> debugging
> > >>>>>> symbols found) (no debugging symbols found)
>
> > >>>>>> Program exited normally.
>
> > >>>>>> --
> > >>>>>> Louie July 01, 2009 00:35:47
>
> > >>>>>> On Wed, Jul 01, 2009 at 12:26:31AM +0800, louie wrote:
> > >>>>>>> Hi, Daniel:
>
> > >>>>>>> Thanks for quick fix, but it segfault again on both one i386 and
> > >>>>>>> one x86_64 machine
>
> > >>>>>>> cat /etc/ossec-init.conf
> > >>>>>>> DIRECTORY="/var/ossec"
> > >>>>>>> VERSION="2.0-SNP-090630"
> > >>>>>>> DATE="Tue Jun 30 23:29:49 CST 2009"
> > >>>>>>> TYPE="agent"
>
> > >>>>>>> # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST
> > >>>>>>> 2009
> > >>>>>>> GNU gdb 6.8-debian Copyright (C) 2008 Free Software
> > ...
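A small pre-flight check that turns TM's finding in the thread (ossec-syscheckd 2.1 segfaults when ossec.conf leaves syscheck with nothing to monitor) into something you can run before upgrading or restarting agents. This is an added example, not code from the OSSEC project; it assumes ossec.conf is made of one or more <ossec_config> blocks with an optional <syscheck>/<directories> element as shown above, and the three sample configurations are constructed here.

```python
"""Pre-flight check for the <syscheck> section of ossec.conf.

Added example, not OSSEC project code. Assumes ossec.conf consists of
<ossec_config> blocks with an optional <syscheck> element whose
<directories> entries are comma-separated, as in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the upgraded host from the thread, no <syscheck> at all.
CONF_NO_SYSCHECK = """<ossec_config>
  <client>
    <server-ip>a.b.c.d</server-ip>
  </client>
</ossec_config>
"""

# Constructed sample: TM's dummy entry that made 2.1 start without a segfault.
CONF_DUMMY = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: an empty section, which still leaves nothing to monitor.
CONF_EMPTY = """<ossec_config>
  <syscheck></syscheck>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML, so drop any XML declaration and wrap the file in a
    synthetic root before parsing."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + body + "</root>")


def syscheck_directories(text):
    """Directories syscheck would monitor, in configuration order."""
    dirs = []
    for sc in parse_ossec_conf(text).iter("syscheck"):
        for elem in sc.findall("directories"):
            dirs.extend(d.strip() for d in (elem.text or "").split(",") if d.strip())
    return dirs


def check_syscheck(text):
    """Return (ok, reason). ok is False in exactly the situation that crashed
    ossec-syscheckd 2.1 in the thread: no directory left to monitor."""
    # 'is None' matters: an empty Element is falsy, so a bare truth test
    # would misreport <syscheck></syscheck> as absent.
    if parse_ossec_conf(text).find(".//syscheck") is None:
        return False, "no <syscheck> section"
    dirs = syscheck_directories(text)
    if not dirs:
        return False, "<syscheck> present but no <directories> entry"
    return True, "syscheck monitors %d director%s" % (
        len(dirs), "y" if len(dirs) == 1 else "ies")


if __name__ == "__main__":
    samples = (("no syscheck", CONF_NO_SYSCHECK),
               ("dummy entry", CONF_DUMMY),
               ("empty section", CONF_EMPTY))
    for name, conf in samples:
        ok, reason = check_syscheck(conf)
        print("%-14s %s  %s" % (name, "OK " if ok else "BAD", reason))
```

Run it against a real file with `check_syscheck(open("/var/ossec/etc/ossec.conf").read())`; a BAD result on a 2.1 agent is the configuration the thread says will not survive `ossec-control start`, so add the directories (or the dummy entry quoted above) before restarting.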
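To confirm that an agent really came back after `./agent_control -R` (the point of the first post, where the Active response error looks alarming but every daemon restarts), this added example pairs each "SIGNAL Received" line in ossec.log with a later "Started (pid: ...)" from the same daemon and collects the warnings on the way. It is not OSSEC code; the sample is a subset of the log lines posted above, and the line layout (date, daemon name, optional "(id)", message) is assumed from them.

```python
"""Verify an OSSEC agent restart from its ossec.log.

Added example, not OSSEC code. SAMPLE_LOG is a subset of the lines posted
in the thread; the line format is assumed from those lines.
"""
import re

SAMPLE_LOG = """\
2009/07/02 14:04:05 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2009/07/02 14:04:05 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2009/07/02 14:04:05 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2009/07/02 14:04:05 ossec-execd: INFO: Started (pid: 24126).
2009/07/02 14:04:05 ossec-agentd: INFO: Started (pid: 24130).
2009/07/02 14:04:05 ossec-rootcheck: Rootcheck disabled. Exiting.
2009/07/02 14:04:05 ossec-syscheckd: WARN: Rootcheck module disabled.
2009/07/02 14:04:06 ossec-agentd(4102): INFO: Connected to the server (a.b.c.d:1514).
2009/07/02 14:04:09 ossec-syscheckd: INFO: Started (pid: 24138).
2009/07/02 14:04:11 ossec-logcollector: INFO: Started (pid: 24134).
"""

# date time, daemon name, optional "(id)", then the message.
LOG_LINE = re.compile(r"^(\S+ \S+) (ossec-[a-z]+)(?:\(\d+\))?: (.*)$")
STARTED = re.compile(r"Started \(pid: (\d+)\)")


def parse_ossec_log(text):
    """Yield (timestamp, daemon, message) for every line that fits the layout."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def restart_summary(text):
    """Summarise a restart: which daemons were signalled, which reported a new
    pid, which never came back, plus warnings and whether agentd reconnected."""
    stopped, started, warnings, connected = [], {}, [], False
    for _ts, daemon, msg in parse_ossec_log(text):
        if "SIGNAL Received" in msg:
            stopped.append(daemon)
        m = STARTED.search(msg)
        if m:
            started[daemon] = int(m.group(1))
        if msg.startswith("WARN:") or "Not using it on this system" in msg:
            warnings.append(daemon + ": " + msg)
        if "Connected to the server" in msg:
            connected = True
    missing = [d for d in stopped if d not in started]
    return {"stopped": stopped, "started": started, "missing": missing,
            "warnings": warnings, "connected": connected}


if __name__ == "__main__":
    s = restart_summary(SAMPLE_LOG)
    for daemon, pid in s["started"].items():
        print("restarted %-20s pid %d" % (daemon, pid))
    print("missing:", s["missing"] or "none")
    print("connected to server:", s["connected"])
    for w in s["warnings"]:
        print("warning:", w)
```

The "missing" list is what to watch: in the quoted log it is empty, which is why the restart is fine despite the restart-ossec.cmd message, whereas a daemon that receives the signal and never logs a new pid (the 2.1 syscheckd crash elsewhere in the thread) shows up there.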
