I will try to reply to all issues here in one email (inline):
> TM:
> lillooet:/var/ossec/bin # ./ossec-control start
> Starting OSSEC HIDS v2.1 (by Trend Micro Inc.)...
> 2009/07/02 11:50:12 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.

That's a different issue. A bug, but will only happen if you remove all directories from syscheck. We will fix it soon too. Btw, can you open a bug about it on our bugzilla: http://www.ossec.net/bugs ?

> David:
> anonmap[15387]: segfault at b7fdd000 ip b7fdd000 sp bfddfa8c error 15

These don't seem to be related to ossec, nor do any of the other specified segfaults...

> TM:
> 2009/07/02 14:04:05 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.

This is not an error, just an informational message to let you know that restart-ossec.cmd is not available on Linux... Nothing to worry about.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Jul 2, 2009 at 6:08 PM, tm<[email protected]> wrote:
>
> Also, if I use ./agent_control -R id to restart an agent, this shows up in the agent's ossec.log:
>
> (note that despite the Active response error message, the agent does seem to restart)
>
> 2009/07/02 14:04:05 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
> 2009/07/02 14:04:05 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2009/07/02 14:04:05 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2009/07/02 14:04:05 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2009/07/02 14:04:05 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2009/07/02 14:04:05 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2009/07/02 14:04:05 ossec-execd: INFO: Started (pid: 24126).
> 2009/07/02 14:04:05 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2009/07/02 14:04:05 ossec-agentd: INFO: Assigning counter for agent w.x.y.z: '0:1153'.
> 2009/07/02 14:04:05 ossec-agentd: INFO: Assigning sender counter: 0:8912
> 2009/07/02 14:04:05 ossec-agentd: INFO: Started (pid: 24130).
> 2009/07/02 14:04:05 ossec-agentd: INFO: Server IP Address: a.b.c.d
> 2009/07/02 14:04:05 ossec-agentd: INFO: Trying to connect to server (a.b.c.d:1514).
> 2009/07/02 14:04:05 ossec-rootcheck: Rootcheck disabled. Exiting.
> 2009/07/02 14:04:05 ossec-syscheckd: WARN: Rootcheck module disabled.
> 2009/07/02 14:04:06 ossec-agentd(4102): INFO: Connected to the server (a.b.c.d:1514).
> 2009/07/02 14:04:09 ossec-syscheckd: INFO: Started (pid: 24138).
> 2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2009/07/02 14:04:09 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2009/07/02 14:04:11 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2009/07/02 14:04:11 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
> 2009/07/02 14:04:11 ossec-logcollector: INFO: Started (pid: 24134).
>
> On Jul 2, 1:40 pm, tm <[email protected]> wrote:
>> The problem, at least in my case, is that I upgraded an OSSEC installation which had no <syscheck></syscheck> section in the ossec.conf file (we don't want to use syscheck). When I added a dummy entry (below), OSSEC started up without a segfault:
>>
>> <syscheck>
>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> </syscheck>
>>
>> Obviously a bug that needs to be fixed.
>>
>> TM
>>
>> On Jul 2, 12:46 pm, David Cottle <[email protected]> wrote:
>>
>> > Yes agreed I am seeing heaps of segfaults only with 2.1, nothing else has been changed.
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: anonmap[15387]: segfault at b7fdd000 ip b7fdd000 sp bfddfa8c error 15
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: execbss[15398]: segfault at 8049bec ip 08049bec sp bfd8824c error 15 in execbss[8049000+1000]
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: execdata[15409]: segfault at 8049bd8 ip 08049bd8 sp bfbe789c error 15 in execdata[8049000+1000]
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: execheap[15419]: segfault at 84cf098 ip 084cf098 sp bfcc716c error 15
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: execstack[15431]: segfault at bfe8db58 ip bfe8db58 sp bfe8db4c error 15
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: shlibbss[15712]: segfault at 1135a0 ip 001135a0 sp bfe8832c error 15 in shlibtest.so[112000+2000]
>>
>> > --END OF NOTIFICATION
>>
>> > OSSEC HIDS Notification.
>> > 2009 Jul 02 23:01:02
>>
>> > Received From: server->/var/log/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>>
>> > Jul 2 23:01:02 server kernel: shlibdata[15723]: segfault at 112580 ip 00112580 sp bfd571fc error 15 in shlibtest.so[112000+2000]
>>
>> > Sent from my iPhone
>>
>> > On 03/07/2009, at 5:00, tm <[email protected]> wrote:
>>
>> > > I just downloaded ossec-hids-2.1.tar.gz and did an update on my OSSEC 2.0 installation on a 32-bit SuSE host. It segfaults:
>>
>> > > lillooet:/var/ossec/bin # ./ossec-control start
>> > > Starting OSSEC HIDS v2.1 (by Trend Micro Inc.)...
>> > > 2009/07/02 11:50:12 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>> > > ./ossec-control: line 197: 23391 Segmentation fault ${DIR}/bin/${i} -t
>> > > ossec-syscheckd: Configuration error. Exiting
>>
>> > > Next steps?
>>
>> > > TM
>>
>> > > On Jun 30, 8:34 pm, louie <[email protected]> wrote:
>> > >> Hi:
>>
>> > >> Yeah, it works.
>>
>> > >> After re-downloading the newest ossec-hids-2.1.tar.gz, it seems to fix my segfault problem.
>>
>> > >> On the two machines (one i386, one x86_64) ossec-syscheckd has been running fine for over 15 minutes.
>>
>> > >> Thanks, daniel.
>>
>> > >> $ ls -l ossec-hids-2.1.tar.gz
>> > >> -rw-r--r-- 1 louie louie 711299 Jul 1 02:39 ossec-hids-2.1.tar.gz
>>
>> > >> DIRECTORY="/var/ossec"
>> > >> VERSION="v2.1"
>> > >> DATE="Wed Jul 1 11:17:38 CST 2009"
>> > >> TYPE="agent"
>>
>> > >> --
>> > >> Louie July 01, 2009 11:19:22
>> > >>
>> > >> On Tue, Jun 30, 2009 at 12:48:06PM -0600, Md Monk wrote:
>> > >>> No segfault for me yet, and I've been running it for a bit over an hour.
>>
>> > >>> I am using the snapshot: ossec-hids-090630.tar.gz
>>
>> > >>> -Chuck (MdMonk)
>>
>> > >>> On Tue, Jun 30, 2009 at 11:59 AM, Koski, David <[email protected]> wrote:
>>
>> > >>>> I got a seg fault on the new one as well, I won't have a chance for at least a few hours to gdb it.
>>
>> > >>>> David
>>
>> > >>>> -----Original Message-----
>> > >>>> From: [email protected] [mailto:[email protected]]
>> > >>>> On Behalf Of louie
>> > >>>> Sent: Tuesday, June 30, 2009 1:28 PM
>> > >>>> To: [email protected]
>> > >>>> Subject: [ossec-list] Re: OSSEC v2.1 released
>>
>> > >>>> Hi Daniel:
>>
>> > >>>> I re-downloaded ossec-hids-2.1, but it segfaults again
>>
>> > >>>> $ ls -ltr ossec-hids-2.1*
>> > >>>> -rw-r--r-- 1 louie louie 711257 Jul 1 00:18 ossec-hids-2.1.tar.gz
>>
>> > >>>> cat /etc/ossec-init.conf
>> > >>>> DIRECTORY="/var/ossec"
>> > >>>> VERSION="v2.1"
>> > >>>> DATE="Wed Jul 1 00:57:48 CST 2009"
>> > >>>> TYPE="agent"
>>
>> > >>>> root 6547 1 0 00:57 ? 00:00:00 /var/ossec/bin/ossec-execd
>> > >>>> ossec 6551 1 0 00:57 ? 00:00:00 /var/ossec/bin/ossec-agentd
>> > >>>> root 6555 1 0 00:57 ? 00:00:00 /var/ossec/bin/ossec-logcollector
>>
>> > >>>> the ossec-syscheckd is gone
>>
>> > >>>> /var/log/message
>> > >>>> Jul 1 01:07:46 print kernel: [10258.274006] ossec-syscheckd[6559]: segfault at 0 ip 40448d sp 7fff8f484ab0 error 4 in ossec-syscheckd[400000+3b000]
>>
>> > >>>> and gdb's log is the same as with ossec-hids-090630.tar.gz; what am I doing wrong?
>>
>> > >>>> # gdb /var/ossec/bin/ossec-syscheckd
>> > >>>> Tue Jun 30 23:48:34 CST 2009
>> > >>>> GNU gdb 6.8-debian
>> > >>>> Copyright (C) 2008 Free Software Foundation, Inc.
>> > >>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> > >>>> This is free software: you are free to change and redistribute it.
>> > >>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> > >>>> and "show warranty" for details.
>> > >>>> This GDB was configured as "x86_64-linux-gnu"...
>> > >>>> (gdb) set follow-fork-mode child
>> > >>>> (gdb) run
>> > >>>> Starting program: /var/ossec/bin/ossec-syscheckd
>> > >>>> Executing new program: /bin/bash
>> > >>>> (no debugging symbols found) (no debugging symbols found)
>> > >>>> [tcsetpgrp failed in terminal_inferior: No such process]
>> > >>>> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
>> > >>>> Executing new program: /bin/ps
>> > >>>> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
>>
>> > >>>> Program exited normally.
>>
>> > >>>> --
>> > >>>> Louie July 01, 2009 01:10:11
>>
>> > >>>> On Tue, Jun 30, 2009 at 01:46:23PM -0300, Daniel Cid wrote:
>>
>> > >>>>> Hi Louie,
>>
>> > >>>>> The log you sent is good. Means it is working now. I updated 2.1 with the fix. If you had problems, please download it again:
>> > >>>>> http://www.ossec.net/main/downloads/
>>
>> > >>>>> Thanks,
>>
>> > >>>>> --
>> > >>>>> Daniel B. Cid
>> > >>>>> dcid ( at ) ossec.net
>>
>> > >>>>> On Tue, Jun 30, 2009 at 1:36 PM, louie<[email protected]> wrote:
>> > >>>>>> Sorry, forgot the whole logs
>>
>> > >>>>>> # gdb /var/ossec/bin/ossec-syscheckd
>> > >>>>>> Tue Jun 30 23:48:34 CST 2009
>> > >>>>>> GNU gdb 6.8-debian
>> > >>>>>> Copyright (C) 2008 Free Software Foundation, Inc.
>> > >>>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> > >>>>>> This is free software: you are free to change and redistribute it.
>> > >>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> > >>>>>> and "show warranty" for details.
>> > >>>>>> This GDB was configured as "x86_64-linux-gnu"...
>> > >>>>>> (gdb) set follow-fork-mode child
>> > >>>>>> (gdb) run
>> > >>>>>> Starting program: /var/ossec/bin/ossec-syscheckd
>> > >>>>>> Executing new program: /bin/bash
>> > >>>>>> (no debugging symbols found) (no debugging symbols found)
>> > >>>>>> [tcsetpgrp failed in terminal_inferior: No such process]
>> > >>>>>> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
>> > >>>>>> Executing new program: /bin/ps
>> > >>>>>> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
>>
>> > >>>>>> Program exited normally.
>>
>> > >>>>>> --
>> > >>>>>> Louie July 01, 2009 00:35:47
>>
>> > >>>>>> On Wed, Jul 01, 2009 at 12:26:31AM +0800, louie wrote:
>> > >>>>>>> Hi, Daniel:
>>
>> > >>>>>>> Thanks for the quick fix, but it segfaults again on both one i386 and one x86_64 machine
>>
>> > >>>>>>> cat /etc/ossec-init.conf
>> > >>>>>>> DIRECTORY="/var/ossec"
>> > >>>>>>> VERSION="2.0-SNP-090630"
>> > >>>>>>> DATE="Tue Jun 30 23:29:49 CST 2009"
>> > >>>>>>> TYPE="agent"
>>
>> > >>>>>>> # gdb /var/ossec/bin/ossec-syscheckd
>> > >>>>>>> Tue Jun 30 23:48:34 CST 2009
>> > >>>>>>> GNU gdb 6.8-debian Copyright (C) 2008 Free Software
>>
>> ...
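As an added triage helper (not code from the thread or from OSSEC), the script below parses kernel segfault lines of the kind that fired rule 1002 above, decodes the x86 page-fault error code the kernel prints as "error N", and separates the ossec-syscheckd crash (a user-mode read from address 0, i.e. a NULL-pointer dereference) from the other processes' faults, which Daniel notes are unrelated to OSSEC. The three sample lines are copied from the thread; the verdict labels and the `ossec-` prefix check are my own heuristics.

```python
import re
from collections import Counter

# Kernel "segfault" lines as quoted in the thread; the trailing "in obj[base+size]" is optional.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip\s*(?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[\w.-]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
# x86 page-fault error-code bits; the kernel prints the code in decimal as "error N".
ERR_BITS = (
    (1, "protection violation", "page not present"),
    (2, "write", "read"),
    (4, "user mode", "kernel mode"),
    (8, "reserved bit set", None),
    (16, "instruction fetch", None),
)

def decode_error(err):
    """Expand the numeric error code into the fault reasons it encodes."""
    return [on if err & bit else off for bit, on, off in ERR_BITS if err & bit or off]

def triage(line):
    """Parse one syslog line; return None if it is not a kernel segfault record."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, err = int(m["addr"], 16), int(m["ip"], 16), int(m["err"])
    if addr < 0x1000:                # inside the never-mapped first page
        verdict = "null-pointer dereference"
    elif addr == ip:                 # the CPU tried to fetch code from the faulting page
        verdict = "execution attempt at fault address"
    else:
        verdict = "invalid data access"
    return {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
            "object": m["obj"], "flags": decode_error(err), "verdict": verdict,
            # heuristic: only the HIDS's own daemons matter for an OSSEC bug report
            "ossec_related": m["comm"].startswith("ossec-")}

def summarize(lines):
    """Collapse a burst of rule-1002 alerts into (process, verdict) counts."""
    return Counter((r["comm"], r["verdict"]) for r in map(triage, lines) if r)

# Constructed sample: three kernel lines copied from the alerts quoted in the thread.
SAMPLE = [
    "Jul 2 23:01:02 server kernel: anonmap[15387]: segfault at b7fdd000 ip b7fdd000 sp bfddfa8c error 15",
    "Jul 2 23:01:02 server kernel: execbss[15398]: segfault at 8049bec ip 08049bec sp bfd8824c error 15 in execbss[8049000+1000]",
    "Jul 1 01:07:46 print kernel: [10258.274006] ossec-syscheckd[6559]: segfault at 0 ip 40448d sp 7fff8f484ab0 error 4 in ossec-syscheckd[400000+3b000]",
]
```

Running `summarize(SAMPLE)` yields one row per process, with only the ossec-syscheckd entry marked as a NULL dereference.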
