The problem seems to be ossec-syscheckd from ossec 2.5, see /var/log/messages:

Sep 28 12:19:55 sles11-sp1-vm1-kus kernel: [ 1378.452601] ossec-syscheckd[6437]: segfault at fffffff0 ip 00007fcfeffa7672 sp 00007ffff112d8b8 error 4 in libc-2.11.1.so[7fcfeff29000+154000]

The OS is SLES 11 SP1 x86_64, OSSEC 2.4.1 was running fine on this system.

Regards,
Kai-Uwe

-----Original Message-----
From: Schurig, Kai-Uwe
Sent: Tuesday, 28 September 2010 11:45
To: [email protected]
Subject: Segmentation fault when running /var/ossec/bin/ossec-control start after update from ossec 2.4.1 to 2.5

Hi all,

I tried to update my ossec-server in my test environment from 2.4.1 to 2.5 and found the following issue:

At the end of the installation process I see the following message:

/var/ossec/bin/ossec-control: line 218: 5449 Segmentation fault ${DIR}/bin/${i} ${DEBUG_CLI}

The same message occurs if I manually try to stop and start the ossec-daemons:

sles11-sp1-vm1-kus:~/ossec/2.5/ossec-hids-2.5 # /var/ossec/bin/ossec-control stop
ossec-monitord not running ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
ossec-syscheckd not running ..
Killing ossec-analysisd ..
ossec-maild not running ..
ossec-execd not running ..
Killing ossec-dbd ..
OSSEC HIDS v2.5 Stopped
sles11-sp1-vm1-kus:~/ossec/2.5/ossec-hids-2.5 # /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.5 (by Trend Micro Inc.)...
2010/09/28 11:17:22 ossec-testrule: INFO: Reading local decoder file.
Started ossec-dbd...
2010/09/28 11:17:23 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2010/09/28 11:17:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec/bin/ossec-control: line 218: 5612 Segmentation fault ${DIR}/bin/${i} ${DEBUG_CLI}

The ossec.log looks ok:

2010/09/28 11:17:23 ossec-remoted: INFO: Started (pid: 5609).
2010/09/28 11:17:23 ossec-remoted: INFO: Started (pid: 5611).
2010/09/28 11:17:23 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2010/09/28 11:17:23 ossec-remoted(1410): INFO: Reading authentication keys file.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent SLES10SP3VM: '18:6820'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent W2008R2: '14:3236'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent RHEL4U8VM: '24:690'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent W2K3R2VM1: '6:9681'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent Solaris10U8VM: '30:1165'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent SCOTDC201: '11:5439'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning counter for agent VMWareESX35-MEI: '1:6500'.
2010/09/28 11:17:23 ossec-remoted: INFO: Assigning sender counter: 9:6099
2010/09/28 11:17:23 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2010/09/28 11:17:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2010/09/28 11:17:26 ossec-dbd: INFO: Started (pid: 5589).
2010/09/28 11:17:29 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/09/28 11:17:29 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2010/09/28 11:17:29 ossec-logcollector: INFO: Started (pid: 5605).

Except for the segfault message, everything seems to be running.

Any ideas or anybody with the same issue?

Thanks and regards,
Kai-Uwe
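Added example (not part of the original thread and not OSSEC code): a small Python parser for the kernel segfault line quoted in the reply above, decoding the x86 page-fault error code and the instruction pointer's offset into the mapped library. The function name and result keys are this example's own.

```python
import re

# Layout of the Linux kernel's user-space segfault report on x86.
# All numbers, including the error code, are printed in hex.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_segfault(line):
    """Return a dict describing the fault, or None if the line does not match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        # x86 page-fault error code bits: 0 = P, 1 = W/R, 2 = U/S, 4 = I/D
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        off = info["ip"] - base
        # Only report an offset when ip really lies inside the named mapping.
        if 0 <= off < size:
            info["offset"] = off
    return info

# The line quoted from /var/log/messages in the report above.
LINE = ("Sep 28 12:19:55 sles11-sp1-vm1-kus kernel: [ 1378.452601] "
        "ossec-syscheckd[6437]: segfault at fffffff0 ip 00007fcfeffa7672 "
        "sp 00007ffff112d8b8 error 4 in libc-2.11.1.so[7fcfeff29000+154000]")

if __name__ == "__main__":
    for key, value in parse_segfault(LINE).items():
        print(key, hex(value) if key in ("fault_addr", "ip", "offset") else value)
```

For this line the result is a user-mode read of an unmapped address (0xfffffff0) at offset 0x7e672 from the start of the libc-2.11.1.so mapping, which can be looked up in a disassembly of the same libc build.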
