I am running OSSEC on CentOS 5 (2.6.18-194.32.1.el5). I haven't had a problem with this daemon crashing since I restarted the OSSEC service yesterday morning - I am keeping my eyes open, though :)

FYI, I did make a code change in alert.c so that the format of the OSSEC syslog output would be the same for both clients and the OSSEC server - the syslog output for the OSSEC server currently shows only the relative hostname and no IP (because its default IP is 127.0.0.1) and I absolutely needed this format to show the FQDN and the external IP as well. Hence the code changes, which almost exclusively involve string manipulations (with string arrays of my own creation to store the FQDN and IP of the OSSEC server) while leaving all existing OSSEC data structures untouched and unchanged. That's the extent of the change. And I uploaded that code as a patch to the OSSEC developer list. I may be flattering myself, but I couldn't possibly blame my own code. Especially since you ran into the same problem.

On Jun 7, 12:44 pm, "Jefferson, Shawn" <[email protected]> wrote:
> I looked back through my logs and here is the alert:
>
> ossec-alerts-06.log:Jun 6 10:12:55 bcfossec kernel: [501421.634671] ossec-csyslogd[3014]: segfault at 0 ip b7775821 sp bfc4ffbc error 4 in libc-2.11.1.so[b7702000+153000]
>
> To the original poster: what OS are you running your OSSEC server on? I'm on
> Ubuntu 10.04.2 LTS. I wonder if the segfault was caused by some package
> being updated/upgraded?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Daniel Cid
> Sent: Monday, June 06, 2011 6:48 PM
> To: [email protected]
> Subject: Re: [ossec-list] Concern about the ossec-csyslogd daemon
>
> At least OSSEC is reporting it :) And yes, try to run it under gdb so
> we can see where it is crashing. Or try the latest snapshot
> to see if it works there.
>
> Thanks,
>
> On Mon, Jun 6, 2011 at 6:58 PM, dan (ddp) <[email protected]> wrote:
> > Please try running it under gdb:
> >
> > gdb ossec-csyslogd
> >
> > (gdb) set follow-fork-mode child
> > (gdb) run
> >
> > On Mon, Jun 6, 2011 at 5:50 PM, Jefferson, Shawn
> > <[email protected]> wrote:
> >> Hey, I had the same crash too!
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On
> >> Behalf Of blacklight
> >> Sent: Monday, June 06, 2011 2:36 PM
> >> To: ossec-list
> >> Subject: [ossec-list] Concern about the ossec-csyslogd daemon
> >>
> >> Hello Folks,
> >>
> >> I have a concern about the csyslogd daemon:
> >>
> >> 2011 Jun 04 13:51:03 Rule Id: 151601 level: 7
> >> Location: ossec-server->/var/log/messages
> >> Grouping of kernel error rules.
> >> Jun 4 13:51:02 ossec-server kernel: ossec-csyslogd[21507]: segfault at 0000000000000000 rip 0000003dd8479a30 rsp 00007fff23ba3a88 error 4
> >>
> >> The ossec-csyslogd daemon crashed over the weekend over a single
> >> segfault. I have no idea what caused this segfault. I am worried that
> >> this daemon is less than rock solid.
> >>
> >> Regards,
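The two kernel lines quoted in this thread say more than "it crashed": "error 4" is the x86 page-fault error code (bit 0 present/protection, bit 1 write, bit 2 user mode), and both faults are at address 0. The script below is an editorial example added to this page, not code from the thread or from OSSEC. It parses the two lines exactly as quoted (unwrapped onto one line each), plus one constructed line that is not from the thread and exists only to exercise the write branch, decodes the error-code bits, classifies the fault, and, where the kernel printed the "in object[base+size]" mapping, computes the instruction-pointer offset from the start of that mapping for use with objdump or addr2line on that exact libc build. The name SEGFAULT_RE and the PAGE_SIZE threshold are the example's own choices.

```python
import re

# Faults below this address are treated as NULL-pointer dereferences (first page is never mapped).
PAGE_SIZE = 4096

# Kernel "segfault at" message in both the 32-bit (ip/sp) and 64-bit (rip/rsp)
# spellings, with the optional "in object[base+size]" suffix newer kernels append.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-fA-F]+) "
    r"r?ip (?P<ip>[0-9a-fA-F]+) r?sp (?P<sp>[0-9a-fA-F]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-fA-F]+)\+(?P<size>[0-9a-fA-F]+)\])?"
)

# The two lines quoted in this thread, unwrapped onto one line each.
THREAD_LINES = [
    "Jun 6 10:12:55 bcfossec kernel: [501421.634671] ossec-csyslogd[3014]: "
    "segfault at 0 ip b7775821 sp bfc4ffbc error 4 in libc-2.11.1.so[b7702000+153000]",
    "Jun 4 13:51:02 ossec-server kernel: ossec-csyslogd[21507]: "
    "segfault at 0000000000000000 rip 0000003dd8479a30 rsp 00007fff23ba3a88 error 4",
]

# Constructed line (NOT from the thread) so the write/unmapped branch is exercised.
CONSTRUCTED_LINES = [
    "Jun 8 09:00:00 testbox kernel: example[4242]: segfault at 7f1a2b3c4d5e "
    "rip 400123 rsp 7fffdeadbeef error 6",
]


def decode_error(code):
    """Split the x86 page-fault error code into its flag bits.

    bit 0: 0 = page not present, 1 = protection violation on a present page
    bit 1: 0 = read access,      1 = write access
    bit 2: 0 = kernel mode,      1 = user mode
    bit 3: reserved-bit violation
    bit 4: instruction fetch
    """
    return {
        "present": bool(code & 1),
        "write": bool(code & 2),
        "user": bool(code & 4),
        "reserved": bool(code & 8),
        "instr_fetch": bool(code & 16),
    }


def classify(rec):
    """Turn the fault address and error bits into a short human-readable verdict."""
    bits = rec["error_bits"]
    if not bits["user"]:
        return "kernel-mode fault"
    if bits["instr_fetch"]:
        access = "execute"
    elif bits["write"]:
        access = "write"
    else:
        access = "read"
    if rec["addr"] < PAGE_SIZE:
        return "null-pointer %s" % access
    if bits["present"]:
        return "%s denied by page protection" % access
    return "%s of unmapped address" % access


def parse_segfault(line):
    """Return a dict describing the segfault in `line`, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"))
    rec = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "addr": int(m.group("addr"), 16),
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        "error": err,
        "error_bits": decode_error(err),
        "object": m.group("obj"),
        "offset": None,  # ip relative to the mapping start, when the kernel printed one
    }
    if m.group("obj"):
        base = int(m.group("base"), 16)
        size = int(m.group("size"), 16)
        if base <= rec["ip"] < base + size:
            rec["offset"] = rec["ip"] - base
    rec["kind"] = classify(rec)
    return rec


def summarize(lines):
    """Parse every line, keeping only those that are kernel segfault messages."""
    return [r for r in (parse_segfault(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in summarize(THREAD_LINES + CONSTRUCTED_LINES):
        if r["offset"] is not None:
            where = "%s+0x%x" % (r["object"], r["offset"])
        else:
            where = "no mapping printed by this kernel"
        print("%s[%d]: %s at 0x%x, ip 0x%x (%s)"
              % (r["comm"], r["pid"], r["kind"], r["addr"], r["ip"], where))
```

Run as-is to get one line per crash. Both thread lines decode to a user-mode read of the null page, i.e. a NULL pointer dereference on a read, the same fault class on Ubuntu 10.04 and CentOS 5; the first also yields libc-2.11.1.so+0x73821, which objdump can map to the libc routine that did the read, while the CentOS line carries no mapping, so for that box the gdb session suggested in the thread is the only way to see the frame.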
