Not long by max length standards.... 15 characters or so. Are there any other of those type of things I could check.... data corruption somewhere that I might need to look for that isnt obvious to me. I dont think it is with ossec-maild but something with the extra 60 or so agent keys I generated that might be causing some type of issue. The reason I ask is that used list_agents and saw a device name as being an agent but when I looked for it in a manage_agents listed of keys, it wasnt there. Some type of consistency check that can be run that looks for possible issues?
On Mar 27, 3:58 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > Kind of off the wall: Do you have very long agent names? > > > > On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie <luckief...@gmail.com> wrote: > > Our config is pretty standard with respect to the ossec.conf. The > > only non-standard thing we have is that we are usiing port 9025 for > > SMTP on the mail server we are using rather than 25. We have that > > changed in the sendmail.c file that is used when everything is > > compiled: > > > OSSEC.CONF > > > <global> > > <email_notification>yes</email_notification> > > <email_to>os...@xxxxxxxxxx.xxx</email_to> > > <smtp_server>dcprpafszenoss2.xxxxxxxxxx.xxx</smtp_server> > > <email_from>oss...@xxxxxxxxxx.xxx</email_from> > > <email_maxperhour>1000</email_maxperhour> > > </global> > > > SENDMAIL.C > > > /* Default values use to connect */ > > #define SMTP_DEFAULT_PORT 9025 > > #define HELOMSG "Helo notify.ossec.net\r\n" > > #define MAILFROM "Mail From: <%s>\r\n" > > #define RCPTTO "Rcpt To: <%s>\r\n" > > #define DATAMSG "DATA\r\n" > > #define FROM "From: OSSEC HIDS <%s>\r\n" > > #define TO "To: <%s>\r\n" > > #define CC "Cc: <%s>\r\n" > > #define SUBJECT "Subject: %s\r\n" > > #define ENDDATA "\r\n.\r\n" > > #define QUITMSG "QUIT\r\n" > > > It was working prior to the increase of the number of agents supported > > and the recompile. I ran a tcpdump on the manager and don't see the > > manager even attempting to try to connect to the SMTP host on port > > 9025, only using the agent/manager connection between the two boxes. > > > On Mar 27, 3:36 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > >> What's your mail configuration in the manager's ossec.conf? > > >> I wish ossec was compiled with -ggdb by default. It might make the gdb > >> information a bit easier to follow. > > >> On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie <luckief...@gmail.com> wrote: > >> > I increased the number of agents my installation was capable of > >> > supporting, reinstalled and then copied my saved ossec.conf file and > >> > internal_options.conf into the ossec/etc directory and restarted > >> > ossec. My ossec-maild daemon starts, runs for a few seconds and then > >> > dies. > > >> > I ran the following based on a previous email thread I saw and have > >> > attached the results. Please let me know if anyone has ideas on why > >> > it is happening: > > >> > [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild > >> > GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2) > >> > Copyright (C) 2009 Free Software Foundation, Inc. > >> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/ > >> > gpl.html> > >> > This is free software: you are free to change and redistribute it. > >> > There is NO WARRANTY, to the extent permitted by law. Type "show > >> > copying" > >> > and "show warranty" for details. > >> > This GDB was configured as "x86_64-redhat-linux-gnu". > >> > For bug reporting instructions, please see: > >> > <http://www.gnu.org/software/gdb/bugs/>... > >> > Reading symbols from /opt/ossec/bin/ossec-maild...done. > >> > (gdb) set follow-fork-mode child > >> > (gdb) run > >> > Starting program: /opt/ossec/bin/ossec-maild > >> > [New process 2615] > >> > [New process 2616] > > >> > Program received signal SIGSEGV, Segmentation fault. > >> > [Switching to process 2616] > >> > 0x000000387c879b60 in strlen () from /lib64/libc.so.6 > >> > (gdb) bt > >> > #0 0x000000387c879b60 in strlen () from /lib64/libc.so.6 > >> > #1 0x000000387c846cb9 in vfprintf () from /lib64/libc.so.6 > >> > #2 0x000000387c8699da in vsnprintf () from /lib64/libc.so.6 > >> > #3 0x000000387c84d5e3 in snprintf () from /lib64/libc.so.6 > >> > #4 0x0000000000402d66 in OS_RecvMailQ (fileq=0x635640, > >> > p=0x387cb56cc0, Mail=0x7fffffffe870, msg_sms=0x7fffffffe7e0) > >> > at os_maild_client.c:96 > >> > #5 0x0000000000402848 in OS_Run (mail=0x7fffffffe870) at maild.c:381 > >> > #6 0x00000000004023d0 in main (argc=1, argv=0x7fffffffe9f8) at > >> > maild.c:171 > >> > (gdb)- Hide quoted text - > > >> - Show quoted text -- Hide quoted text - > > - Show quoted text -