You can poke through client.keys file by hand. Finding odd entries may be easy, depending on what's wrong with them. I'd also take a look at the ossec user's limits. Some systems limit the numb er of open files and things.
Other than that, I've got no ideas. Adding logging messages in the code to see what it's choking on. On Tue, Mar 27, 2012 at 7:22 PM, MDACC-Luckie <luckief...@gmail.com> wrote: > Not long by max length standards.... 15 characters or so. Are there > any other of those type of things I could check.... data corruption > somewhere that I might need to look for that isnt obvious to me. I > dont think it is with ossec-maild but something with the extra 60 or > so agent keys I generated that might be causing some type of issue. > The reason I ask is that used list_agents and saw a device name as > being an agent but when I looked for it in a manage_agents listed of > keys, it wasnt there. Some type of consistency check that can be run > that looks for possible issues? > > On Mar 27, 3:58 pm, "dan (ddp)" <ddp...@gmail.com> wrote: >> Kind of off the wall: Do you have very long agent names? >> >> >> >> On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie <luckief...@gmail.com> wrote: >> > Our config is pretty standard with respect to the ossec.conf. The >> > only non-standard thing we have is that we are usiing port 9025 for >> > SMTP on the mail server we are using rather than 25. We have that >> > changed in the sendmail.c file that is used when everything is >> > compiled: >> >> > OSSEC.CONF >> >> > <global> >> > <email_notification>yes</email_notification> >> > <email_to>os...@xxxxxxxxxx.xxx</email_to> >> > <smtp_server>dcprpafszenoss2.xxxxxxxxxx.xxx</smtp_server> >> > <email_from>oss...@xxxxxxxxxx.xxx</email_from> >> > <email_maxperhour>1000</email_maxperhour> >> > </global> >> >> > SENDMAIL.C >> >> > /* Default values use to connect */ >> > #define SMTP_DEFAULT_PORT 9025 >> > #define HELOMSG "Helo notify.ossec.net\r\n" >> > #define MAILFROM "Mail From: <%s>\r\n" >> > #define RCPTTO "Rcpt To: <%s>\r\n" >> > #define DATAMSG "DATA\r\n" >> > #define FROM "From: OSSEC HIDS <%s>\r\n" >> > #define TO "To: <%s>\r\n" >> > #define CC "Cc: <%s>\r\n" >> > #define SUBJECT "Subject: %s\r\n" >> > #define ENDDATA "\r\n.\r\n" >> > #define QUITMSG "QUIT\r\n" >> >> > It was working prior to the increase of the number of agents supported >> > and the recompile. I ran a tcpdump on the manager and don't see the >> > manager even attempting to try to connect to the SMTP host on port >> > 9025, only using the agent/manager connection between the two boxes. >> >> > On Mar 27, 3:36 pm, "dan (ddp)" <ddp...@gmail.com> wrote: >> >> What's your mail configuration in the manager's ossec.conf? >> >> >> I wish ossec was compiled with -ggdb by default. It might make the gdb >> >> information a bit easier to follow. >> >> >> On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie <luckief...@gmail.com> >> >> wrote: >> >> > I increased the number of agents my installation was capable of >> >> > supporting, reinstalled and then copied my saved ossec.conf file and >> >> > internal_options.conf into the ossec/etc directory and restarted >> >> > ossec. My ossec-maild daemon starts, runs for a few seconds and then >> >> > dies. >> >> >> > I ran the following based on a previous email thread I saw and have >> >> > attached the results. Please let me know if anyone has ideas on why >> >> > it is happening: >> >> >> > [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild >> >> > GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2) >> >> > Copyright (C) 2009 Free Software Foundation, Inc. >> >> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/ >> >> > gpl.html> >> >> > This is free software: you are free to change and redistribute it. >> >> > There is NO WARRANTY, to the extent permitted by law. Type "show >> >> > copying" >> >> > and "show warranty" for details. >> >> > This GDB was configured as "x86_64-redhat-linux-gnu". >> >> > For bug reporting instructions, please see: >> >> > <http://www.gnu.org/software/gdb/bugs/>... >> >> > Reading symbols from /opt/ossec/bin/ossec-maild...done. >> >> > (gdb) set follow-fork-mode child >> >> > (gdb) run >> >> > Starting program: /opt/ossec/bin/ossec-maild >> >> > [New process 2615] >> >> > [New process 2616] >> >> >> > Program received signal SIGSEGV, Segmentation fault. >> >> > [Switching to process 2616] >> >> > 0x000000387c879b60 in strlen () from /lib64/libc.so.6 >> >> > (gdb) bt >> >> > #0 0x000000387c879b60 in strlen () from /lib64/libc.so.6 >> >> > #1 0x000000387c846cb9 in vfprintf () from /lib64/libc.so.6 >> >> > #2 0x000000387c8699da in vsnprintf () from /lib64/libc.so.6 >> >> > #3 0x000000387c84d5e3 in snprintf () from /lib64/libc.so.6 >> >> > #4 0x0000000000402d66 in OS_RecvMailQ (fileq=0x635640, >> >> > p=0x387cb56cc0, Mail=0x7fffffffe870, msg_sms=0x7fffffffe7e0) >> >> > at os_maild_client.c:96 >> >> > #5 0x0000000000402848 in OS_Run (mail=0x7fffffffe870) at maild.c:381 >> >> > #6 0x00000000004023d0 in main (argc=1, argv=0x7fffffffe9f8) at >> >> > maild.c:171 >> >> > (gdb)- Hide quoted text - >> >> >> - Show quoted text -- Hide quoted text - >> >> - Show quoted text -
