Hi,
I am trying to get OSSEC version 2.6 running on one of our Solaris 10
loghosts, but I am running into a problem where analysisd cores after about
a minute. It will actually report some e-mail alerts for a minute or so
before analysisd cores. Below is an MDeBug of the core file:
******************************************************************************
Application core Dump Analysis Output MDeBug Rev 1.0
Sun Aug 12 15:13:15 EDT 2012 Files:
/var/ossec/bin/ossec-analysisd core.ossec-analysisd.713
******************************************************************************
** Core file status **
------------------------
debugging core file of ossec-analysisd (32-bit) from ex
file: /var/ossec/bin/ossec-analysisd
initial argv: /var/ossec/bin/ossec-analysisd -d -d
threading model: multi-threaded
status: process terminated by SIGSEGV (Segmentation Fault)
** Thread stack($c) **
----------------------
libc.so.1`strlen+0xc(8095e28, 8046478, 80bbc10, 0)
libc.so.1`fprintf+0x99(80bbc10, 8095e08, 7dc, 81b31f2, c, 81b31e8)
FW_Log+0x38e(81b3178, 81b3178, 8046500, 805763c)
OS_ReadMSG+0x5d0(4, 808d48b, 2c9, 808d46b)
main+0x98a(3, 8047db0, 8047dc0)
_start+0x80(3, 8047e74, 8047e93, 8047e96, 0, 8047e99)
** Shared objects **
----------------------
BASE LIMIT SIZE NAME
8050000 80a8000 58000 /var/ossec/bin/ossec-analysisd
fef90000 fef9b000 b000 /lib/libsocket.so.1
feef0000 fef71000 81000 /lib/libnsl.so.1
feea0000 feed6000 36000 /lib/libresolv.so.2
fed70000 fee7e000 10e000 /lib/libc.so.1
fefc3000 fefeb000 28000 /lib/ld.so.1
Thread stack for MT app
------------------------
stack pointer for thread 1: 8046440
[ 08046440 libc.so.1`strlen+0xc() ]
08046468 libc.so.1`fprintf+0x99()
080464c8 FW_Log+0x38e()
08047d28 OS_ReadMSG+0x5d0()
08047d8c main+0x98a()
08047da4 _start+0x80()
Then a disassembly of FW_Log. Let me know if you need me to dig deeper
here...
bash-3.00# mdb /var/ossec/bin/ossec-analysisd core.ossec-analysisd.713
Loading modules: [ libc.so.1 ld.so.1 ]
> ::stack
libc.so.1`strlen+0xc(8095e28, 8046478, 80bbc10, 0)
libc.so.1`fprintf+0x99(80bbc10, 8095e08, 7dc, 81b31f2, c, 81b31e8)
FW_Log+0x38e(81b3178, 81b3178, 8046500, 805763c)
OS_ReadMSG+0x5d0(4, 808d48b, 2c9, 808d46b)
main+0x98a(3, 8047db0, 8047dc0)
_start+0x80(3, 8047e74, 8047e93, 8047e96, 0, 8047e99)
> FW_Log+0x38e::dis
FW_Log+0x36b: movl 0x8(%ebp),%eax
FW_Log+0x36e: pushl 0x68(%eax)
FW_Log+0x371: movl 0x8(%ebp),%eax
FW_Log+0x374: addl $0x7a,%eax
FW_Log+0x377: pushl %eax
FW_Log+0x378: movl 0x8(%ebp),%eax
FW_Log+0x37b: pushl 0x6c(%eax)
FW_Log+0x37e: pushl $0x8095e08
FW_Log+0x383: pushl 0x80c068c
FW_Log+0x389: call -0x20f6c <PLT=libc.so.1`fprintf>
FW_Log+0x38e: addl $0x40,%esp
FW_Log+0x391: subl $0xc,%esp
FW_Log+0x394: pushl 0x80c068c
FW_Log+0x39a: call -0x20e5d <PLT=libc.so.1`fflush>
FW_Log+0x39f: addl $0x10,%esp
FW_Log+0x3a2: movl $0x1,-0x8(%ebp)
FW_Log+0x3a9: movl -0x8(%ebp),%eax
FW_Log+0x3ac: movl -0x4(%ebp),%ebx
FW_Log+0x3af: leave
FW_Log+0x3b0: ret
mknod: pushl %ebp
> ::quit
--JIM
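The stack above shows the fault inside strlen, reached from fprintf, which was called by FW_Log with several string fields pushed straight onto the argument list. A common cause of exactly that shape is a %s conversion receiving a null pointer: glibc prints "(null)" as an extension, but Solaris libc dereferences the pointer inside strlen and the process dies with SIGSEGV. Whether that is what happened here is not established by the post, so treat it as one hypothesis to check, not a diagnosis. The example below is added for illustration and is not OSSEC code: the `fw_event` structure, its field names and the two formatter functions are all constructed for this example. It shows the defensive pattern, validating or substituting every string before it reaches a printf-family call, and writes into a caller-supplied buffer so the result can be inspected.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical event record, loosely modelled on a firewall log entry.
 * Constructed for this example; it is not OSSEC's own structure. */
struct fw_event {
    const char *srcip;
    const char *dstip;
    const char *protocol;
    const char *action;
};

/* Return the 0-based index of the first null string field, or -1 if all
 * fields are present. Useful when triaging a core: it tells you which
 * field would have been handed to %s as a null pointer. */
int first_null_field(const struct fw_event *ev) {
    if (!ev) return 0;
    const char *fields[] = { ev->srcip, ev->dstip, ev->protocol, ev->action };
    for (int i = 0; i < 4; i++)
        if (fields[i] == NULL) return i;
    return -1;
}

/* Strict formatter: refuses to format an event with any missing field.
 * Returns the number of bytes written, or -1 on a missing field or a
 * buffer that is too small. No null pointer ever reaches snprintf. */
int format_fw_log_checked(const struct fw_event *ev, char *out, size_t outlen) {
    if (first_null_field(ev) != -1)
        return -1;
    int n = snprintf(out, outlen, "%s -> %s proto=%s action=%s",
                     ev->srcip, ev->dstip, ev->protocol, ev->action);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Substitute a visible marker for a missing string so the %s conversion
 * is always given a valid pointer. */
static const char *str_or(const char *s, const char *fallback) {
    return s ? s : fallback;
}

/* Lenient formatter: logs what it has and marks missing fields with "-",
 * which is usually preferable to dropping the event or crashing the
 * analysis daemon on a partially parsed line. */
int format_fw_log_lenient(const struct fw_event *ev, char *out, size_t outlen) {
    if (!ev)
        return -1;
    int n = snprintf(out, outlen, "%s -> %s proto=%s action=%s",
                     str_or(ev->srcip, "-"), str_or(ev->dstip, "-"),
                     str_or(ev->protocol, "-"), str_or(ev->action, "-"));
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    /* Constructed sample events: one complete, one with dstip missing. */
    struct fw_event ok  = { "10.0.0.1", "10.0.0.2", "TCP", "DROP" };
    struct fw_event bad = { "10.0.0.1", NULL,       "TCP", "DROP" };
    char buf[128];

    if (format_fw_log_checked(&ok, buf, sizeof buf) > 0)
        printf("checked: %s\n", buf);
    if (format_fw_log_checked(&bad, buf, sizeof buf) < 0)
        printf("checked: refused, null field index %d\n", first_null_field(&bad));
    if (format_fw_log_lenient(&bad, buf, sizeof buf) > 0)
        printf("lenient: %s\n", buf);
    return 0;
}
```

The strict variant is the one to reach for when a missing field means the parser upstream is broken and the event should be rejected; the lenient variant keeps a long-running daemon alive while still making the gap visible in the output. Either way, the point is that the check happens before the variadic call, since nothing inside fprintf can recover once it has been handed a null pointer for %s.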