On Wed, Aug 22, 2012 at 11:18 AM, Shaka Lewis <[email protected]> wrote:
> Not sure what you mean, I have run all the debug commands you requested.
>

I'm sorry, gmail isn't showing the gdb info. Or the answer to ">>>>>>>>> Did you make any changes before restarting? What log messages are >>>>>>>>> there before the first socketerr?" How many times did I ask which processes were running? You said you migrated to new hardware, but didn't give any information as to how that was done. I don't mind helping, but I don't like to be forced into digging the information out of you. I also hate repeating myself.

> On Wed, Aug 22, 2012 at 10:33 AM, dan (ddp) <[email protected]> wrote:
>> Since you don't seem too interested in fixing this, good luck.
>>
>> On Wed, Aug 22, 2012 at 10:19 AM, Shaka Lewis <[email protected]> wrote:
>>> here is all I have from the latest debug:
>>>
>>> 2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Going into check_rc_dev
>>> 2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Starting on check_rc_dev
>>> 2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Going into check_rc_sys
>>> 2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Starting on check_rc_sys
>>> 2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Going into check_rc_pids
>>> 2012/08/21 18:16:40 ossec-rootcheck: DEBUG: Going into check_rc_ports
>>> 2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Going into check_open_ports
>>> 2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Going into check_rc_if
>>> 2012/08/21 18:16:41 ossec-rootcheck: DEBUG: Completed with all checks.
>>> 2012/08/21 18:16:46 ossec-rootcheck: INFO: Ending rootcheck scan.
>>> 2012/08/21 18:16:46 ossec-rootcheck: DEBUG: Leaving run_rk_check
>>> 2012/08/21 19:22:09 ossec-logcollector: socketerr (not available).
>>> 2012/08/21 19:22:09 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>> 2012/08/21 19:22:12 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/08/21 19:22:12 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> 2012/08/21 19:31:30 ossec-monitord: socketerr (not available).
>>>
>>> On Wed, Aug 22, 2012 at 7:45 AM, dan (ddp) <[email protected]> wrote:
>>>> On Tue, Aug 21, 2012 at 2:13 PM, Shaka Lewis <[email protected]> wrote:
>>>>> The ossec processes running at this point are execd, logcollector, and monitord.
>>>>>
>>>>> AnalysisD crashed and here is the output:
>>>>>
>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>> [Switching to process 26814]
>>>>> 0x0000000000000000 in ?? ()
>>>>> Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.12.x86_64
>>>>> (This version of glibc is already installed on the system)
>>>>>
>>>>
>>>> You couldn't get a backtrace or anything on this?
>>>>
>>>>> This is a server install and stopped working after migrating to new hardware.
>>>>>
>>>>
>>>> Have you tried reinstalling/upgrading?
>>>>
>>>>> On Tue, Aug 21, 2012 at 12:19 PM, dan (ddp) <[email protected]> wrote:
>>>>>> On Tue, Aug 21, 2012 at 11:19 AM, Shaka Lewis <[email protected]> wrote:
>>>>>>> I ran the debug and here is the output
>>>>>>>
>>>>>>> 2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>>>> 2012/08/20 18:56:28 ossec-logcollector: socketerr (not available).
>>>>>>> 2012/08/20 18:56:28 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>>> 2012/08/20 18:56:29 ossec-logcollector: socketerr (not available).
>>>>>>> 2012/08/20 18:56:29 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>>> 2012/08/20 18:56:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>> 2012/08/20 18:56:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>> 2012/08/20 18:56:32 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>> 2012/08/20 18:56:32 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>> 2012/08/20 18:57:18 ossec-monitord: socketerr (not available).
>>>>>>> 2012/08/20 18:57:18 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
>>>>>>> 2012/08/20 19:19:19 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>> 2012/08/20 19:19:19 ossec-monitord: socketerr (not available).
>>>>>>>
>>>>>>
>>>>>> And what OSSEC processes are running at this point?
>>>>>> Did you run analysisd in gdb? Did it crash? Is there a backtrace?
>>>>>>
>>>>>> I'll throw in some more questions, because I need some more to not be answered. Is this a server or a standalone installation? Has it ever worked? Did you change anything?
>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 20, 2012 at 9:40 AM, dan (ddp) <[email protected]> wrote:
>>>>>>>> On Mon, Aug 20, 2012 at 9:38 AM, Shaka Lewis <[email protected]> wrote:
>>>>>>>>> This is the error log in the ossec.log file when I restarted this morning
>>>>>>>>>
>>>>>>>>> ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'.
>>>>>>>>> 2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
>>>>>>>>> 2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
>>>>>>>>> 2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>>>>> 2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>>> 2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>>> 2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>>>>>>>> 2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
>>>>>>>>> 2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>>>>>>>>> 2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>>> 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This was in /var/log/messages
>>>>>>>>>
>>>>>>>>> kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 00007fffe5ada2b8 error 14 in ossec-analysisd[400000+62000]
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try running ossec-analysisd in gdb to see if you can get more information from the crash.
>>>>>>>>
>>>>>>>> gdb ossec-analysisd
>>>>>>>> set follow-fork-mode child
>>>>>>>> run -d
>>>>>>>> CRASH
>>>>>>>> bt
>>>>>>>>
>>>>>>>> For a start
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <[email protected]> wrote:
>>>>>>>>>> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <[email protected]> wrote:
>>>>>>>>>>> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine
>>>>>>>>>>>
>>>>>>>>>>> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available).
>>>>>>>>>>> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending message to queue.
>>>>>>>>>>> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>>>>> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>>>>> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available).
>>>>>>>>>>> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending message to queue.
>>>>>>>>>>> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>>>>>>>>> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>>>>>>>> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available).
>>>>>>>>>>> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>>>>> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available).
>>>>>>>>>>> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>>>>>>>> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to queue.
>>>>>>>>>>> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
>>>>>>>>>>
>>>>>>>>>> These types of errors usually mean something was changed incorrectly.
>>>>>>>>>> Did you make any changes before restarting? What log messages are there before the first socketerr? What OSSEC processes are running when this happens?
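The thread keeps circling the same two questions: which daemons report the queue errors, and which OSSEC processes are actually running. The helper below is an added example, not code from the thread or from the OSSEC project. It parses ossec.log records of the shape quoted above, collects the queue-reachability errors (the `socketerr` lines and message ids 1224, 1210 and 1211) per daemon, and combines that with a separately gathered process list. The sample records are copied from the Aug 21 message in the thread; the process list is the one Shaka reported (execd, logcollector, monitord). The assumption that `ossec-analysisd` is the daemon serving the shared queue socket is carried in the `queue_owner` parameter and labelled as such in the code.

```python
"""Triage helper for the OSSEC 'socketerr' / 'Queue ... not accessible' pattern."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One ossec.log record: "YYYY/MM/DD HH:MM:SS daemon(code): message"; the (code) part is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
# Message ids seen in the thread when a client daemon cannot reach the queue.
QUEUE_ERROR_CODES = {"1224", "1210", "1211"}
# Absolute queue path quoted inside the 1210/1211 messages.
QUEUE_PATH_RE = re.compile(r"'(/[^']+/queue)'")


@dataclass
class DaemonStatus:
    first_error: Optional[str] = None
    last_error: Optional[str] = None
    gave_up: bool = False                       # 1211: the daemon stopped retrying
    queue_paths: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Return (timestamp, daemon, code, message) or None for non-record lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("daemon"), m.group("code"), m.group("msg")


def scan_queue_errors(lines: Iterable[str]) -> Dict[str, DaemonStatus]:
    """Collect, per daemon, the queue-reachability errors found in ossec.log lines."""
    status: Dict[str, DaemonStatus] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, daemon, code, msg = rec
        if not (code in QUEUE_ERROR_CODES or msg.startswith("socketerr")):
            continue                            # INFO/DEBUG chatter is ignored
        st = status.setdefault(daemon, DaemonStatus())
        st.first_error = st.first_error or ts
        st.last_error = ts
        if code == "1211":
            st.gave_up = True
        st.queue_paths.update(QUEUE_PATH_RE.findall(msg))
    return status


def diagnose(status: Dict[str, DaemonStatus], running: Set[str],
             queue_owner: str = "ossec-analysisd") -> List[str]:
    """Turn the per-daemon picture into findings an operator can act on.

    `running` is the set of OSSEC process names alive at the time (gathered
    separately, e.g. from ps). `queue_owner` is the daemon this helper ASSUMES
    serves the shared queue socket; it is a parameter, not something read from OSSEC.
    """
    if not status:
        return ["no queue errors found"]
    reporters = sorted(status)
    paths = set().union(*(s.queue_paths for s in status.values()))
    findings = [f"{len(reporters)} daemon(s) cannot reach "
                f"{', '.join(sorted(paths)) or 'the queue'}: {', '.join(reporters)}"]
    for d in reporters:
        if status[d].gave_up:
            findings.append(f"{d} gave up (1211) at {status[d].last_error}; it must be restarted")
    if queue_owner not in running:
        findings.append(f"{queue_owner} is not running; it serves the queue, so look at its "
                        "crash (segfault in /var/log/messages, gdb backtrace) first")
    elif queue_owner in status:
        findings.append(f"{queue_owner} is up but also reports queue errors; "
                        "check the socket path and permissions")
    return findings


# Sample records copied from the Aug 21 message in the thread; the clean
# rootcheck line is included to show that it is ignored.
SAMPLE_LOG = """\
2012/08/21 18:16:46 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/08/21 19:22:09 ossec-logcollector: socketerr (not available).
2012/08/21 19:22:09 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/21 19:22:12 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/21 19:22:12 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/21 19:31:30 ossec-monitord: socketerr (not available).
""".splitlines()

# Process list as reported in the thread (execd, logcollector, monitord alive,
# analysisd absent); the "ossec-" prefix matches the daemon names in the log.
RUNNING = {"ossec-execd", "ossec-logcollector", "ossec-monitord"}

if __name__ == "__main__":
    for finding in diagnose(scan_queue_errors(SAMPLE_LOG), RUNNING):
        print("-", finding)
```

Run it against a real ossec.log by feeding the file's lines to `scan_queue_errors` and the names from `ps` to `diagnose`; the point of the two-step design is that the log alone never says which daemon owns the socket, so the process list has to be captured at the same moment the errors appear, which is exactly what the thread asks for.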
