On Thu, Oct 18, 2012 at 5:07 PM, Christopher Decker
<[email protected]> wrote:
> No.  SELinux is turned off.
>
> Sent from my iPhone
>

Please provide the auditd logs (I should have asked for that in the
first email). Are there any special mount options on the partition
your OSSEC installation exists on? What kind of install did you do?
Did you just use the install.sh script?

> On Oct 18, 2012, at 8:50 AM, "dan (ddp)" <[email protected]> wrote:
>
>> On Wed, Oct 17, 2012 at 8:09 PM, Christopher Decker
>> <[email protected]> wrote:
>>> All,
>>>
>>> I've been running OSSEC 2.6 in my production environment for about a year
>>> now.  I recently had to re-install my OSSEC Manager (due to a recap of
>>> hardware).  Immediately after the installation I noticed that auditd was
>>> spewing logs because the monitord process was unsuccessfully attempting to
>>> open /logs/ossec.log.
>>>
>>> Eventually auditd begins consuming large amounts of CPU time, and then
>>> monitord spins up thread after thread to try and keep up; eventually
>>> monitord creates 1000+ threads and the server freaks out.
>>>
>>> Does anyone have any ideas on what the cause could be?  I've never
>>> experienced this with OSSEC and I use it heavily.  At this point I'm
>>> assuming it is something simple, as I've spent a considerable amount of time
>>> troubleshooting :)
>>>
>>> Notes:
>>>
>>> My ossec.conf is heavily customized but obviously I do not have a
>>> <localfile> entry for /var/ossec/logs/ossec.log.
>>> I confirmed the permissions on /var/ossec/logs match those of an OSSEC
>>> installation not exhibiting this behavior.  The same is true for the
>>> ossec.log file itself.
>>> OSSEC is able to write to /var/ossec/logs/ossec.log upon start-up, though
>>> I'm guessing the process there is not monitord
>>> I know OSSEC is chrooted, but for the hell of it I created a symlink from
>>> /logs/ossec.log-->/var/ossec/logs/ossec.log.  This was unhelpful.
>>> The server acting as the OSSEC Manager is beefy.
>>>
>>> Thanks,
>>> Chris
>>
>> Is SELinux blocking it?
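The thread turns on a path-mapping point: a chrooted daemon that reports failing to open /logs/ossec.log is really trying to open /var/ossec/logs/ossec.log on the host, so that is the file whose ownership, permissions and mount options need checking. The helper below is an added example, not code from the thread or from the OSSEC project. It maps a chroot-relative path to the host path, tests whether the target is writable, and (when given the chroot directory as an argument) prints the context dan asks for: directory listing, mount options via findmnt, SELinux mode via getenforce, and recent audit records via ausearch. It assumes the stock install directory /var/ossec and that the daemon's process name is ossec-monitord; adjust both if your install differs.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the OSSEC project. It maps the path
# a chrooted daemon sees (e.g. /logs/ossec.log) to the host path
# (/var/ossec/logs/ossec.log) and checks the points raised in the thread:
# directory and file permissions, mount options, SELinux mode and audit
# records for the daemon. OSSEC_ROOT is assumed to be the stock install dir.

OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"

# host_path CHROOT PATH_INSIDE -> the same file as seen outside the chroot
host_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# check_log_target CHROOT PATH_INSIDE
# Returns 0 when the parent directory exists and the file (or, if it does
# not exist yet, the directory it would be created in) is writable by the
# calling user; otherwise prints the reason to stderr and returns 1.
check_log_target() {
    p=$(host_path "$1" "$2")
    dir=$(dirname "$p")
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    if [ -e "$p" ]; then
        [ -w "$p" ] || { echo "not writable: $p" >&2; return 1; }
    else
        [ -w "$dir" ] || { echo "cannot create in: $dir" >&2; return 1; }
    fi
    return 0
}

# report CHROOT: print the context a responder wants next to the write check
report() {
    p=$(host_path "$1" /logs/ossec.log)
    echo "== $p"
    ls -ld "$(dirname "$p")" "$p" 2>&1
    if command -v findmnt >/dev/null 2>&1; then
        echo "== mount options of the filesystem holding the log directory"
        findmnt -no TARGET,OPTIONS -T "$(dirname "$p")"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "== SELinux: $(getenforce)"
    fi
    if command -v ausearch >/dev/null 2>&1; then
        # assumption: the monitor daemon's comm name is ossec-monitord
        echo "== recent audit records for ossec-monitord"
        ausearch -c ossec-monitord -i 2>/dev/null | tail -n 20
    fi
    check_log_target "$1" /logs/ossec.log && echo "== write check OK"
}

# Run the full report only when a chroot directory is passed on the
# command line, e.g.:  sh ossec-logcheck.sh /var/ossec
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it as the user the daemon drops to (ossec or ossecm, depending on the daemon) rather than as root, otherwise the write check passes regardless of the file mode. A failing check_log_target with a correct listing and no SELinux denial points at the mount options or at the directory not being inside the chroot at all, which is exactly the information the reply above is asking for.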
