Line 138 in ossec.conf is the active response, which is disabled:

        <!-- Active Response Config -->
        <active-response>
                <disabled>yes</disabled>
                <!-- This response is going to execute the host-deny
                 - command for every event that fires a rule with
                 - level (severity) >= 6.
                 - The IP is going to be blocked for 600 seconds.
                 -->
                <command>host-deny</command>
                <location>local</location>
                <level>6</level>
                <timeout>600</timeout>
        </active-response>

        <active-response>
                <disabled>yes</disabled>
                <!-- Firewall Drop response. Block the IP for
                 - 600 seconds on the firewall (iptables,
                 - ipfilter, etc).
                 -->
                <command>firewall-drop</command>
                <location>local</location>
                <level>6</level>
                <timeout>600</timeout>
        </active-response>

All of the ossec logs on the agent say they can't reach the server, but
this wasn't the case last week. The ossec server log doesn't say
anything; it acts as if the agents aren't even there. It does syscheck
but no longer sees the agents.

~ Carrie

From: [email protected] [mailto:[email protected]]
On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 4:41 PM
To: [email protected]
Subject: Re: [ossec-list] segmentation fault

On Dec 17, 2012 4:37 PM, "Carrie Poole"
<[email protected]> wrote:
>
> I'm getting segmentation faults across all of my agents when
> restarting. Nothing is showing connected anymore.
>
> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}
>

What's line 138 in ossec-control?
Anything in the ossec.log for the failing agent?

>
> Line 138 in ossec.conf is the active response, which is disabled.
>
> I have checked the ossec.conf and agent.conf for any mistakes and
> haven't found any. This was an issue on only a few agents last week, and
> now it is happening across all agents after the 2.6 upgrade. All agents
> are showing not connected. None of the configuration files have changed.
>
> Any help would be appreciated!
>
> Ossec V 2.6   RedHat Linux (server and agents with 5 windows agents)
>
> Carrie P