On Mon, Dec 17, 2012 at 10:31 PM, Carrie Poole <[email protected]> wrote:
> The segfaults in /var/log/messages are:
> Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
> Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
>
> ~ Carrie
>

Ok, I was thinking the segfaults were on the agents. Please post the remote section of the ossec.conf.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 10:06 PM
> To: [email protected]
> Subject: Re: [ossec-list] segmentation fault
>
> On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole <[email protected]> wrote:
>> Line 138 in ossec.conf is the active response, which is disabled:
>>
>> <!-- Active Response Config -->
>> <active-response>
>>   <disabled>yes</disabled>
>>   <!-- This response is going to execute the host-deny
>>     - command for every event that fires a rule with
>>     - level (severity) >= 6.
>>     - The IP is going to be blocked for 600 seconds.
>>   -->
>>   <command>host-deny</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>>
>> <active-response>
>>   <disabled>yes</disabled>
>>   <!-- Firewall Drop response. Block the IP for
>>     - 600 seconds on the firewall (iptables,
>>     - ipfilter, etc).
>>   -->
>>   <command>firewall-drop</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>>
>
> So it looks like line 138 in ossec-control should be something like:
>
>   for i in ${SDAEMONS}; do
>
> which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.
>
>> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.
>>
>
> Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.
>
>> ~ Carrie
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Monday, December 17, 2012 4:41 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] segmentation fault
>>
>> On Dec 17, 2012 4:37 PM, "Carrie Poole" <[email protected]> wrote:
>>> I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.
>>>
>>> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}
>>>
>>
>> What's line 138 in ossec-control?
>> Anything in the ossec.log for the failing agent?
>>
>>> Line 138 in ossec.conf is the active response, which is disabled.
>>>
>>> I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.
>>>
>>> Any help would be appreciated!
>>>
>>> Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
>>>
>>> Carrie P
>>>
>>> CONFIDENTIALITY NOTICE: This e-mail is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please delete it from your computer and contact the sender.
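The step dan asks for, "check the system logs, Linux usually logs segfaults", done as an added example. This is a POSIX shell script written for this thread, not code from OSSEC or from either poster. It pulls the kernel "segfault at" lines out of syslog text, reports which daemon crashed and how often, and decodes the x86 page-fault error code the kernel appends: in the lines Carrie posted, "error 4" is a user-mode read of a page that is not present, and the faulting address 0x2d1 sits in the first (normally unmapped) page, which reads like a NULL pointer dereferenced at a small struct offset rather than, say, a smashed stack. The log text is constructed to match the format in the thread; the third line (an ossec-analysisd write fault) and the "first page means NULL pointer" rule are assumptions of the example, not facts from the thread.

```sh
#!/bin/sh
# Added example for the ossec-list segfault thread (not OSSEC code, not the
# posters' code): find kernel segfault lines in syslog text, name the crashing
# daemon, and decode the page-fault error code. Sample log is constructed; the
# first two lines copy the format Carrie posted, the third is invented.

SAMPLE_LOG='Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
Dec 17 15:50:01 abeossecpr kernel: ossec-analysisd[7001]: segfault at 0000000000000000 rip 0000000000401234 rsp 00007fff12345678 error 6'

# decode_error CODE: describe the x86 page-fault error code the kernel prints.
#   bit 0: 0 = page not present, 1 = protection violation on a present page
#   bit 1: 0 = read access,      1 = write access
#   bit 2: 0 = kernel mode,      1 = user mode
decode_error() {
    code=$1
    if [ $(( code & 4 )) -ne 0 ]; then mode="user-mode"; else mode="kernel-mode"; fi
    if [ $(( code & 2 )) -ne 0 ]; then op="write"; else op="read"; fi
    if [ $(( code & 1 )) -ne 0 ]; then pres="protection violation"; else pres="page not present"; fi
    printf '%s %s, %s' "$mode" "$op" "$pres"
}

# fault_class HEXADDR: heuristic (an assumption of this example, not a kernel
# rule): a fault inside the first 4 KiB page is almost always a NULL pointer
# plus a struct-member offset, because page zero is normally not mapped.
fault_class() {
    off=$(( 0x$1 ))
    if [ "$off" -lt 4096 ]; then
        printf 'likely NULL pointer + offset %d' "$off"
    else
        printf 'non-NULL address'
    fi
}

# segfault_summary LOGTEXT: one line per crash:
#   <daemon> pid=<pid> addr=0x<addr> rip=0x<rip> <decoded error>; <fault class>
segfault_summary() {
    printf '%s\n' "$1" | grep 'kernel: .*segfault at' | while IFS= read -r line; do
        rest=${line#*kernel: }              # ossec-remoted[6378]: segfault at ...
        proc=${rest%%\[*}                   # ossec-remoted
        pid=${rest#*\[}; pid=${pid%%\]*}    # 6378
        addr=${rest#*segfault at }; addr=${addr%% *}
        rip=${rest#*rip }; rip=${rip%% *}
        err=${rest##*error }
        printf '%s pid=%s addr=0x%s rip=0x%s %s; %s\n' \
            "$proc" "$pid" "$addr" "$rip" "$(decode_error "$err")" "$(fault_class "$addr")"
    done
}

# crashing_daemons LOGTEXT: "<daemon> <crash count>", most frequent first,
# which answers dan's "find out which daemon is crashing" directly.
crashing_daemons() {
    printf '%s\n' "$1" | grep 'kernel: .*segfault at' \
        | sed 's/.*kernel: \([^[]*\)\[.*/\1/' | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Stand-alone run against the constructed sample. On a real server, feed it the
# actual log instead, e.g.: segfault_summary "$(cat /var/log/messages)"
segfault_summary "$SAMPLE_LOG"
crashing_daemons "$SAMPLE_LOG"
```

The first summary line comes out as "ossec-remoted pid=6378 addr=0x00000000000002d1 rip=0x000000000042191b user-mode read, page not present; likely NULL pointer + offset 721", so the crashing process is the server-side ossec-remoted, not an agent, and the fault is a read through a null (or zeroed) pointer, which is why the two crashes share the same rip and address. The same rip across restarts also means this is deterministic on the current input (most likely configuration or agent state), so the next thing to collect is exactly what dan asked for: the remote section of ossec.conf.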
