On Dec 18, 2012 1:13 PM, "Carrie Poole" <[email protected]> wrote:
>
> Turned out to be permissions on queue folder that caused the
> disconnection issues. Still looking into the segfaults when restarting
> agents.
>
> ~ Carrie
>

Which daemon is segfaulting on the agents?

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 10:42 PM
> To: [email protected]
> Subject: Re: [ossec-list] segmentation fault
>
> On Mon, Dec 17, 2012 at 10:31 PM, Carrie Poole
> <[email protected]> wrote:
> > The segfaults in /var/log/messages are:
> >
> > Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at
> > 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
> > Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at
> > 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
> >
> > ~ Carrie
> >
>
> Ok, I was thinking the segfaults were on the agents. Please post the
> remote section of the ossec.conf.
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: Monday, December 17, 2012 10:06 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] segmentation fault
> >
> > On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole
> > <[email protected]> wrote:
> >> Line 138 in ossec.conf is the active response, which is disabled:
> >>
> >>   <!-- Active Response Config -->
> >>   <active-response>
> >>     <disabled>yes</disabled>
> >>     <!-- This response is going to execute the host-deny
> >>        - command for every event that fires a rule with
> >>        - level (severity) >= 6.
> >>        - The IP is going to be blocked for 600 seconds.
> >>       -->
> >>     <command>host-deny</command>
> >>     <location>local</location>
> >>     <level>6</level>
> >>     <timeout>600</timeout>
> >>   </active-response>
> >>
> >>   <active-response>
> >>     <disabled>yes</disabled>
> >>     <!-- Firewall Drop response. Block the IP for
> >>        - 600 seconds on the firewall (iptables,
> >>        - ipfilter, etc).
> >>       -->
> >>     <command>firewall-drop</command>
> >>     <location>local</location>
> >>     <level>6</level>
> >>     <timeout>600</timeout>
> >>   </active-response>
> >>
> >
> > So it looks like line 138 in ossec-control should be something like:
> >
> >     for i in ${SDAEMONS}; do
> >
> > which goes through the list of daemons and tries to start them. One of
> > them is failing, and you have to figure out which one.
> >
> >> All of the ossec logs on the agent say they can't reach the server,
> >> but this wasn't the case last week. The ossec server log doesn't say
> >> anything, it acts as if the agents aren't even there. It does syscheck
> >> but no longer sees the agents.
> >>
> >
> > Check the system logs, Linux usually logs segfaults. You could also
> > see which daemons are running after the segfault. If no traffic is
> > passing between the agents and the server, ossec-agentd may have
> > crashed. But real troubleshooting can't really happen until the basics
> > are taken care of, namely finding out which daemon is crashing.
> >
> >> ~ Carrie
> >>
> >> From: [email protected]
> >> [mailto:[email protected]]
> >> On Behalf Of dan (ddp)
> >> Sent: Monday, December 17, 2012 4:41 PM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] segmentation fault
> >>
> >> On Dec 17, 2012 4:37 PM, "Carrie Poole"
> >> <[email protected]> wrote:
> >>>
> >>> I'm getting segmentation faults across all of my agents when
> >>> restarting. Nothing is showing connected anymore.
> >>>
> >>>   /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault
> >>>   ${DIR}/bin/${i}
> >>>
> >>
> >> What's line 138 in ossec-control?
> >> Anything in the ossec.log for the failing agent?
> >>
> >>> Line 138 in ossec.conf is the active response, which is disabled.
> >>>
> >>> I have checked the ossec.conf and agent.conf for any mistakes and
> >>> haven't found any. This was an issue on only a few agents last week,
> >>> and now it is happening across all agents after the 2.6 upgrade. All
> >>> agents are showing not connected. None of the configuration files
> >>> have changed.
> >>>
> >>> Any help would be appreciated!
> >>>
> >>> Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
> >>>
> >>> Carrie P
> >>>
> >>> CONFIDENTIALITY NOTICE: This e-mail is confidential and intended
> >>> solely for the use of the individual or entity to which it is
> >>> addressed. If you are not the intended recipient, be advised that you
> >>> have received this email in error and that any use, dissemination,
> >>> forwarding, printing or copying of this e-mail is strictly prohibited.
> >>> If you received this e-mail in error, please delete it from your
> >>> computer and contact the sender.
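The step dan keeps coming back to, finding out which daemon is actually crashing, as an added shell example (not code from the thread or from the OSSEC project). The first helper reads the kernel "segfault at" records Carrie pasted from /var/log/messages and decodes the x86 page-fault error code the kernel prints after "error" (bit 0: present/protection, bit 1: read/write, bit 2: kernel/user); the second runs a list of daemon binaries the way ossec-control's `for i in ${SDAEMONS}` loop does and names the ones the shell reports as killed by SIGSEGV, which is exit status 128+11 = 139. The temp directory, the two stand-in daemons, and the third non-matching log line are constructed for the demo; the two segfault lines are the ones from the thread. Decoded this way, `error 4` at address `0x2d1` is a user-mode read of an unmapped page, which is what a NULL pointer dereferenced at a small struct offset looks like.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC: helpers for "which daemon
# is crashing?". summarize_segfaults decodes kernel segfault records;
# start_daemons runs binaries in turn and names the ones killed by SIGSEGV.

# Decode the "error N" value from an x86 kernel segfault record:
#   bit 0: 0 = page not present, 1 = protection violation
#   bit 1: 0 = read,             1 = write
#   bit 2: 0 = kernel mode,      1 = user mode
decode_error() {
    code=$1
    if [ $((code & 4)) -ne 0 ]; then mode=user; else mode=kernel; fi
    if [ $((code & 2)) -ne 0 ]; then access=write; else access=read; fi
    if [ $((code & 1)) -ne 0 ]; then page="protection violation"; else page="page not present"; fi
    printf '%s-mode %s, %s' "$mode" "$access" "$page"
}

# Extract "comm pid addr err" from one kernel segfault line; prints nothing for
# lines that are not segfault records. The ".*" between the address and
# "error" tolerates both the "rip/rsp" and the newer "ip/sp" spellings.
parse_segfault() {
    printf '%s\n' "$1" | sed -n \
        's/.*kernel: \([^[ ]*\)\[\([0-9]*\)]: segfault at \([0-9a-fA-F]*\) .* error \([0-9]*\).*/\1 \2 \3 \4/p'
}

# One summary line per segfault record read from stdin.
summarize_segfaults() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $(parse_segfault "$line")
        [ $# -eq 4 ] || continue
        printf '%s pid=%s addr=0x%x fault=%s\n' "$1" "$2" "$((0x$3))" "$(decode_error "$4")"
    done
}

# Run each named binary under directory $1 in turn, as ossec-control does with
# ${DIR}/bin/${i}, and print "CRASHED: name ..." for every one the shell
# reports as killed by SIGSEGV (exit status 139). Clean exits print nothing.
start_daemons() {
    dir=$1; shift
    for d in "$@"; do
        if "$dir/$d" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        if [ "$rc" -eq 139 ]; then
            printf 'CRASHED: %s (exit status %s = 128+SIGSEGV)\n' "$d" "$rc"
        fi
    done
}

# Demo: the two records from the thread plus one constructed unrelated line.
demo_segfaults() {
    summarize_segfaults <<'EOF'
Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
Dec 17 15:50:00 abeossecpr kernel: constructed unrelated line
EOF
}

# Demo: two constructed stand-in daemons in a temp dir. "ossec-remoted" kills
# itself with SIGSEGV, "ossec-monitord" exits cleanly.
demo_start_loop() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nkill -s SEGV $$\n' > "$tmp/ossec-remoted"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/ossec-monitord"
    chmod +x "$tmp/ossec-remoted" "$tmp/ossec-monitord"
    start_daemons "$tmp" ossec-monitord ossec-remoted
    rm -rf "$tmp"
}

demo_segfaults
demo_start_loop
```

Piping the real file through the first helper (`grep 'segfault at' /var/log/messages | summarize_segfaults`) answers dan's question directly: the comm field names the daemon, and repeated identical addr and rip values across restarts, as in Carrie's two lines, point to a deterministic crash rather than memory corruption that moves around.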
