[ossec-list] segmentation fault

The thread below is reassembled in chronological order from a heavily quoted top-posted reply; each message is the participant's own words.

-----Original Message-----
From: Carrie Poole
Sent: Monday, December 17, 2012 4:37 PM
To: [email protected]
Subject: [ossec-list] segmentation fault

I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.

    /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

Line 138 in ossec.conf is the active response, which is disabled.

I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.

Any help would be appreciated!

Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)

Carrie P

CONFIDENTIALITY NOTICE: This e-mail is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please delete it from your computer and contact the sender.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 4:41 PM
To: [email protected]
Subject: Re: [ossec-list] segmentation fault

> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

What's line 138 in ossec-control?
Anything in the ossec.log for the failing agent?

-----Original Message-----
From: Carrie Poole
Sent: Monday, December 17, 2012 7:17 PM
To: [email protected]
Subject: RE: [ossec-list] segmentation fault

Line 138 in ossec.conf is the active response, which is disabled:

    <!-- Active Response Config -->
    <active-response>
      <disabled>yes</disabled>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for 600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

    <active-response>
      <disabled>yes</disabled>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

~ Carrie

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:06 PM
To: [email protected]
Subject: Re: [ossec-list] segmentation fault

> Line 138 in ossec.conf is the active response, which is disabled:
> [...]

So it looks like line 138 in ossec-control should be something like:

    for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.

-----Original Message-----
From: Carrie Poole
Sent: Monday, December 17, 2012 10:31 PM
To: [email protected]
Subject: RE: [ossec-list] segmentation fault

The segfaults in /var/log/messages are:

    Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
    Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4

~ Carrie

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:42 PM
To: [email protected]
Subject: Re: [ossec-list] segmentation fault

Ok, I was thinking the segfaults were on the agents. Please post the remote section of the ossec.conf.

-----Original Message-----
From: Carrie Poole
Sent: Tuesday, December 18, 2012 1:13 PM
To: [email protected]
Subject: RE: [ossec-list] segmentation fault

Turned out to be permissions on queue folder that caused the disconnection issues. Still looking into the segfaults when restarting agents.

~ Carrie

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, December 18, 2012 1:35 PM
To: [email protected]
Subject: RE: [ossec-list] segmentation fault

Which daemon is segfaulting on the agents?

-----Original Message-----
From: Carrie Poole
Sent: Tuesday, December 18, 2012 3:08 PM
To: [email protected]
Subject: RE: [ossec-list] segmentation fault

syscheckd daemon... is crashing because it says there is no syscheck file to monitor... there is a syscheck file, but it's in the agent.conf, not the ossec.conf.

All of my agents have the same files (ossec.conf & agent.conf), and only a few of them do the segfault error on startup.

~ Carrie

-----Original Message-----
From: dan (ddp)
Sent: Tuesday, December 18, 2012 (in reply to the 3:08 PM message above)
To: [email protected]
Subject: Re: [ossec-list] segmentation fault

I think these issues were fixed in 2.7. Not sure why the agent.conf isn't working correctly though. Can you post the ossec.conf and agent.conf?
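Added example, not code from the ossec-list thread or from the OSSEC project. It mechanises the two checks dan asks for: reading the kernel "segfault at ..." lines out of /var/log/messages to see which daemon is dying and where, and running each daemon the way the ossec-control start loop does but reporting the exit status as a signal name instead of the bare "Segmentation fault" message. The first two sample log lines are the ones Carrie posted; the third (an ossec-syscheckd line with error code 6) is constructed for contrast. The x86 page-fault error-code bit layout (bit 0 protection violation, bit 1 write, bit 2 user mode) is the kernel's; the "fault address below 4096 means a NULL pointer plus a field offset" reading is the example author's heuristic, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or OSSEC): decode kernel
# segfault lines and classify daemon exit statuses during an ossec-control
# style start loop.

# Decode the x86 page-fault error code the kernel prints after "error".
# Bit 0: protection violation (else page not present); bit 1: write (else
# read); bit 2: user mode (else kernel mode).
decode_error_code() {
    code=$1
    if [ $((code & 1)) -ne 0 ]; then out=protection-violation; else out=page-not-present; fi
    if [ $((code & 2)) -ne 0 ]; then out="$out,write"; else out="$out,read"; fi
    if [ $((code & 4)) -ne 0 ]; then out="$out,user-mode"; else out="$out,kernel-mode"; fi
    printf '%s\n' "$out"
}

# Parse one "kernel: NAME[PID]: segfault at ADDR rip RIP rsp RSP error N"
# line and print "NAME PID 0xADDR 0xRIP N DECODED HINT". Returns 1 for lines
# that are not segfault reports. Heuristic (example author's, not the
# kernel's): a fault address below one page is almost always a NULL pointer
# plus a struct-field offset, i.e. an uninitialised pointer such as a missing
# config block, rather than a smashed buffer.
parse_segfault_line() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/.*kernel: \([^[ ]*\)\[\([0-9]*\)]: segfault at \([0-9a-f]*\) rip \([0-9a-f]*\) rsp \([0-9a-f]*\) error \([0-9]*\).*/\1 \2 \3 \4 \6/p')
    [ -n "$fields" ] || return 1
    set -- $fields
    name=$1; pid=$2; addr=$3; rip=$4; err=$5
    if [ $((0x$addr)) -lt 4096 ]; then
        hint="near-NULL-deref(offset=$((0x$addr)))"
    else
        hint="non-NULL-address"
    fi
    printf '%s %s 0x%s 0x%s %s %s %s\n' "$name" "$pid" "$addr" "$rip" "$err" \
        "$(decode_error_code "$err")" "$hint"
}

# Read segfault lines on stdin and print the distinct "NAME 0xRIP" pairs.
# The same rip on every restart means a deterministic bug at one code path.
distinct_crash_sites() {
    while IFS= read -r line; do
        parse_segfault_line "$line" | cut -d' ' -f1,4
    done | sort -u
}

# Run one daemon the way "for i in ${SDAEMONS}; do ${DIR}/bin/${i}; done"
# does, but turn the exit status into a verdict. A process killed by a
# signal exits with 128+signal, so 139 is SIGSEGV. Prints "NAME ok",
# "NAME exited N" or "NAME killed SIGNAME".
start_daemon_checked() {
    name=$1; shift
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        printf '%s ok\n' "$name"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case $sig in
            6) signame=ABRT ;; 9) signame=KILL ;; 11) signame=SEGV ;;
            15) signame=TERM ;; *) signame="SIG$sig" ;;
        esac
        printf '%s killed %s\n' "$name" "$signame"
    else
        printf '%s exited %s\n' "$name" "$status"
    fi
}

# Constructed sample input: the two lines from the thread plus one made-up
# ossec-syscheckd line (error 6 = not-present, write, user mode).
SAMPLE_LOG='Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
Dec 17 15:50:01 abeossecpr kernel: ossec-syscheckd[7001]: segfault at 0000000000000008 rip 0000000000401234 rsp 00007fff12345678 error 6'

# Demo: decode every sample line, summarise crash sites, then run two
# stand-in "daemons" (hypothetical, in place of /var/ossec/bin/*): one that
# exits cleanly and one that kills itself with SIGSEGV.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do parse_segfault_line "$line"; done
printf '%s\n' "$SAMPLE_LOG" | distinct_crash_sites
start_daemon_checked fake-agentd sh -c 'exit 0'
start_daemon_checked fake-remoted sh -c 'kill -s SEGV $$'
```

Run it against the real file with `grep segfault /var/log/messages | distinct_crash_sites` once the functions are sourced; if every restart reports the same daemon and the same rip with a tiny fault address, the bug is a missing or unparsed configuration item (as the thread later found with the syscheck block living only in agent.conf), not memory corruption, and the fix is in the config or a newer release rather than in hardening the host.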
