I've been digging around the older threads and this seems to be an issue,
but there have been no solutions posted.

Server-side:

[root@city-cacti etc]# /opt/ossec/bin/agent_control -lc

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: city-cacti.bsg.na.companyname.com (server), IP:
127.0.0.1, Active/Local
   ID: 001, Name: dev-bnc3-web2, IP: 172.16.23.34, Active
   ID: 002, Name: bsg-cjahandar, IP: 172.16.63.206, Active
   ID: 004, Name: dev-bnc3-web5, IP: 172.16.23.37, Active
   ID: 005, Name: test-bnc3-city, IP: 172.16.23.220, Active
   ID: 006, Name: dev-bnc3-web4, IP: 172.16.23.36, Active
   ID: 008, Name: dev-bnc3-ctl-app-web, IP: 172.16.62.121, Active
   ID: 009, Name: dev-bnc3-db, IP: 172.16.62.123, Active
   ID: 010, Name: dev-bnc3-web3, IP: 172.16.23.35, Active
   ID: 011, Name: dev-bnc3-city, IP: 172.16.62.120, Active

Agent-side, this is the log file (ID: 011):

dev-bnc3-city:${PWD} # vi ossec.log
"ossec.log" 347 lines, 27444 characters
2013/06/26 10:54:58 ossec-execd: INFO: Started (pid: 15647).
2013/06/26 10:54:58 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2013/06/26 10:54:58 ossec-agentd(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
2013/06/26 10:54:58 ossec-agentd: INFO: Started (pid: 15651).
2013/06/26 10:54:58 ossec-agentd: INFO: Server IP Address: 172.16.23.18
2013/06/26 10:54:58 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:54:58 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:55:02 ossec-syscheckd: INFO: Started (pid: 15659).
2013/06/26 10:55:02 ossec-rootcheck: INFO: Started (pid: 15659).
2013/06/26 10:55:02 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/06/26 10:55:02 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/06/26 10:55:02 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2013/06/26 10:55:02 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/06/26 10:55:02 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/06/26 10:55:04 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/authlog'.
2013/06/26 10:55:04 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/syslog'.
2013/06/26 10:55:04 ossec-logcollector(1950): INFO: Analyzing file:
'/var/adm/messages'.
2013/06/26 10:55:04 ossec-logcollector: INFO: Started (pid: 15655).
2013/06/26 10:55:19 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:55:21 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:55:21 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:55:42 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:56:02 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:56:02 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:56:04 ossec-syscheckd: INFO: Starting syscheck scan
(forwarding database).
2013/06/26 10:56:04 ossec-syscheckd: WARN: Process locked. Waiting for
permission...
2013/06/26 10:56:23 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:57:01 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:57:01 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:57:14 ossec-logcollector: WARN: Process locked. Waiting
for permission...
2013/06/26 10:57:22 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:58:00 ossec-logcollector(1225): INFO: SIGNAL Received.
Exit Cleaning...
2013/06/26 10:58:00 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2013/06/26 10:58:00 ossec-agentd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/06/26 10:58:00 ossec-execd(1314): INFO: Shutdown received.
Deleting responses.
2013/06/26 10:58:00 ossec-execd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/06/26 10:58:01 ossec-execd: INFO: Started (pid: 16030).
2013/06/26 10:58:01 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2013/06/26 10:58:01 ossec-agentd: INFO: Assigning sender counter: 0:20
2013/06/26 10:58:01 ossec-agentd(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
2013/06/26 10:58:01 ossec-agentd: INFO: Started (pid: 16034).
2013/06/26 10:58:01 ossec-agentd: INFO: Server IP Address: 172.16.23.18
2013/06/26 10:58:01 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:58:01 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:58:05 ossec-syscheckd: INFO: Started (pid: 16042).
2013/06/26 10:58:05 ossec-rootcheck: INFO: Started (pid: 16042).
2013/06/26 10:58:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/06/26 10:58:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/06/26 10:58:05 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2013/06/26 10:58:05 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/06/26 10:58:05 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/06/26 10:58:07 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/authlog'.
2013/06/26 10:58:07 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/syslog'.
2013/06/26 10:58:07 ossec-logcollector(1950): INFO: Analyzing file:
'/var/adm/messages'.
2013/06/26 10:58:07 ossec-logcollector: INFO: Started (pid: 16038).
2013/06/26 10:58:22 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:58:24 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:58:24 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:58:45 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.16.23.18'.
2013/06/26 10:59:05 ossec-agentd: INFO: Trying to connect to server
(172.16.23.18:1514).
2013/06/26 10:59:05 ossec-agentd: INFO: Using IPv4 for: 172.16.23.18 .
2013/06/26 10:59:07 ossec-syscheckd: INFO: Starting syscheck scan
(forwarding database).
2013/06/26 10:59:07 ossec-syscheckd: WARN: Process locked. Waiting for
permission...

Here is a snoop/tcpdump Agent-side:

dev-bnc3-city:${PWD} # snoop | grep 1514
Using device ce0 (promiscuous mode)
dev-bnc3-city.bsg.na.companyname.com ->
city-cacti.bsg.na.companyname.com UDP D=1514 S=59619 LEN=153

And it continues on, so that port is open and in use.

There seem to be some nasty side effects going on that may be
playing a role:

When attempting to restart the agent server-side:

[root@city-cacti bin]# /opt/ossec/bin/agent_control -R 011

2013/07/09 15:59:48 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 15:59:48 agent_control(1401): ERROR: Error reading
authentication key: '
'.

OSSEC HIDS agent_control: Restarting agent: 011'

Yet, it still restarts, all agents are listed as active, and
supposedly working. This is happening when all agent IDs are used. Web
UI shows that the agent starts back up.

Here's the server-side log:

2013/07/09 14:20:52 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:17 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:17 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:22 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:22 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:24 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:24 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:31 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:31 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:33 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:33 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:34 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:34 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:36 agent_control(1401): ERROR: Error reading
authentication key: '
'.
2013/07/09 14:21:36 agent_control(1401): ERROR: Error reading
authentication key: '

However, I re-added the keys over and over again. client.keys file
looks fine as well.

Anyone have any insight on what is going on?

By the way, stopping and starting ossec-control also kills the PIDs
and starts the PIDs. Everything seems to be working. All other agents
seem to be alerting; just my Solaris 10 machines are not.

-- 

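Two checks a reader working through a thread like this would want at hand, as an added example (not code from OSSEC and not posted by the original author): a linter for the server's client.keys, since the server-side `agent_control(1401): ERROR: Error reading authentication key: '\n'` above is complaining about an entry that reads as empty, and a summariser for the agent's ossec.log that tells "retrying with no reply" apart from "connected". The sample log lines and the sample client.keys are constructed here in the shape of the thread's output; the keys are placeholder hex. Two assumptions are labelled in the code: that a client.keys line is `<ID> <NAME> <IP> <KEY>` separated by whitespace, and that a successful connection logs the text "Connected to the server", which is taken from the OSSEC agent sources rather than from this thread.

```python
"""Triage helpers for an OSSEC agent that never gets a server reply.

Added example for this thread; not OSSEC's own code and not the poster's.
"""
import re

# Constructed sample of an agent-side ossec.log, one entry per line
# (the thread's paste is wrapped by the mailer; real entries are single lines).
SAMPLE_AGENT_LOG = """\
2013/06/26 10:54:58 ossec-agentd(1410): INFO: Reading authentication keys file.
2013/06/26 10:54:58 ossec-agentd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2013/06/26 10:54:58 ossec-agentd: INFO: Trying to connect to server (172.16.23.18:1514).
2013/06/26 10:55:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.16.23.18'.
2013/06/26 10:55:21 ossec-agentd: INFO: Trying to connect to server (172.16.23.18:1514).
2013/06/26 10:55:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.16.23.18'.
"""

# Constructed sample client.keys: two good entries, a blank line that an
# editor hides, and an entry missing its key. Keys are placeholder hex.
SAMPLE_CLIENT_KEYS = """\
001 dev-bnc3-web2 172.16.23.34 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
011 dev-bnc3-city 172.16.62.120 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

012 dev-bnc3-extra 172.16.62.124
"""

# Assumption: a client.keys entry is "<ID> <NAME> <IP> <KEY>", whitespace-separated.
KEY_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
CONNECT = re.compile(r"Trying to connect to server \(([\d.]+):(\d+)\)")
WAITING = re.compile(r"WARN: Waiting for server reply")
# Assumption: success message text as in the OSSEC agent sources, not shown in the thread.
CONNECTED = re.compile(r"Connected to the server")
ERROR = re.compile(r"ossec-\w+\(\d+\): ERROR: (.*)$")


def lint_client_keys(text):
    """Return [(line_no, problem)] for every line that is not a valid entry.

    Blank lines are reported on their own because they are the easiest
    defect to miss when the file "looks fine" in vi.
    """
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            problems.append((n, "blank line"))
        elif not KEY_LINE.match(line):
            problems.append((n, "expected 4 fields: ID NAME IP KEY"))
    return problems


def summarize_agent_log(text):
    """Count connect attempts and no-reply warnings; record the server and errors."""
    summary = {"server": None, "connect_attempts": 0, "waiting_warnings": 0,
               "connected": False, "errors": []}
    for line in text.splitlines():
        m = CONNECT.search(line)
        if m:
            summary["server"] = (m.group(1), int(m.group(2)))
            summary["connect_attempts"] += 1
        elif WAITING.search(line):
            summary["waiting_warnings"] += 1
        elif CONNECTED.search(line):
            summary["connected"] = True
        else:
            e = ERROR.search(line)
            if e:
                summary["errors"].append(e.group(1))
    return summary


def diagnose(summary):
    """Classify the log: 'connected', 'no_reply_loop', or 'not_attempted'."""
    if summary["connected"]:
        return "connected"
    if summary["connect_attempts"] and summary["waiting_warnings"]:
        return "no_reply_loop"
    return "not_attempted"


if __name__ == "__main__":
    for line_no, problem in lint_client_keys(SAMPLE_CLIENT_KEYS):
        print("client.keys line %d: %s" % (line_no, problem))
    result = summarize_agent_log(SAMPLE_AGENT_LOG)
    print(result)
    print("diagnosis:", diagnose(result))
```

Run the linter against the server's real `/opt/ossec/etc/client.keys` by reading the file into `lint_client_keys`, and feed the agent's `/var/ossec/logs/ossec.log` to `summarize_agent_log`. A "no_reply_loop" result together with a snoop that shows the UDP datagrams leaving the host, as in the thread, means the agent side is sending and the question moves to why the server does not answer; a client.keys line the linter rejects is the first thing to look at there.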