Hi,

I installed OSSEC (ver 2.7.1 beta, and 2.7 dev) on CentOS 5.9. I activated 
the custom log for analysis by OSSIM. After many minutes, OSSEC crashes with 
this error log (I activated internal debug level 2):
2013/07/15 08:51:42 apache, == DEBUG: groupe OS_CustomLog()
2013/07/15 08:51:42 DEBUG: AVif OS_CustomLog()
2013/07/15 08:51:42 DEBUG: if OS_CustomLog()
2013/07/15 08:51:42 AV - Alert - "1373871102" --> RID: "31410"; RL: "3"; 
RG: "apache,"; RC: "PHP Warning message."; USER: "None"; SRCIP: 
"XX.XXX.XXX.XXX"; HOSTNAME: "(XXXX) 
XXX.XX.XX.XXX->/var/log/httpd/error_log"; LOCATION: "(XXXX) 
XXX.XX.XX.XXX->/var/log/httpd/error_log"; EVENT: "[INIT][Mon Jul 15 
08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning:  Cannot modify 
header information - headers already sent in Unknown on line 0, referer: 
http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]";;
 
 == DEBUG: logprint OS_CustomLog()
2013/07/15 08:51:42 DEBUG: FLush OS_CustomLog()
2013/07/15 08:51:42 ossec-remoted: socketerr (not available).
2013/07/15 08:51:42 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' 
not accessible: 'Connection refused'.
2013/07/15 08:51:42 ossec-logcollector: socketerr (not available).
2013/07/15 08:51:42 ossec-logcollector(1224): ERROR: Error sending message 
to queue.

I added the debug1() function in the code in analysisd/alerts/log.c, in the function:
void OS_CustomLog(Eventinfo *lf,char* format) {
.......
  debug1("%s == DEBUG: logprint OS_CustomLog()",log);
  fprintf(_aflog,log);
  fprintf(_aflog,"\n");
  debug1("DEBUG: FLush OS_CustomLog()"); // CRASH AFTER FFLUSH function when crash arrived
  fflush(_aflog);
  debug1("DEBUG: AVif OS_CustomLog()");
  debug1("%s == DEBUG: logprint2 OS_CustomLog()",log);
  //if(log!=NULL)
  //{
    debug1("DEBUG: if OS_CustomLog()");
    os_free(log);
    log=NULL;
  //}
  debug1("DEBUG: return OS_CustomLog()"); // NEVER PRINTED when crash arrived
  return;
}

OSSEC works well for many minutes and sends log information through the 
OS_CustomLog function to alert.log. Then, after a longer or shorter time, 
OSSEC crashes in OS_CustomLog, which stops all OSSEC services because the 
queue is not accessible....

I think the problem could come from a forgotten memory free.... But I cannot 
find it...
Thanks for the help!

Lionel
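
The `fprintf(_aflog,log)` call in the snippet above passes the alert line itself as the format string, and the EVENT field in the crash log carries a URL-encoded referer full of `%` sequences, which is undefined behaviour in C whenever a conversion has no matching argument. The following C code is an added example, not part of the original post or of OSSEC; the sample line and the names `SAMPLE`, `count_conversions`, `write_alert_line` and `roundtrip_ok` are constructed for illustration, and it shows the line being written as data so that it reaches the file unchanged:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an alert line with a URL-encoded referer, like the
 * EVENT field in the post. Helper names below are hypothetical. */
static const char SAMPLE[] =
    "EVENT: \"[INIT]PHP Warning, referer: "
    "http://www.example.test/?q=a%20des%20am%C3%A9liorations%27[END]\";";

/* Count '%' sequences printf would treat as conversions ("%%" is a literal). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Hardened writer: the line is data, never the format string.
 * Pattern in the post: fprintf(_aflog, log);  (log is used as the format) */
int write_alert_line(FILE *out, const char *line)
{
    if (fputs(line, out) == EOF) return -1;
    if (fputc('\n', out) == EOF) return -1;
    return fflush(out) == 0 ? 0 : -1;
}

/* Write the line to a temp file and check it comes back byte-for-byte. */
int roundtrip_ok(const char *line)
{
    char buf[512] = "";
    FILE *f = tmpfile();
    if (!f) return 0;
    int ok = write_alert_line(f, line) == 0;
    rewind(f);
    ok = ok && fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return ok && strcmp(buf, line) == 0;
}

int main(void)
{
    printf("conversions: %d, round trip intact: %d\n",
           count_conversions(SAMPLE), roundtrip_ok(SAMPLE));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) flags calls where a non-literal string is used as the format with no arguments.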