Any thoughts? A client.keys file issue? All files/permissions should as they were when OSSEC was running properly so it is perplexing to me what might be wrong. Since I have over 500 agents, a reinstall and new key deployment is a bit frightening.
Thanks! On Wednesday, September 18, 2013 2:18:10 PM UTC-5, MDACC-Luckie wrote: > > Dan: > > Still following the issue of my ossec server that stopped running due to > permissions that were changed on ossec directories and subdirectories. I > opted to get our storage team to recover all files with appropriate > permission from a given date/time. Things are coming along but now I am > facing an issue with ossec-remoted not running. Everything appears to > start when OSSEC starts but afer doing a status, I see the following: > > # /opt/ossec/bin/ossec-control status > ossec-monitord is running... > ossec-logcollector is running... > ossec-remoted: Process 7541 not used by ossec, removing .. > ossec-remoted not running... > ossec-syscheckd is running... > ossec-analysisd is running... > ossec-maild is running... > ossec-execd not running... > Following recommendations you made to someone in another post in this > group, I ran remoted in gdb. I really am not sure what I am looking at in > the output of gdb below to further troubleshoot the issue. Any suggestions > or recommendations would be greatly appreciated. > > GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5_8.1) > Copyright (C) 2009 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later < > http://gnu.org/licenses/gpl.html> > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > and "show warranty" for details. > This GDB was configured as "x86_64-redhat-linux-gnu". > For bug reporting instructions, please see: > <http://www.gnu.org/software/gdb/bugs/>... > Reading symbols from /opt/ossec/bin/ossec-remoted...done. > (gdb) set follow-fork-mode child > (gdb) run -df > Starting program: /opt/ossec/bin/ossec-remoted -df > warning: no loadable sections found in added symbol-file system-supplied > DSO at 0x2aaaaaaab000 > [Thread debugging using libthread_db enabled] > 2013/09/18 14:03:39 ossec-remoted: DEBUG: Starting ... > 2013/09/18 14:03:39 ossec-remoted: INFO: Started (pid: 26892). > [New process 26895] > [Thread debugging using libthread_db enabled] > 2013/09/18 14:03:39 ossec-remoted: DEBUG: Forking remoted: '0'. > 2013/09/18 14:03:40 ossec-remoted: INFO: Started (pid: 26895). > 2013/09/18 14:03:40 ossec-remoted: DEBUG: Running manager_init > [New Thread 0x40a00940 (LWP 26896)] > [New Thread 0x41401940 (LWP 26897)] > 2013/09/18 14:03:40 ossec-remoted: INFO: (unix_domain) Maximum send buffer > set to: '262144'. > 2013/09/18 14:03:40 ossec-remoted(4111): INFO: Maximum number of agents > allowed: '1024'. > 2013/09/18 14:03:40 ossec-remoted(1410): INFO: Reading authentication keys > file. > 2013/09/18 14:03:40 ossec-remoted: DEBUG: OS_StartCounter. > 2013/09/18 14:03:40 ossec-remoted: OS_StartCounter: keysize: 455 > Program received signal SIGSEGV, Segmentation fault. > [Switching to Thread 0x2aaaaaac5af0 (LWP 26895)] > 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88 > 88 if((keys->keyentries[i -1]->fp) && (i > 10)) > (gdb) > (gdb) bt > #0 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88 > #1 0x000000000040421d in HandleSecure () at secure.c:84 > #2 0x00000000004040e1 in HandleRemote (position=0, uid=955) at > remoted.c:101 > #3 0x0000000000402c90 in main (argc=2, argv=0x7fffffffe988) at main.c:150 > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
