Are you running a standalone OSSEC server, or OSSEC in AlienVault/OSSIM? If OSSIM/AlienVault, the permissions are in conflict if you edit files through the command line vs. using the GUI. You should always use the GUI in OSSIM/AlienVault. If OSSEC standalone, looking at kern.log for a segfault or in the ossec.log should tell you what is going on.

On Thursday, September 19, 2013 4:09:32 PM UTC-4, MDACC-Luckie wrote:
>
> Any thoughts? A client.keys file issue? All files/permissions should be as
> they were when OSSEC was running properly so it is perplexing to me what
> might be wrong. Since I have over 500 agents, a reinstall and new key
> deployment is a bit frightening.
>
> Thanks!
>
> On Wednesday, September 18, 2013 2:18:10 PM UTC-5, MDACC-Luckie wrote:
>>
>> Dan:
>>
>> Still following the issue of my ossec server that stopped running due to
>> permissions that were changed on ossec directories and subdirectories. I
>> opted to get our storage team to recover all files with appropriate
>> permission from a given date/time. Things are coming along but now I am
>> facing an issue with ossec-remoted not running. Everything appears to
>> start when OSSEC starts but after doing a status, I see the following:
>>
>> # /opt/ossec/bin/ossec-control status
>> ossec-monitord is running...
>> ossec-logcollector is running...
>> ossec-remoted: Process 7541 not used by ossec, removing ..
>> ossec-remoted not running...
>> ossec-syscheckd is running...
>> ossec-analysisd is running...
>> ossec-maild is running...
>> ossec-execd not running...
>>
>> Following recommendations you made to someone in another post in this
>> group, I ran remoted in gdb. I really am not sure what I am looking at in
>> the output of gdb below to further troubleshoot the issue. Any suggestions
>> or recommendations would be greatly appreciated.
>>
>> GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5_8.1)
>> Copyright (C) 2009 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <
>> http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-redhat-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /opt/ossec/bin/ossec-remoted...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -df
>> Starting program: /opt/ossec/bin/ossec-remoted -df
>> warning: no loadable sections found in added symbol-file system-supplied
>> DSO at 0x2aaaaaaab000
>> [Thread debugging using libthread_db enabled]
>> 2013/09/18 14:03:39 ossec-remoted: DEBUG: Starting ...
>> 2013/09/18 14:03:39 ossec-remoted: INFO: Started (pid: 26892).
>> [New process 26895]
>> [Thread debugging using libthread_db enabled]
>> 2013/09/18 14:03:39 ossec-remoted: DEBUG: Forking remoted: '0'.
>> 2013/09/18 14:03:40 ossec-remoted: INFO: Started (pid: 26895).
>> 2013/09/18 14:03:40 ossec-remoted: DEBUG: Running manager_init
>> [New Thread 0x40a00940 (LWP 26896)]
>> [New Thread 0x41401940 (LWP 26897)]
>> 2013/09/18 14:03:40 ossec-remoted: INFO: (unix_domain) Maximum send
>> buffer set to: '262144'.
>> 2013/09/18 14:03:40 ossec-remoted(4111): INFO: Maximum number of agents
>> allowed: '1024'.
>> 2013/09/18 14:03:40 ossec-remoted(1410): INFO: Reading authentication
>> keys file.
>> 2013/09/18 14:03:40 ossec-remoted: DEBUG: OS_StartCounter.
>> 2013/09/18 14:03:40 ossec-remoted: OS_StartCounter: keysize: 455
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x2aaaaaac5af0 (LWP 26895)]
>> 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88
>> 88 if((keys->keyentries[i -1]->fp) && (i > 10))
>> (gdb)
>> (gdb) bt
>> #0 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88
>> #1 0x000000000040421d in HandleSecure () at secure.c:84
>> #2 0x00000000004040e1 in HandleRemote (position=0, uid=955) at
>> remoted.c:101
>> #3 0x0000000000402c90 in main (argc=2, argv=0x7fffffffe988) at main.c:150
>>
>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
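The kern.log check suggested in the reply at the top of this thread, as an added example that is not part of the original messages or of OSSEC: a small parser that pulls kernel segfault records for `ossec-*` daemons and decodes the x86 page-fault error code. The sample log lines, host name, PIDs and addresses are constructed for illustration.

```python
import re

# Kernel segfault record; older kernels (e.g. RHEL 5) print rip/rsp, newer ones ip/sp.
SEGV = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

def decode_error(code):
    """Decode the x86 page-fault error code printed after 'error'."""
    cause = "protection violation" if code & 1 else "page not mapped"
    access = "instruction fetch" if code & 16 else ("write" if code & 2 else "read")
    mode = "user" if code & 4 else "kernel"
    return f"{mode}-mode {access}, {cause}"

def triage(lines, prefix="ossec-"):
    """Return one dict per segfault logged for a process whose name starts with prefix."""
    hits = []
    for line in lines:
        m = SEGV.search(line)
        if not m or not m["proc"].startswith(prefix):
            continue
        addr = int(m["addr"], 16)
        hits.append({
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "fault_addr": addr,
            "ip": int(m["ip"], 16),  # compare with the frame #0 address gdb reports
            "access": decode_error(int(m["err"])),
            # A fault inside the first page is the usual signature of a NULL
            # pointer (or a field offset from one) being dereferenced.
            "null_deref_likely": addr < 0x1000,
        })
    return hits

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "Sep 18 14:03:40 mgr kernel: ossec-remoted[4242]: segfault at 0000000000000018 rip 0000000000401234 rsp 00007fff12345678 error 4",
    "Sep 18 14:05:02 mgr kernel: ossec-execd[4310]: segfault at 7f10deadb000 ip 0000000000405678 sp 00007ffc87654321 error 6 in ossec-execd[400000+20000]",
    "Sep 18 14:06:11 mgr kernel: httpd[900]: segfault at 0 ip 00007f0000001000 sp 00007ffd00000000 error 4 in libc-2.5.so[7f0000000000+14e000]",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

To run it against a real log, pass `open("/var/log/kern.log")` (or `/var/log/messages` on Red Hat systems) to `triage()` instead of `SAMPLE`.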
