On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>
> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote: 
> > We actually are running 2.7.1. And since I am new to ossec I did not create 
> > any specific remoted configuration. I just used all the defaults. 
> > 
>
> And that configuration would be what exactly? (help me out so I don't 
> have to do a fresh install just to see the final configuration) 
>

  <remote>
    <connection>secure</connection>
  </remote>

 

> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful 
> logs (possibly in /var/ossec/logs/ossec.log)? 
>

Here are the logs with debug turned on. They don't tell us much.

2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1

 

> Does it crash immediately? 
>

Yes, it crashes immediately on startup.
 

> Is udp port 1514 currently occupied? 
>

It is not being used.
 

> Can you run it under gdb? 
> gdb /var/ossec/bin/ossec-remoted 
> set follow-fork-mode child 
> run -d 
> CRASH 
> bt 
>
>
gdb /var/ossec/bin/ossec-remoted
Reading symbols from /var/ossec/bin/ossec-remoted...done.
(gdb) set follow-fork-mode child 
(gdb) run -d
Starting program: /var/ossec/bin/ossec-remoted -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
[New process 4494]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New process 4495]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New process 4496]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff6fd8700 (LWP 4497)]
[New Thread 0x7ffff67d7700 (LWP 4498)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
89      msgs.c: No such file or directory.


Interestingly, if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon 
will start, and I'm not sure why that is yet.


> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> 
> >> wrote: 
> >> > Hi, 
> >> > 
> >> > I am running into some problems with ossec. I am testing out some HIDS 
> >> > pilots at my work as we are in need of one for our systems. I am very 
> >> > interested in using ossec but I have been having problems connecting the 
> >> > agents to the server. I checked on the server in /var/log/messages and 
> >> > this is the output I get: 
> >> > 
> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000] 
> >> > 
> >> > The remoted service keeps crashing. I restart it manually using 
> >> > /var/ossec/bin/ossec-control restart and then the above error shows up. 
> >> > We currently use openSUSE-12.3 on all our systems. 
> >> > 
> >> 
> >> Try 2.7.1. Also, please provide your remoted configuration. 
> >> 
> >> > Just for more information, the agent is sending this error back as well: 
> >> > 
> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 . 
> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server. 
> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server. 
> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'. 
> >> > 
> >> > 10.100.90.58 is the server's correct ip address. 
> >> > 
> >> > Appreciate any insight on this. Thanks! 
> >> > 
> >> > -- 
> >> > 
>
>
