On Tue, Nov 26, 2013 at 5:48 AM, Darin Perusich <[email protected]> wrote:
> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <[email protected]> wrote:
>>
>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote:
>>> > We actually are running 2.7.1. And since I am new to ossec I did not create
>>> > any specific remoted configuration. I just used all the defaults.
>>> >
>>>
>>> And that configuration would be what exactly? (help me out so I don't
>>> have to do a fresh install just to see the final configuration)
>>
>> <remote>
>>   <connection>secure</connection>
>> </remote>
>>
>>>
>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>
>> Here's the logs with debug turned on, doesn't tell us much.
>>
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>
>>>
>>> Does it crash immediately?
>>
>> Yes, it crashes immediately on startup.
>>
>>>
>>> Is udp port 1514 currently occupied?
>>
>> It is not being used.
>>
>>>
>>> Can you run it under gdb?
>>> gdb /var/ossec/bin/ossec-remoted
>>> set follow-fork-mode child
>>> run -d
>>> CRASH
>>> bt
>>>
>>
>> gdb /var/ossec/bin/ossec-remoted
>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -d
>> Starting program: /var/ossec/bin/ossec-remoted -d
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>> [New process 4494]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 4495]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 4496]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>> 89 msgs.c: No such file or directory.
>>
>>
>> Interesting if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
>> will start, and I'm not sure why that is yet.
>
> Any thoughts on what's going on with remoted?
>
It's crashing. You provided the info less than 24h ago, hold your horses.

>>>
>>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>>> >>
>>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > I am running into some problems with ossec. I am testing out some HIDS
>>> >> > pilots at my work as we are in need of one for our systems. I am very
>>> >> > interested in using ossec but I have been having problems connecting the
>>> >> > agents to the server. I checked on the server in /var/log/messages and
>>> >> > this is the output I get:
>>> >> >
>>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>>> >> >
>>> >> > The remoted service keeps crashing. I restart it manually using
>>> >> > /var/ossec/bin/ossec-control restart and then the above error shows up.
>>> >> > We currently use openSUSE-12.3 on all our systems.
>>> >> >
>>> >>
>>> >> Try 2.7.1. Also, please provide your remoted configuration.
>>> >>
>>> >> > Just for more information, the agent is sending this error back as well:
>>> >> >
>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>>> >> >
>>> >> > 10.100.90.58 is the server's correct ip address.
>>> >> >
>>> >> > Appreciate any insight on this. Thanks!
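Added example, not part of the original thread: a triage helper for the kernel `segfault` line quoted above. It decodes the x86 page-fault error code and relates the instruction pointer to the mapped binary; the `ip` it reports (0x420002) is the same address gdb attributes to `OS_StartCounter` at msgs.c:89. The name `triage` and the 4 KiB page size are assumptions.

```python
import re

# Kernel line quoted in the thread (from the server's /var/log/messages).
SAMPLE = ("[3886011.217396] ossec-remoted[20994]: segfault at 61 "
          "ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in "
          "ossec-remoted[400000+4b000]")

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<mod>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code: (bit, meaning if set, meaning if clear).
ERR_BITS = [(0x01, "protection violation", "page not present"),
            (0x02, "write", "read"),
            (0x04, "user mode", "kernel mode"),
            (0x08, "reserved bit set", None),
            (0x10, "instruction fetch", None)]

PAGE_SIZE = 4096  # assumption: 4 KiB pages


def triage(line):
    """Parse one kernel segfault line; return a dict, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    access = [on if err & bit else off
              for bit, on, off in ERR_BITS if (err & bit) or off]
    offset = in_module = None
    if m["mod"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        offset = ip - base               # offset to resolve for PIE builds
        in_module = 0 <= offset < size   # ip lies inside the named mapping
    return {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
            "ip": ip, "access": access, "module": m["mod"],
            "offset": offset, "in_module": in_module,
            # An address inside the first page usually means a NULL or tiny
            # pointer value plus a field offset was dereferenced.
            "near_null": addr < PAGE_SIZE}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the line in this thread the result is a user-mode read of an unmapped address (0x61) from code inside the `ossec-remoted` mapping, which narrows the search to a bad pointer read at that instruction rather than a write or a jump to a bad address.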
