On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <[email protected]> wrote:
>>
>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote:
>>> > We actually are running 2.7.1. And since I am new to ossec I did not
>>> > create any specific remoted configuration. I just used all the defaults.
>>> >
>>>
>>> And that configuration would be what exactly? (help me out so I don't
>>> have to do a fresh install just to see the final configuration)
>>
>> <remote>
>>   <connection>secure</connection>
>> </remote>
>>
>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>
>> Here's the logs with debug turned on, doesn't tell us much.
>>
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>
>>> Does it crash immediately?
>>
>> Yes, it crashes immediately on startup.
>>
>>> Is udp port 1514 currently occupied?
>>
>> It is not being used.
>>
>>> Can you run it under gdb?
>>> gdb /var/ossec/bin/ossec-remoted
>>> set follow-fork-mode child
>>> run -d
>>> CRASH
>>> bt
>>>
>>
>> gdb /var/ossec/bin/ossec-remoted
>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -d
>> Starting program: /var/ossec/bin/ossec-remoted -d
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>> [New process 4494]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 4495]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 4496]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>> 89 msgs.c: No such file or directory.
>>
>
> How many agents do you have? What limits are you setting on file descriptors?

One agent. Here are the limits, nofile defaults to 1024 but I've increased it to 8196.

ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 47683
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 8196
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 47683
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

>> Interesting if I run " strace -f /var/ossec/bin/ossec-remoted" the daemon
>> will start, and I'm not sure why that is yet.
>>
>>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>>> >>
>>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > I am running into some problems with ossec. I am testing out some HIDS
>>> >> > pilots at my work as we are in need of one for our systems. I am very
>>> >> > interested in using ossec but I have been having problems connecting the
>>> >> > agents to the server. I checked on the server in /var/log/messages and
>>> >> > this is the output I get:
>>> >> >
>>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>>> >> >
>>> >> > The remoted service keeps crashing. I restart it manually using
>>> >> > /var/ossec/bin/ossec-control restart and then the above error shows
>>> >> > up. We currently use openSUSE-12.3 on all our systems.
>>> >> >
>>> >>
>>> >> Try 2.7.1. Also, please provide your remoted configuration.
>>> >>
>>> >> > Just for more information, the agent is sending this error back as well:
>>> >> >
>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>>> >> >
>>> >> > 10.100.90.58 is the server's correct ip address.
>>> >> >
>>> >> > Appreciate any insight on this. Thanks!
>>> >> >
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
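The kernel segfault line quoted at the start of this thread already carries most of what the later gdb session confirms: the faulting instruction pointer (ip 0x420002, the same address gdb attributes to OS_StartCounter), a fault address of 0x61 (a near-NULL dereference, i.e. a small field offset added to a NULL or garbage pointer), and an x86 page-fault error code (4 = user-mode read of a page that is not mapped). The following decoder is an added example written for this page, not code from OSSEC or from anyone in the thread. It parses that log format, decodes the error-code bits as defined in the Linux x86 fault handler, and builds the addr2line invocation that maps the fault to a source line when the binary has debug info. The sample line is the one quoted in the thread; the helper names and the `pie` parameter are this example's own.

```python
import re

# Regex for the kernel's user-space segfault message as it appears in dmesg or
# /var/log/messages on x86. The trailing "in obj[base+size]" part is optional
# because older kernels omit it when the mapping cannot be identified.
_SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error-code bits (Linux arch/x86/mm/fault.c, X86_PF_*).
_PF_PROT, _PF_WRITE, _PF_USER, _PF_RSVD, _PF_INSTR = 1, 2, 4, 8, 16

# The line quoted in the thread, used here as sample input.
SAMPLE_LINE = (
    "[3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 "
    "sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]"
)


def parse_segfault(line):
    """Decode one kernel segfault line into a dict; return None if it is not one."""
    m = _SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr = int(m.group("addr"), 16)
    ip = int(m.group("ip"), 16)
    err = int(m.group("err"))
    info = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "ip": ip,
        "sp": int(m.group("sp"), 16),
        # Bit 1 set => write; bit 4 set => instruction fetch; otherwise a read.
        "access": "write" if err & _PF_WRITE else ("exec" if err & _PF_INSTR else "read"),
        # Bit 0 clear => the page was not present at all (unmapped address).
        "page_present": bool(err & _PF_PROT),
        # Bit 2 set => the fault happened in user mode, i.e. the process itself.
        "user_mode": bool(err & _PF_USER),
        # A fault address inside the first page is the classic signature of a
        # NULL (or near-NULL) pointer plus a small struct-field offset.
        "near_null": addr < 4096,
        "object": None,
        "offset": None,
    }
    if m.group("obj"):
        base = int(m.group("base"), 16)
        size = int(m.group("size"), 16)
        info["object"] = m.group("obj").strip()
        # Offset into the mapping is only meaningful if ip lies inside it.
        if base <= ip < base + size:
            info["offset"] = ip - base
    return info


def addr2line_command(info, binary_path, pie=False):
    """Build the addr2line call that resolves the fault to function and line.

    For a non-PIE executable (as in the thread, mapped at 0x400000) the ip is
    already the link-time address, so it is passed as-is. For a PIE binary the
    offset into the mapping must be used instead.
    """
    target = info["offset"] if pie else info["ip"]
    return "addr2line -f -e %s 0x%x" % (binary_path, target)


def summarize(info):
    """One-line human summary of a decoded fault, for triage notes."""
    where = info["object"] or "?"
    return "%s[%d]: %s of 0x%x (%s, %s page) at ip 0x%x in %s%s" % (
        info["comm"], info["pid"], info["access"], info["fault_addr"],
        "user" if info["user_mode"] else "kernel",
        "present" if info["page_present"] else "unmapped",
        info["ip"], where,
        " [near-NULL dereference]" if info["near_null"] else "",
    )


if __name__ == "__main__":
    decoded = parse_segfault(SAMPLE_LINE)
    print(summarize(decoded))
    print(addr2line_command(decoded, "/var/ossec/bin/ossec-remoted"))
```

Running this on the thread's line reports a user-mode read of the unmapped address 0x61 at ip 0x420002 inside ossec-remoted, which is consistent with the gdb frame in OS_StartCounter and points at a pointer in the keys structure being NULL or uninitialised when only one key is loaded. The addr2line step needs a binary built with debug info; the "msgs.c: No such file or directory" message in the gdb session shows the symbols were present but the source tree was not, so addr2line would still name the function and line.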
