On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) <[email protected]> wrote:
>> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <[email protected]> wrote:
>>>
>>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>>
>>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote:
>>>> > We actually are running 2.7.1. And since I am new to ossec I did not
>>>> > create any specific remoted configuration. I just used all the defaults.
>>>> >
>>>>
>>>> And that configuration would be what exactly? (help me out so I don't
>>>> have to do a fresh install just to see the final configuration)
>>>
>>> <remote>
>>>   <connection>secure</connection>
>>> </remote>
>>>
>>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>>
>>> Here are the logs with debug turned on; they don't tell us much.
>>>
>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>>
>>>> Does it crash immediately?
>>>
>>> Yes, it crashes immediately on startup.
>>>
>>>> Is udp port 1514 currently occupied?
>>>
>>> It is not being used.
>>>
>>>> Can you run it under gdb?
>>>> gdb /var/ossec/bin/ossec-remoted
>>>> set follow-fork-mode child
>>>> run -d
>>>> CRASH
>>>> bt
>>>>
>>>
>>> gdb /var/ossec/bin/ossec-remoted
>>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>>> (gdb) set follow-fork-mode child
>>> (gdb) run -d
>>> Starting program: /var/ossec/bin/ossec-remoted -d
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>>> [New process 4494]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New process 4495]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New process 4496]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>>> 89      msgs.c: No such file or directory.
>>>
>>
>> How many agents do you have? What limits are you setting on file descriptors?
>
> One agent.
>
> Here are the limits; nofile defaults to 1024 but I've increased it to 8196.
>
> ulimit -a
> core file size          (blocks, -c) 0
> data seg size           (kbytes, -d) unlimited
> scheduling priority             (-e) 0
> file size               (blocks, -f) unlimited
> pending signals                 (-i) 47683
> max locked memory       (kbytes, -l) 64
> max memory size         (kbytes, -m) unlimited
> open files                      (-n) 8196
> pipe size            (512 bytes, -p) 8
> POSIX message queues     (bytes, -q) 819200
> real-time priority              (-r) 0
> stack size              (kbytes, -s) 8192
> cpu time               (seconds, -t) unlimited
> max user processes              (-u) 47683
> virtual memory          (kbytes, -v) unlimited
> file locks                      (-x) unlimited
>
>>> Interesting: if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
>>> will start, and I'm not sure why that is yet.
>>>
Has the strace provided any clues? I'm not familiar with this distro; could
selinux or apparmor be crashing remoted?

>>>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>>>> >>
>>>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> wrote:
>>>> >> > Hi,
>>>> >> >
>>>> >> > I am running into some problems with ossec. I am testing out some HIDS
>>>> >> > pilots at my work as we are in need of one for our systems. I am very
>>>> >> > interested in using ossec but I have been having problems connecting the
>>>> >> > agents to the server. I checked on the server in /var/log/messages and
>>>> >> > this is the output I get:
>>>> >> >
>>>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>>>> >> >
>>>> >> > The remoted service keeps crashing. I restart it manually using
>>>> >> > /var/ossec/bin/ossec-control restart and then the above error shows up.
>>>> >> > We currently use openSUSE-12.3 on all our systems.
>>>> >> >
>>>> >>
>>>> >> Try 2.7.1. Also, please provide your remoted configuration.
>>>> >>
>>>> >> > Just for more information, the agent is sending this error back as well:
>>>> >> >
>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>>>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>>>> >> >
>>>> >> > 10.100.90.58 is the server's correct ip address.
>>>> >> >
>>>> >> > Appreciate any insight on this. Thanks!
>>>> >> >
>>>> >> > --
>>>> >> >
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
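The kernel's `segfault at ... ip ... error ...` line from /var/log/messages is the one artifact the thread has even when the daemon forks away from a debugger. As an added example (not code from the thread or from OSSEC), this Python decodes that line into the fields used to triage such a crash: the fault address, the x86 page-fault error bits, and where the faulting instruction sits inside the mapped binary. The sample line is a constructed copy of the one Andrew posted; its fault address 0x61 sits in the first page, which is the signature of a NULL or near-NULL pointer dereference, and the ip 0x420002 is the same address the gdb session resolves to OS_StartCounter.

```python
import re

# Constructed copy of the /var/log/messages line quoted in the thread.
SAMPLE_LINE = ("[3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 "
               "sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]")

# x86 page-fault error code bits that the kernel prints after 'error'.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def parse_segfault(line):
    """Return decoded fields as a dict, or None if the line is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"])
    addr, ip, base, size = (int(m[k], 16) for k in ("addr", "ip", "base", "size"))
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "obj": m["obj"],
        "fault_addr": addr,
        "ip": ip,
        # Offset of ip from the start of the VMA the kernel found it in.  For a
        # non-PIE executable mapped at 0x400000, ip is already the link-time
        # address, which is why the thread's gdb session resolves 0x420002 directly.
        "ip_offset": ip - base,
        "ip_in_object": base <= ip < base + size,
        "access": "ifetch" if err & PF_INSTR else ("write" if err & PF_WRITE else "read"),
        "mode": "user" if err & PF_USER else "kernel",
        "cause": "protection" if err & PF_PROT else "not-present",
        # A fault address inside the first page is a NULL or near-NULL pointer,
        # typically a small integer or struct offset dereferenced as a pointer.
        "near_null": addr < 0x1000,
    }

def summarize(line):
    f = parse_segfault(line)
    if f is None:
        return None
    hint = ", near NULL" if f["near_null"] else ""
    return (f"{f['comm']}[{f['pid']}]: {f['mode']}-mode {f['access']} of "
            f"0x{f['fault_addr']:x} ({f['cause']}{hint}) at {f['obj']}+0x{f['ip_offset']:x}")

if __name__ == "__main__":
    print(summarize(SAMPLE_LINE))
```

Feeding ossec.log lines (which carry no `segfault at` text) returns None, so the same function can be run over a mixed log stream to pick out only the kernel crash reports.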
