On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) <[email protected]> wrote:
>>> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <[email protected]> wrote:
>>>>
>>>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>>>
>>>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote:
>>>>> > We actually are running 2.7.1. And since I am new to ossec I did not
>>>>> > create any specific remoted configuration. I just used all the defaults.
>>>>> >
>>>>>
>>>>> And that configuration would be what exactly? (help me out so I don't
>>>>> have to do a fresh install just to see the final configuration)
>>>>
>>>> <remote>
>>>> <connection>secure</connection>
>>>> </remote>
>>>>
>>>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>>>
>>>> Here are the logs with debug turned on; they don't tell us much.
>>>>
>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>>>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>>>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>>>
>>>>> Does it crash immediately?
>>>>
>>>> Yes, it crashes immediately on startup.
>>>>
>>>>> Is udp port 1514 currently occupied?
>>>>
>>>> It is not being used.
>>>>
>>>>> Can you run it under gdb?
>>>>> gdb /var/ossec/bin/ossec-remoted
>>>>> set follow-fork-mode child
>>>>> run -d
>>>>> CRASH
>>>>> bt
>>>>>
>>>>
>>>> gdb /var/ossec/bin/ossec-remoted
>>>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>>>> (gdb) set follow-fork-mode child
>>>> (gdb) run -d
>>>> Starting program: /var/ossec/bin/ossec-remoted -d
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>>>> [New process 4494]
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>> [New process 4495]
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>> [New process 4496]
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>>>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>>>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>>>> 89 msgs.c: No such file or directory.
>>>>
>>>
>>> How many agents do you have? What limits are you setting on file
>>> descriptors?
>>
>> One agent.
>>
>> Here are the limits; nofile defaults to 1024 but I've increased it to 8196.
>>
>> ulimit -a
>> core file size          (blocks, -c) 0
>> data seg size           (kbytes, -d) unlimited
>> scheduling priority             (-e) 0
>> file size               (blocks, -f) unlimited
>> pending signals                 (-i) 47683
>> max locked memory       (kbytes, -l) 64
>> max memory size         (kbytes, -m) unlimited
>> open files                      (-n) 8196
>> pipe size            (512 bytes, -p) 8
>> POSIX message queues     (bytes, -q) 819200
>> real-time priority              (-r) 0
>> stack size              (kbytes, -s) 8192
>> cpu time               (seconds, -t) unlimited
>> max user processes              (-u) 47683
>> virtual memory          (kbytes, -v) unlimited
>> file locks                      (-x) unlimited
>>
>>>>
>>>> Interestingly, if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
>>>> will start, and I'm not sure why that is yet.
>>>>
>
> Has the strace provided any clues?
>
> I'm not familiar with this distro, could selinux or apparmor be
> crashing remoted?
>
Neither selinux nor apparmor is enabled or running. The strace isn't telling me much, other than that when I tell it to chase forks, the forks are running as root and not ossecr.

One thing I'm doing differently is I'm not building with the provided zlib but using what's included in the distro, version 1.2.7. I'm doing this so it can eventually be included in the distro.

Here's the full backtrace; I just realized I didn't include it before.

# gdb /var/ossec/bin/ossec-remoted
GNU gdb (GDB) SUSE (7.5.1-2.1.1)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /var/ossec/bin/ossec-remoted...done.
(gdb) set follow-fork-mode child
(gdb) bt full
No stack.
(gdb) run
Starting program: /var/ossec/bin/ossec-remoted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New process 16151]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New process 16152]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New process 16153]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff6fd8700 (LWP 16154)]
[New Thread 0x7ffff67d7700 (LWP 16155)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fdf700 (LWP 16153)]
0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
89 msgs.c: No such file or directory.
(gdb) bt full
#0  0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
        my_error = 13
        i = 0
        rids_file = "/queue/rids/001", '\000' <repeats 57 times>, "\002\005C", '\000' <repeats 46 times>, "\004C\000\000\000\000\000H\000\000\000\000\000\000\000@\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\005", '\000' <repeats 88 times>"\256, \377\377\377\177\000\000צ\377\377\377\177\000\000"
#1  0x0000000000404845 in HandleSecure () at secure.c:85
        agentid = 0
        buffer = '\000' <repeats 1928 times>, "\002\030\336\367\377\177", '\000' <repeats 67 times>"\300, \000\000\000\000\000\000\254\260\000\000\000\000\000\000\254\260", '\000' <repeats 14 times>, "\005\000\000\000\000\000\000\000\000\260 \000\000\000\000\000\000\320 \000\000\000\000\000\030\303 \000\000\000\000\000H\307 \000\000\000\000\000\000\260\000\000\000\000\000\000\003", '\000' <repeats 31 times>"\320, \004", '\000' <repeats 14 times>, "P", '\000' <repeats 39 times>, "\003\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|", '\000' <repeats 11 times>, "@\226\273\367\377\177\000\000\031\000\000\000\000\000\000\000\260\fe\000\000\000\000\000\240\342d\000\000\000\000\000\031", '\000' <repeats 15 times>, "3\366\210\367\377\177\000\000\260\fe\000\000\000\000\000@\347"...
        cleartext_msg = '\000' <repeats 5264 times>, "@", '\000' <repeats 35 times>, "\001\000\000\000\002\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|", '\000' <repeats 11 times>, "@\226\273\367\377\177\000\000\200\305\377\377\377\177\000\000\020\320d\000\000\000\000\000\200\305\377\377\377\177\000\000\220)@\000\000\000\000\000\020\320d\000\000\000\000\000Ȉ\210\367\377\177\000\000\000\000\000\000\000\000\000\000\020\320d\000\000\000\000\000\200\305\377\377\377\177\000\000\376\226\210\367\377\177\000\000\020\320d\000\000\000\000\000WK\210\367\377\177\000\000\000\000\000\000\000\000\000\000\370\260B\000\000\000\000\000\000\000\000\000\002\000\000\000\020\320d\000\000\000\000\000\020\320d\000\000\000\000\000\000\000\000\000\377\377\377\377\000\336\377\377\377\177\000\000a\273B", '\000' <repeats 13 times>, "0\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000\020\320d", '\000' <repeats 613 times>
        srcip = '\000' <repeats 16 times>
        tmp_msg = 0x6f <Address 0x6f out of bounds>
        srcmsg = '\000' <repeats 256 times>
        recv_b = 32767
        peer_info = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}
        peer_size = 0
#2  0x0000000000404708 in HandleRemote (position=0, uid=493) at remoted.c:102
No locals.
#3  0x0000000000403234 in main (argc=1, argv=0x7fffffffe1d8) at main.c:151
        i = 0
        c = -1
        uid = 493
        gid = 494
        test_config = 0
        run_foreground = 0
        cfg = 0x42f8a0 "/var/ossec/etc/ossec.conf"
        dir = 0x42f8ba "/var/ossec"
        user = 0x42f8c5 "ossecr"
        group = 0x42f8cc "ossec"

>>>>>
>>>>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>>>>> >>
>>>>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> wrote:
>>>>> >> > Hi,
>>>>> >> >
>>>>> >> > I am running into some problems with ossec. I am testing out some HIDS
>>>>> >> > pilots at my work as we are in need of one for our systems.
>>>>> >> > I am very interested in using ossec but I have been having problems
>>>>> >> > connecting the agents to the server. I checked on the server in
>>>>> >> > /var/log/messages and this is the output I get:
>>>>> >> >
>>>>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>>>>> >> >
>>>>> >> > The remoted service keeps crashing. I restart it manually using
>>>>> >> > /var/ossec/bin/ossec-control restart and then the above error shows up.
>>>>> >> > We currently use openSUSE-12.3 on all our systems.
>>>>> >> >
>>>>> >>
>>>>> >> Try 2.7.1. Also, please provide your remoted configuration.
>>>>> >>
>>>>> >> > Just for more information, the agent is sending this error back as well:
>>>>> >> >
>>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>>>>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>>>>> >> >
>>>>> >> > 10.100.90.58 is the server's correct ip address.
>>>>> >> >
>>>>> >> > Appreciate any insight on this. Thanks!
>>>>> >> >
>>>>> >> > --
>>>>> >> >
>>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/groups/opt_out.
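The kernel line Andrew quoted at the start of the thread (`segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]`) already states most of what the later gdb session confirms: a user-mode read of address 0x61, i.e. a NULL pointer plus a small offset, from code 0x20002 bytes into the ossec-remoted mapping. The decoder below is an added example written for this page, not OSSEC code and not anything posted in the thread. `THREAD_LINE` is the thread's own log line re-joined onto one line; `CONSTRUCTED_LINE`, and the names `parse_segfault`, `describe`, `errno_name` and `Segfault`, are mine. It parses the kernel's `segfault at` format, decodes the x86 page-fault error bits (bit 0 not-present vs protection, bit 1 read vs write, bit 2 kernel vs user, bit 4 instruction fetch), checks that `ip` falls inside the named mapping, computes the mapping offset, and prints the address to hand to addr2line. As an aside on the `bt full` output above: `my_error = 13` is errno 13, which on Linux is EACCES.

```python
"""Decode Linux "segfault at ..." kernel log lines for x86-64 processes.
Added example for this thread, not OSSEC code."""
import errno
import re
from dataclasses import dataclass
from typing import Optional

# Kernel format (arch/x86/mm/fault.c):
#   "%s[%d]: segfault at %lx ip %lx sp %lx error %lx in %s[%lx+%lx]"
# Numbers are hex without 0x; the leading "[secs.usec]" printk timestamp is
# skipped because the pattern is applied with re.search().
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error code bits as reported in "error N".
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


@dataclass(frozen=True)
class Segfault:
    comm: str
    pid: int
    fault_addr: int   # address the faulting instruction tried to touch
    ip: int           # instruction pointer at the fault
    sp: int
    error: int        # page-fault error code
    obj: str          # mapping (binary or library) containing ip
    base: int         # start of that mapping
    size: int         # length of that mapping

    @property
    def protection_violation(self) -> bool:
        return bool(self.error & PF_PROT)   # clear: the page was not mapped at all

    @property
    def write(self) -> bool:
        return bool(self.error & PF_WRITE)

    @property
    def user_mode(self) -> bool:
        return bool(self.error & PF_USER)

    @property
    def instruction_fetch(self) -> bool:
        return bool(self.error & PF_INSTR)

    def ip_in_mapping(self) -> bool:
        return self.base <= self.ip < self.base + self.size

    def offset(self) -> int:
        """Offset of ip from the start of the mapping named in the message."""
        return self.ip - self.base

    def looks_null_deref(self, page: int = 0x1000) -> bool:
        """Fault address in the never-mapped zero page: NULL plus a small field offset."""
        return self.fault_addr < page

    def addr2line_address(self, pie: bool) -> int:
        # A non-PIE executable is linked at a fixed address, so ip is already a
        # link-time address; PIE executables and shared objects need the offset.
        return self.offset() if pie else self.ip


def parse_segfault(line: str) -> Optional[Segfault]:
    """Parse one kernel log line; None if it is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None

    def h(name: str) -> int:
        return int(m.group(name), 16)

    return Segfault(comm=m.group("comm"), pid=int(m.group("pid")),
                    fault_addr=h("addr"), ip=h("ip"), sp=h("sp"), error=h("err"),
                    obj=m.group("obj"), base=h("base"), size=h("size"))


def errno_name(code: int) -> str:
    """Symbolic name of an errno value (the my_error = 13 in the bt full above is EACCES)."""
    return errno.errorcode.get(code, "unknown")


def describe(sf: Segfault) -> str:
    access = "instruction fetch" if sf.instruction_fetch else ("write" if sf.write else "read")
    cause = "protection violation" if sf.protection_violation else "page not present"
    mode = "user" if sf.user_mode else "kernel"
    where = "inside" if sf.ip_in_mapping() else "outside"
    out = [
        f"{sf.comm}[{sf.pid}]: {mode}-mode {access} of {sf.fault_addr:#x} faulted ({cause})",
        f"ip {sf.ip:#x} is {where} {sf.obj} [{sf.base:#x}+{sf.size:#x}], offset {sf.offset():#x}",
    ]
    if sf.looks_null_deref():
        out.append(f"fault address {sf.fault_addr:#x} is in the zero page: "
                   f"NULL pointer plus offset {sf.fault_addr:#x}")
    # Heuristic only (assumption): 0x400000 is the classic x86-64 non-PIE load
    # address. Confirm with `readelf -h <binary>` (Type: EXEC vs DYN).
    pie = sf.base != 0x400000
    out.append(f"addr2line -f -e <unstripped {sf.obj}> {sf.addr2line_address(pie):#x}")
    return "\n".join(out)


# The line quoted in the thread, re-joined onto one line.
THREAD_LINE = ("[3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 "
               "sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]")
# Constructed sample (not from the thread): a user-mode write through a NULL
# pointer from inside a shared object, to exercise the write bit and PIE handling.
CONSTRUCTED_LINE = ("[12.345678] demo[4242]: segfault at 0 ip 00007f1a2b3c4d5e "
                    "sp 00007ffd0000ff00 error 6 in libdemo.so[7f1a2b3c0000+10000]")

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        print(describe(parse_segfault(line)), end="\n\n")
```

For a non-PIE binary such as this one (base 0x400000, and gdb later reports the same 0x420002 as the address inside OS_StartCounter), the ip in the kernel line is already the link-time address, so `addr2line -f -e /var/ossec/bin/ossec-remoted 0x420002` on an unstripped build maps it to msgs.c:89 without a debugger and without reproducing the crash; for a PIE executable or a shared library use the mapping offset instead. Whether a binary is PIE should be read from `readelf -h` (Type EXEC vs DYN); the `base != 0x400000` test in `describe` is only a convenience heuristic.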
