On Tue, Nov 26, 2013 at 10:39 AM, Darin Perusich <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) <[email protected]> wrote:
>>>> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <[email protected]> wrote:
>>>>>
>>>>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <[email protected]> wrote:
>>>>>> > We actually are running 2.7.1. And since I am new to ossec I did not
>>>>>> > create any specific remoted configuration. I just used all the defaults.
>>>>>> >
>>>>>>
>>>>>> And that configuration would be what exactly? (help me out so I don't
>>>>>> have to do a fresh install just to see the final configuration)
>>>>>
>>>>> <remote>
>>>>>   <connection>secure</connection>
>>>>> </remote>
>>>>>
>>>>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>>>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>>>>
>>>>> Here are the logs with debug turned on; they don't tell us much.
>>>>>
>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>>>>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>>>>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>>>>
>>>>>> Does it crash immediately?
>>>>>
>>>>> Yes, it crashes immediately on startup.
>>>>>
>>>>>> Is udp port 1514 currently occupied?
>>>>>
>>>>> It is not being used.
>>>>>
>>>>>> Can you run it under gdb?
>>>>>> gdb /var/ossec/bin/ossec-remoted
>>>>>> set follow-fork-mode child
>>>>>> run -d
>>>>>> CRASH
>>>>>> bt
>>>>>>
>>>>>
>>>>> gdb /var/ossec/bin/ossec-remoted
>>>>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>>>>> (gdb) set follow-fork-mode child
>>>>> (gdb) run -d
>>>>> Starting program: /var/ossec/bin/ossec-remoted -d
>>>>> [Thread debugging using libthread_db enabled]
>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>>>>> [New process 4494]
>>>>> [Thread debugging using libthread_db enabled]
>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>> [New process 4495]
>>>>> [Thread debugging using libthread_db enabled]
>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>> [New process 4496]
>>>>> [Thread debugging using libthread_db enabled]
>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>>>>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>>>>
>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>>>>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>>>>> 89 msgs.c: No such file or directory.
>>>>>
>>>>
>>>> How many agents do you have? What limits are you setting on file
>>>> descriptors?
>>>
>>> One agent.
>>>
>>> Here are the limits; nofile defaults to 1024 but I've increased it to 8196.
>>>
>>> ulimit -a
>>> core file size          (blocks, -c) 0
>>> data seg size           (kbytes, -d) unlimited
>>> scheduling priority             (-e) 0
>>> file size               (blocks, -f) unlimited
>>> pending signals                 (-i) 47683
>>> max locked memory       (kbytes, -l) 64
>>> max memory size         (kbytes, -m) unlimited
>>> open files                      (-n) 8196
>>> pipe size            (512 bytes, -p) 8
>>> POSIX message queues     (bytes, -q) 819200
>>> real-time priority              (-r) 0
>>> stack size              (kbytes, -s) 8192
>>> cpu time               (seconds, -t) unlimited
>>> max user processes              (-u) 47683
>>> virtual memory          (kbytes, -v) unlimited
>>> file locks                      (-x) unlimited
>>>
>>>>> Interesting: if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
>>>>> will start, and I'm not sure why that is yet.
>>>>>
>>
>> Has the strace provided any clues?
>>
>> I'm not familiar with this distro, could selinux or apparmor be
>> crashing remoted?
>>
>
> Neither selinux nor apparmor are enabled or running. The strace isn't
> telling me much, other than when I tell it to chase forks the forks
> are running as root and not ossecr.
>
> One thing I'm doing differently is I'm not building w/the provided
> zlib but using what's included in the distro, version 1.2.7. I'm doing
> this so it can eventually be included in the distro.
>

Try it with the correct zlib to see if that fixes things.

> Here's the full backtrace, I just realized I didn't include it before.
>
> # gdb /var/ossec/bin/ossec-remoted
> GNU gdb (GDB) SUSE (7.5.1-2.1.1)
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-suse-linux".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /var/ossec/bin/ossec-remoted...done.
> (gdb) set follow-fork-mode child
> (gdb) bt full
> No stack.
> (gdb) run
> Starting program: /var/ossec/bin/ossec-remoted
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New process 16151]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New process 16152]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New process 16153]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New Thread 0x7ffff6fd8700 (LWP 16154)]
> [New Thread 0x7ffff67d7700 (LWP 16155)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff7fdf700 (LWP 16153)]
> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
> 89 msgs.c: No such file or directory.
> (gdb) bt full
> #0  0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>         my_error = 13
>         i = 0
>         rids_file = "/queue/rids/001", '\000' <repeats 57 times>,
>         "\002\005C", '\000' <repeats 46 times>,
>         "\004C\000\000\000\000\000H\000\000\000\000\000\000\000@\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\005",
>         '\000' <repeats 88 times>"\256,
>         \377\377\377\177\000\000צ\377\377\377\177\000\000"
> #1  0x0000000000404845 in HandleSecure () at secure.c:85
>         agentid = 0
>         buffer = '\000' <repeats 1928 times>,
>         "\002\030\336\367\377\177", '\000' <repeats 67 times>"\300,
>         \000\000\000\000\000\000\254\260\000\000\000\000\000\000\254\260",
>         '\000' <repeats 14 times>, "\005\000\000\000\000\000\000\000\000\260
>         \000\000\000\000\000\000\320 \000\000\000\000\000\030\303
>         \000\000\000\000\000H\307
>         \000\000\000\000\000\000\260\000\000\000\000\000\000\003", '\000'
>         <repeats 31 times>"\320, \004", '\000' <repeats 14 times>, "P", '\000'
>         <repeats 39 times>,
>         "\003\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
>         '\000' <repeats 11 times>,
>         "@\226\273\367\377\177\000\000\031\000\000\000\000\000\000\000\260\fe\000\000\000\000\000\240\342d\000\000\000\000\000\031",
>         '\000' <repeats 15 times>,
>         "3\366\210\367\377\177\000\000\260\fe\000\000\000\000\000@\347"...
>         cleartext_msg = '\000' <repeats 5264 times>, "@", '\000'
>         <repeats 35 times>,
>         "\001\000\000\000\002\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
>         '\000' <repeats 11 times>,
>         "@\226\273\367\377\177\000\000\200\305\377\377\377\177\000\000\020\320d\000\000\000\000\000\200\305\377\377\377\177\000\000\220)@\000\000\000\000\000\020\320d\000\000\000\000\000Ȉ\210\367\377\177\000\000\000\000\000\000\000\000\000\000\020\320d\000\000\000\000\000\200\305\377\377\377\177\000\000\376\226\210\367\377\177\000\000\020\320d\000\000\000\000\000WK\210\367\377\177\000\000\000\000\000\000\000\000\000\000\370\260B\000\000\000\000\000\000\000\000\000\002\000\000\000\020\320d\000\000\000\000\000\020\320d\000\000\000\000\000\000\000\000\000\377\377\377\377\000\336\377\377\377\177\000\000a\273B",
>         '\000' <repeats 13 times>,
>         "0\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000\020\320d",
>         '\000' <repeats 613 times>
>         srcip = '\000' <repeats 16 times>
>         tmp_msg = 0x6f <Address 0x6f out of bounds>
>         srcmsg = '\000' <repeats 256 times>
>         recv_b = 32767
>         peer_info = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
>         sin_zero = "\000\000\000\000\000\000\000"}
>         peer_size = 0
> #2  0x0000000000404708 in HandleRemote (position=0, uid=493) at remoted.c:102
> No locals.
> #3  0x0000000000403234 in main (argc=1, argv=0x7fffffffe1d8) at main.c:151
>         i = 0
>         c = -1
>         uid = 493
>         gid = 494
>         test_config = 0
>         run_foreground = 0
>         cfg = 0x42f8a0 "/var/ossec/etc/ossec.conf"
>         dir = 0x42f8ba "/var/ossec"
>         user = 0x42f8c5 "ossecr"
>         group = 0x42f8cc "ossec"
>
>>>>>>
>>>>>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>>>>>> >>
>>>>>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <[email protected]> wrote:
>>>>>> >> > Hi,
>>>>>> >> >
>>>>>> >> > I am running into some problems with ossec. I am testing out some HIDS
>>>>>> >> > pilots at my work as we are in need of one for our systems. I am very
>>>>>> >> > interested in using ossec but I have been having problems connecting the
>>>>>> >> > agents to the server. I checked on the server in /var/log/messages and
>>>>>> >> > this is the output I get:
>>>>>> >> >
>>>>>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>>>>>> >> >
>>>>>> >> > The remoted service keeps crashing. I restart it manually using
>>>>>> >> > /var/ossec/bin/ossec-control restart and then the above error shows up.
>>>>>> >> > We currently use openSUSE-12.3 on all our systems.
>>>>>> >> >
>>>>>> >>
>>>>>> >> Try 2.7.1. Also, please provide your remoted configuration.
>>>>>> >>
>>>>>> >> > Just for more information, the agent is sending this error back as well:
>>>>>> >> >
>>>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>>>>>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>>>>>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>>>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>>>>>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>>>>>> >> >
>>>>>> >> > 10.100.90.58 is the server's correct ip address.
>>>>>> >> >
>>>>>> >> > Appreciate any insight on this. Thanks!
>>>>>> >> >

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
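The first thing the thread had to work with was the kernel's segfault line from /var/log/messages, and the gdb session later confirmed the same crash site. The following is an added example, not code from the list thread or from OSSEC: a small Python triage helper that decodes such kernel lines before anyone reaches for a debugger. The meaning of the "error N" field is the x86 page-fault error code (architectural bit definitions); the ossec-remoted line is the one quoted in the thread, while the second sample line with example-daemon and libc-2.17.so is constructed for contrast. On the thread's line it reports a user-mode read of address 0x61, i.e. a near-NULL dereference, at offset 0x20002 into a binary mapped at 0x400000, which is the pc 0x420002 that gdb attributes to OS_StartCounter.

```python
import re

# Kernel x86 segfault report as it appears in /var/log/messages; this is the
# shape of the ossec-remoted line quoted in the thread.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# A gdb frame line such as "#0  0x0000000000420002 in OS_StartCounter (...)".
GDB_FRAME_RE = re.compile(r"#?\d*\s*0x(?P<pc>[0-9a-f]+) in (?P<func>\w+)")

# x86 page-fault error-code bits; the kernel prints the raw value as "error N".
PF_PROT = 1 << 0   # set: protection violation; clear: page not present
PF_WRITE = 1 << 1  # set: write access;         clear: read access
PF_USER = 1 << 2   # set: fault in user mode;   clear: kernel mode
PF_INSTR = 1 << 4  # set: instruction fetch

NULL_PAGE_LIMIT = 0x1000  # fault addresses inside the first page: near-NULL dereference

# Sample input: the line quoted in the thread, one constructed line for
# contrast (example-daemon / libc-2.17.so are made up), and a non-matching line.
SAMPLE_LOG = [
    "[3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 "
    "sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]",
    "[100.000001] example-daemon[4242]: segfault at 7f00deadbeef ip 00007f1234012345 "
    "sp 00007ffc00000000 error 6 in libc-2.17.so[7f1234000000+1b0000]",
    "[101.000001] kernel: unrelated message",
]


def parse_segfault(line):
    """Decode one kernel segfault line; returns None for any other line."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m.group("addr"), 16), int(m.group("ip"), 16)
    base, size = int(m.group("base"), 16), int(m.group("size"), 16)
    err = int(m.group("err"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "ip": ip,
        "sp": int(m.group("sp"), 16),
        "error": err,
        "object": m.group("obj").strip(),
        "map_base": base,
        "map_size": size,
        # Offset of the faulting instruction inside the mapped object, which is
        # what you compare against a disassembly or a gdb frame.
        "ip_offset": ip - base if base <= ip < base + size else None,
        "user_mode": bool(err & PF_USER),
        "write": bool(err & PF_WRITE),
        "protection_violation": bool(err & PF_PROT),
        "instruction_fetch": bool(err & PF_INSTR),
        "near_null": addr < NULL_PAGE_LIMIT,
    }


def classify(info):
    """One-line triage verdict for a parsed segfault."""
    if info["instruction_fetch"]:
        kind = "control flow into unmapped or non-executable memory"
    elif info["near_null"]:
        kind = "near-NULL pointer dereference"
    else:
        kind = "invalid memory access"
    access = "write" if info["write"] else "read"
    mode = "user" if info["user_mode"] else "kernel"
    return "%s (%s %s at 0x%x)" % (kind, mode, access, info["fault_addr"])


def crash_function(info, gdb_frame_line):
    """Name of the function in a gdb frame whose pc equals the kernel ip, else None."""
    m = GDB_FRAME_RE.search(gdb_frame_line)
    if m is None or int(m.group("pc"), 16) != info["ip"]:
        return None
    return m.group("func")


def triage(lines):
    """Run the decoder over log lines; returns (comm, pid, verdict, ip_offset) per segfault."""
    out = []
    for line in lines:
        info = parse_segfault(line)
        if info is not None:
            out.append((info["comm"], info["pid"], classify(info), info["ip_offset"]))
    return out


if __name__ == "__main__":
    for comm, pid, verdict, off in triage(SAMPLE_LOG):
        print("%s[%d]: %s, ip offset %s" % (comm, pid, verdict, hex(off) if off is not None else "?"))
```

Comparing the kernel-reported ip against the `#0` frame of a `bt full` (crash_function above) is a cheap way to confirm that a log line and a debugger session describe the same crash site before spending time on the full backtrace.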
