On Mon, Feb 3, 2014 at 5:23 PM, fddi <f...@yahoo.com> wrote:

> Hi,
>

Hello Tim,


>      I'm trying to get psad working on RHEL6.5.
>
> I am using the generic psad.conf file with IPV6 disabled.  I have rsyslog
> configured and running.
>
> (a rebuilt src.rpm from Fedora 20)
>
> My version is:
> [+] psad v2.2.1 by Michael Rash <m...@cipherdyne.org>
>
> When I service psad start I will see the following message in
> /var/log/messages every 5 seconds (as defined in the conf file)
> psad(psadwatchd): restarting psad on localhost
>
> If I look at the processes, I see:
> root     401767      1  0 17:15 ?        00:00:00 /usr/bin/perl -w /usr/sbin/psad
> root     401772      1  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
> root     401779 401772  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
> root     402083 401779  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
> root     402127 351908  0 17:15 pts/0    00:00:00 grep psad
> and it will keep spawning more psadwatcheds.
>
> psad does seem to work but psadwatchd just keeps growing and logging in
> /var/log/messages.
>
> I see the pid runfiles get updated:
> -rw-------.  1 root root    1 Feb  3 17:15 psad.cmd
> -rw-------.  1 root root    7 Feb  3 17:15 psad.pid
> -rw-------.  1 root root    7 Feb  3 17:15 psadwatchd.pid
>
> If I run psad in debug mode, it looks like psadwatchd never starts and
> doesn't keep spawning more processes.
>
>
psad itself starts psadwatchd, but only when not running in debug mode.  My
guess is that the init script for psad is starting psadwatchd independently
of psad, and there is a race condition going for which one will win
(although I would have thought that the pid file check would still have
worked).  How was psad installed on your system?  The current RPM does not
have an init script that is compatible with the upstart daemon since that
looks to be a relatively new change for RHEL to switch to upstart from
sysvinit.  Can you send me the psad init script on your system?


> Now the weird part.  I have rebooted before and psad has worked fine.
> Could this be a race condition in my syslog that psadwatchd is picking up?
>
>
There should only be one psadwatchd process running at any given time.


> I only have iptables rules on my OUTPUT chain since all I want to do is
> see who on the inside is doing what on this system.  This worked great for
> several days.
>
>
Sure, psad is compatible with this deployment model.  We'll get it working.

Thanks,

--Mike




> Any tips on how to debug would be greatly appreciated.
>
> Thank you
>
> Tim
>
>
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
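
A check for the symptom discussed in this thread (more than one psadwatchd, each spawned by the previous one), as an added example that is not part of the original messages or of psad itself. The function names are hypothetical, and the sample input is the process listing quoted in the thread with its wrapped lines rejoined.

```shell
#!/bin/sh
# Added example: flag runaway psadwatchd processes in `ps -ef` output.
# Assumed columns: UID PID PPID C STIME TTY TIME CMD (procps `ps -ef`).

# Sample input: the listing quoted in the thread, wrapped lines rejoined.
sample_ps() {
cat <<'EOF'
root     401767      1  0 17:15 ?        00:00:00 /usr/bin/perl -w /usr/sbin/psad
root     401772      1  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
root     401779 401772  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
root     402083 401779  0 17:15 ?        00:00:00 /usr/sbin/psadwatchd -c /etc/psad/psad.conf
root     402127 351908  0 17:15 pts/0    00:00:00 grep psad
EOF
}

# Print the number of psadwatchd processes found on stdin.
count_watchdogs() {
    awk '$8 ~ /psadwatchd$/ { n++ } END { print n + 0 }'
}

# Print PIDs of psadwatchd processes whose parent is itself a psadwatchd,
# i.e. the watchdog-spawned-by-watchdog chain seen in the listing.
nested_watchdogs() {
    awk '$8 ~ /psadwatchd$/ { parent[$2] = $3 }
         END { for (p in parent) if (parent[p] in parent) print p }' | sort -n
}

# Return 0 when exactly one watchdog is present, 1 otherwise.
check_watchdogs() {
    input=$(cat)
    n=$(printf '%s\n' "$input" | count_watchdogs)
    if [ "$n" -eq 1 ]; then
        echo "OK: one psadwatchd"
        return 0
    fi
    echo "WARN: $n psadwatchd processes (expected 1)"
    printf '%s\n' "$input" | nested_watchdogs |
        sed 's/^/  spawned by another watchdog: pid /'
    return 1
}

# Run against the sample; on a live host use: ps -ef | check_watchdogs
sample_ps | check_watchdogs || true
```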
