It's entirely possible you never experienced it on 5.5. I had four or five different servers on RHEL/CentOS 5.5 and only 2 of them exhibited this behavior. These 2 were the busiest OSSEC servers I had, so it could be related to the number of agents and/or alerts. But again, both of these servers have been upgraded to 5.6 and I haven't seen the issue since.

--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Wed, May 4, 2011 at 2:35 PM, dan (ddp) <ddp...@gmail.com> wrote:
> Thanks for the heads up. I think I may have a copy of 5.5. I don't
> remember having an issue like that, but it's been a while.
>
> On Wed, May 4, 2011 at 2:27 PM, Doug Burks <doug.bu...@gmail.com> wrote:
>> I experienced the issue with CentOS 5.5, which may be easier to find
>> than 5.2 or 5.3.
>>
>> Thanks,
>> --
>> Doug Burks, GSE, CISSP
>> President, Greater Augusta ISSA
>> http://augusta.issa.org
>> http://securityonion.blogspot.com
>>
>> On Wed, May 4, 2011 at 2:19 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>> I'm trying to find a CentOS 5.2 or 5.3 ISO right now to see if I can
>>> reproduce this. No luck so far.
>>>
>>> I don't think it's a packet thing, I think one of the components in
>>> ossec-analysisd is interacting poorly with something in CentOS that
>>> was updated (to a version that doesn't have a problem with what's in
>>> OSSEC) between 5.3 and 5.6.
>>> I haven't had time to track down the CentOS changelogs for clues though.
>>>
>>> On Wed, May 4, 2011 at 1:43 PM, Kat <uncommon...@gmail.com> wrote:
>>>> PS - I can packet capture on both ends - what would you want to see???
>>>>
>>>> On May 4, 11:11 am, Kat <uncommon...@gmail.com> wrote:
>>>>> RHEL 5.3
>>>>>
>>>>> Only "special" update is PHP 5.3, which would have nothing to do with
>>>>> OSSEC, but mentioning it.
>>>>>
>>>>> I would be happy to supply some debug info.
>>>>>
>>>>> It was working flawlessly when first installed, then they just started
>>>>> dropping off. Agents are a mixture of AIX 6.1, RHEL 5.3 and Solaris
>>>>> 10
>>>>> The only agents that have never exhibited any problems are the Windoze
>>>>> boxes.
>>>>>
>>>>> -k
>>>>>
>>>>> On May 4, 10:59 am, "dan (ddp)" <ddp...@gmail.com> wrote:
>>>>>
>>>>> > What OS/distro/revision are you using on your manager system?
>>>>> > Daniel Cid has offered to help track it down, but he needs access to a
>>>>> > system showing this issue.
>>>>> > dan
>>>
>>
>