OSSEC version? Platform? Configuration?

On Mon, Jan 9, 2012 at 8:18 AM, Bruno Plantier <bruno.plant...@lyra-network.com> wrote:
> Hello folks.
>
> I'm facing the same problem with ossec-csyslogd daemon.
> Every time I start the process, it crashes after a few minutes.
>
> I've tried to get some gdb traces as asked and here is what I get:
>

I don't know if it will make the backtrace useful, but did you try "set follow-fork-mode child" in gdb before running?

> Starting program: /var/ossec/bin/ossec-csyslogd
> warning: no loadable sections found in added symbol-file system-supplied DSO
> at 0x2aaaaaaab000
> [New process 503]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to process 504]
> 0x000000000040219f in inet_addr ()
>
>
> (gdb) backtrace
> #0 0x000000000040219f in inet_addr ()
> #1 0x00000000004024bd in inet_addr ()
> #2 0x000000000040289f in inet_addr ()
> #3 0x00000031c081d994 in __libc_start_main () from /lib64/libc.so.6
> #4 0x0000000000401d79 in inet_addr ()
> #5 0x00007fffffffea38 in ?? ()
> #6 0x0000000000000000 in ?? ()
>
> The version installed is :
> Thanks,
>
> Regards
> -
> Bruno
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of blacklight
> Sent: Tuesday, June 7, 2011 23:43
> To: ossec-list
> Subject: [ossec-list] Re: Concern about the ossec-csyslogd daemon
>
> If I were to put this daemon under gdb, I am concerned that I could be
> accumulating debugger data for weeks before this daemon crashes again.
> Hopefully, this daemon crash is a once in a blue moon event. On the other
> hand, once in a blue moon events are very hard to troubleshoot. If it's
> indeed a once in a blue moon event, I'll live with that. BTW, I haven't
> found anything in the /var/log/messages that even hints at a crash. And from
> reading the /var/ossec/logs/ossec.log at the time of the crash, you'd think
> that the OSSEC service was the picture of health.
>
> On Jun 7, 2:16 pm, Daniel Cid <daniel....@gmail.com> wrote:
>> It shouldn't segfault even during a package update... If any of you
>> can run it under gdb, it would be awesome :)
>>
>> thanks,
>>
>> On Tue, Jun 7, 2011 at 1:44 PM, Jefferson, Shawn
>> <shawn.jeffer...@bcferries.com> wrote:
>> > I looked back through my logs and here is the alert:
>>
>> > ossec-alerts-06.log:Jun 6 10:12:55 bcfossec kernel: [501421.634671]
>> > ossec-csyslogd[3014]: segfault at 0 ip b7775821 sp bfc4ffbc error 4
>> > in libc-2.11.1.so[b7702000+153000]
>>
>> > To the original poster: what OS are you running your OSSEC server on?
>> > I'm on Ubuntu 10.04.2 LTS. I wonder if the segfault was caused by some
>> > package being updated/upgraded?
>>
>> > -----Original Message-----
>> > From: ossec-list@googlegroups.com
>> > [mailto:ossec-list@googlegroups.com] On Behalf Of Daniel Cid
>> > Sent: Monday, June 06, 2011 6:48 PM
>> > To: ossec-list@googlegroups.com
>> > Subject: Re: [ossec-list] Concern about the ossec-csyslogd daemon
>>
>> > At least OSSEC is reporting it :) And yes, try to run it under gdb
>> > so we can see where it is crashing. Or try the latest snapshot to
>> > see if it works there.
>>
>> > Thanks,
>>
>> > On Mon, Jun 6, 2011 at 6:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >> Please try running it under gdb:
>>
>> >> gdb ossec-csyslogd
>>
>> >> (gdb) set follow-fork-mode child
>> >> (gdb) run
>>
>> >> On Mon, Jun 6, 2011 at 5:50 PM, Jefferson, Shawn
>> >> <shawn.jeffer...@bcferries.com> wrote:
>> >>> Hey, I had the same crash too!
>>
>> >>> -----Original Message-----
>> >>> From: ossec-list@googlegroups.com
>> >>> [mailto:ossec-list@googlegroups.com] On Behalf Of blacklight
>> >>> Sent: Monday, June 06, 2011 2:36 PM
>> >>> To: ossec-list
>> >>> Subject: [ossec-list] Concern about the ossec-csyslogd daemon
>>
>> >>> Hello Folks,
>>
>> >>> I have a concern about the csyslogd daemon:
>>
>> >>> 2011 Jun 04 13:51:03 Rule Id: 151601 level: 7
>> >>> Location: ossec-server->/var/log/messages Grouping of kernel error
>> >>> rules.
>> >>> Jun 4 13:51:02 ossec-server kernel: ossec-csyslogd[21507]:
>> >>> segfault at
>> >>> 0000000000000000 rip 0000003dd8479a30 rsp 00007fff23ba3a88 error 4
>>
>> >>> The ossec-csyslogd daemon crashed over the weekend over a single
>> >>> segfault. I have no idea what caused this segfault. I am worried
>> >>> that this daemon is less than rock solid.
>>
>> >>> Regards,
>