There was no information with the segfault? Did you try running ossec-dbd under gdb? What database are you using? Any errors in ossec.log? Any errors in the DB's log?
On Fri, Mar 23, 2012 at 12:37 PM, Nico Bugash <nicobug...@gmail.com> wrote:
> I have successfully installed the ossec server on Solaris 10 with one
> minor problem: as soon as the ossec server begins to write to the
> database, ossec-dbd crashes.
>
> When I restart the ossec server, all of the daemon processes run
> fine:
> =======================
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
> ossec-dbd is running...
> ======================
> However, as a test, I try to generate an alert and see if it gets
> logged in to the database. But as soon as it tries to write in to the
> database, ossec-dbd stops. Here are the steps that I took to generate
> the alert:
> 1. stop ossec server (ossec-control stop)
> 2. stop the ossec agent. Stopped the agent through Windows services
> 3. start the ossec server (ossec-control start)
> 4. as soon as I see that all the daemon processes are running, I start
> the ossec-agent again through Windows Service. However, as soon as I
> start it, a few seconds after ossec-dbd would just stop running, but
> the ossec server was able to send an alert via email (this is how I
> know that an alert was generated)
>
> I investigated further by running ossec-dbd as a foreground process
> (ossec-dbd -f) and restarted the ossec agent. As expected, as soon as
> the agent starts, ossec-dbd stops and outputs a segmentation fault
> (with no other verbose but a segmentation fault)
>
> Another observation that I found out is that, for some reason,
> ossec-dbd doesn't crash if I generate a level 9 alert, in particular
> Rule: 5302, because when I do a SELECT query on to the alert table, I
> see values being inserted. One thing to note here is that this is the
> only level 9 alert that I was able to generate at the moment. If you
> can suggest or provide a step-by-step procedure on how to generate
> other types of alerts as a test, it would be appreciated.