On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole
<carrie.po...@andesaservices.com> wrote:
> Line 138 in ossec.conf is the active response, which is disabled:
>
>         <!-- Active Response Config -->
>         <active-response>
>                 <disabled>yes</disabled>
>                 <!-- This response is going to execute the host-deny
>                  - command for every event that fires a rule with
>                  - level (severity) >= 6.
>                  - The IP is going to be blocked for 600 seconds.
>                  -->
>                 <command>host-deny</command>
>                 <location>local</location>
>                 <level>6</level>
>                 <timeout>600</timeout>
>         </active-response>
>
>         <active-response>
>                 <disabled>yes</disabled>
>                 <!-- Firewall Drop response. Block the IP for
>                  - 600 seconds on the firewall (iptables,
>                  - ipfilter, etc).
>                  -->
>                 <command>firewall-drop</command>
>                 <location>local</location>
>                 <level>6</level>
>                 <timeout>600</timeout>
>         </active-response>
>

So it looks like line 138 in ossec-control should be something like:
 for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of
them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can’t reach the server, but this
> wasn’t the case last week. The ossec server log doesn’t say anything, it
> acts as if the agents aren’t even there. It does syscheck but no longer sees
> the agents.

Check the system logs, Linux usually logs segfaults. You could also
see which daemons are running after the segfault. If no traffic is
passing between the agents and the server, ossec-agentd may have
crashed. But real troubleshooting can't really happen until the basics
are taken care of, namely finding out which daemon is crashing.

> ~ Carrie
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 4:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> On Dec 17, 2012 4:37 PM, "Carrie Poole" <carrie.po...@andesaservices.com>
> wrote:
>>
>> I’m getting segmentation faults across all of my agents when restarting.
>> Nothing is showing connected anymore.
>>
>> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault
>> ${DIR}/bin/${i}
>>
>
> What's line 138 in ossec-control?
> Anything in the ossec.log for the failing agent?
>
>> Line 138 in ossec.conf is the active response, which is disabled.
>>
>> I have checked the ossec.conf and agent.conf for any mistakes and haven’t
>> found any. This was an issue on only a few agents last week, and now it is
>> happening across all agents after the 2.6 upgrade. All agents are showing
>> not connected. None of the configuration files have changed.
>>
>> Any help would be appreciated!
>>
>> OSSEC v2.6, RedHat Linux (server and agents, with 5 Windows agents)
>>
>> Carrie P
>>
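The check dan describes above (find which daemon in the ossec-control start loop is the one segfaulting), as an added example that is not part of the thread or of OSSEC's own scripts; the install directory and the ossec-fake-* daemon names are constructed stand-ins, so on a real host you would pass /var/ossec and the SDAEMONS list instead:

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC: replay the
# ossec-control start loop (for i in ${SDAEMONS}; do ${DIR}/bin/${i}; done)
# one daemon at a time so the crashing binary is named, instead of only
# "line 138: ... Segmentation fault". The install dir and daemon names are
# assumptions; on a real host pass /var/ossec and the SDAEMONS list.

# Start one daemon and classify its exit status as "ok", "signal N" or
# "exit N". The shell reports a fatal signal as 128 + signal number,
# and 11 is SIGSEGV, which is what the thread's "Segmentation fault" is.
start_one() {
    if "$1/bin/$2"; then status=0; else status=$?; fi
    if [ "$status" -eq 0 ]; then echo "ok"
    elif [ "$status" -gt 128 ]; then echo "signal $((status - 128))"
    else echo "exit $status"; fi
}

# Walk the daemon list the way ossec-control does, stop at the first one
# that dies with SIGSEGV and print its name ("none" if every daemon starts).
find_crashing_daemon() {
    dir="$1"; shift
    for i in "$@"; do
        case "$(start_one "$dir" "$i")" in
            "signal 11") echo "$i"; return 0 ;;
        esac
    done
    echo "none"
}

# Constructed stand-in install (hypothetical daemon names): two "daemons"
# that start cleanly and one that kills itself with SIGSEGV.
make_fake_install() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for name in ossec-fake-a ossec-fake-c; do
        printf '#!/bin/sh\nexit 0\n' > "$d/bin/$name"
    done
    printf '#!/bin/sh\nkill -11 $$\n' > "$d/bin/ossec-fake-b"
    chmod +x "$d/bin"/ossec-fake-*
    echo "$d"
}

FAKE=$(make_fake_install)
find_crashing_daemon "$FAKE" ossec-fake-a ossec-fake-b ossec-fake-c   # prints ossec-fake-b
rm -rf "$FAKE"
```

Once the culprit is named, the kernel's own segfault line in the system log (dmesg or /var/log/messages) for that binary is the next thing to read, as dan suggests.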
