The segfaults in /var/log/messages are:
Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4

~ Carrie

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:06 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault

On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole
<carrie.po...@andesaservices.com> wrote:
> Line 138 in ossec.conf is the active response, which is disabled:
>
>         <!-- Active Response Config -->
>         <active-response>
>                 <disabled>yes</disabled>
>                 <!-- This response is going to execute the host-deny
>                  - command for every event that fires a rule with
>                  - level (severity) >= 6.
>                  - The IP is going to be blocked for 600 seconds.
>                  -->
>                 <command>host-deny</command>
>                 <location>local</location>
>                 <level>6</level>
>                 <timeout>600</timeout>
>         </active-response>
>
>         <active-response>
>                 <disabled>yes</disabled>
>                 <!-- Firewall Drop response. Block the IP for
>                  - 600 seconds on the firewall (iptables,
>                  - ipfilter, etc).
>                  -->
>                 <command>firewall-drop</command>
>                 <location>local</location>
>                 <level>6</level>
>                 <timeout>600</timeout>
>         </active-response>
>

So it looks like line 138 in ossec-control should be something like:
 for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of
them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can't reach the server,
> but this wasn't the case last week. The ossec server log doesn't say
> anything, it acts as if the agents aren't even there. It does syscheck
> but no longer sees the agents.
>

Check the system logs, Linux usually logs segfaults. You could also see
which daemons are running after the segfault. If no traffic is passing
between the agents and the server, ossec-agentd may have crashed. But
real troubleshooting can't really happen until the basics are taken care
of, namely finding out which daemon is crashing.

>
> ~ Carrie
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 4:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> On Dec 17, 2012 4:37 PM, "Carrie Poole" <carrie.po...@andesaservices.com>
> wrote:
>>
>> I'm getting segmentation faults across all of my agents when restarting.
>> Nothing is showing connected anymore.
>>
>> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}
>>
>
> What's line 138 in ossec-control?
> Anything in the ossec.log for the failing agent?
>
>>
>> Line 138 in ossec.conf is the active response, which is disabled.
>>
>> I have checked the ossec.conf and agent.conf for any mistakes and
>> haven't found any. This was an issue on only a few agents last week,
>> and now it is happening across all agents after the 2.6 upgrade. All
>> agents are showing not connected. None of the configuration files
>> have changed.
>>
>> Any help would be appreciated!
>>
>> Ossec V 2.6   RedHat Linux (server and agents with 5 windows agents)
>>
>> Carrie P
>>
CONFIDENTIALITY NOTICE: This e-mail is confidential and intended
solely for the use of the individual or entity to which it is addressed.  If
you are not the intended recipient, be advised that you have received 
this email in error and that any use, dissemination, forwarding, printing 
or copying of this e-mail is strictly prohibited. If you received this e-mail
in error, please delete it from your computer and contact the sender.
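
An added example, not part of the original messages or of OSSEC: a small Python parser for the step discussed in the thread, finding which daemon is crashing from the kernel's segfault lines. The sample input is the two log lines quoted at the top of this message, and the names `SEGV`, `decode_error` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two kernel lines quoted in the message, unwrapped.
SAMPLE = """\
Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
"""

# Older x86-64 kernels log "rip"/"rsp"; newer ones log "ip"/"sp". Accept both.
SEGV = re.compile(
    r"kernel: (?:\[[\s\d.]+\] )?(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+)"
)

def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not mapped",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def summarize(log_text):
    """Group segfaults by (daemon, instruction pointer) so repeats stand out."""
    groups = defaultdict(lambda: {"pids": [], "addrs": set(), "error": None})
    for line in log_text.splitlines():
        m = SEGV.search(line)
        if not m:
            continue  # not a kernel segfault record
        g = groups[(m["proc"], int(m["ip"], 16))]
        g["pids"].append(int(m["pid"]))
        g["addrs"].add(int(m["addr"], 16))
        g["error"] = decode_error(int(m["err"], 16))  # kernel prints it in hex
    return dict(groups)

if __name__ == "__main__":
    for (proc, ip), g in summarize(SAMPLE).items():
        addrs = ", ".join(hex(a) for a in sorted(g["addrs"]))
        print(f"{proc}: {len(g['pids'])} crash(es) at ip {ip:#x}, "
              f"fault address {addrs}, {g['error']}")
```

On the sample, both crashes group under ossec-remoted at the same instruction pointer, with a user-mode read of the unmapped address 0x2d1.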
