csyslogd crashed when trying to read alerts.log file, at the line starting 
with '** Alert'. 
For example, 
** Alert 1368839704.12015: - pam,syslog,authentication_success,

It was trying to allocate memory for the alertid (e.g., 1368839704.12015) 
but failed to do so. 

If you can identify the alerts.log file lines when this happened, it may be 
useful.
Also, which XML tag was causing it? 

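The crash above is in the code that sizes a heap allocation from the alert id on the `** Alert` line. As an added example (not OSSEC code), here is a defensive parser for that header line that works in fixed-size buffers and rejects malformed or oversized fields instead of allocating from a length derived by pointer arithmetic; the buffer sizes and the `alert_hdr` struct are assumptions, not OSSEC's own types.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not OSSEC code: parse an alerts.log header such as
 *   "** Alert 1368839704.12015: - pam,syslog,authentication_success,"
 * into fixed-size buffers, rejecting anything that does not match the
 * expected layout before any copy happens. Sizes are assumptions. */
#define ALERT_ID_MAX  32
#define ALERT_GRP_MAX 256

typedef struct {
    char id[ALERT_ID_MAX];      /* e.g. "1368839704.12015" */
    int  mail;                  /* 1 if the "mail" flag is present */
    char groups[ALERT_GRP_MAX]; /* e.g. "pam,syslog,authentication_success," */
} alert_hdr;

/* Returns 0 and fills *out on success, -1 if the line is not a
 * well-formed "** Alert" header. Never writes past the fixed buffers. */
int parse_alert_header(const char *line, alert_hdr *out)
{
    static const char prefix[] = "** Alert ";
    const char *p, *colon;
    size_t idlen, glen, i;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return -1;
    p = line + sizeof(prefix) - 1;
    colon = strchr(p, ':');
    if (colon == NULL) return -1;
    idlen = (size_t)(colon - p);
    /* Empty or too long: reject instead of truncating or overflowing. */
    if (idlen == 0 || idlen >= ALERT_ID_MAX) return -1;
    for (i = 0; i < idlen; i++)
        if (!isdigit((unsigned char)p[i]) && p[i] != '.') return -1;
    memcpy(out->id, p, idlen);
    out->id[idlen] = '\0';
    p = colon + 1;
    while (*p == ' ') p++;
    out->mail = 0;
    if (strncmp(p, "mail", 4) == 0) { out->mail = 1; p += 4; }
    while (*p == ' ') p++;
    if (*p != '-') return -1;          /* flag field must end with "- " */
    p++;
    while (*p == ' ') p++;
    glen = strcspn(p, "\r\n");         /* group list runs to end of line */
    if (glen >= ALERT_GRP_MAX) return -1;
    memcpy(out->groups, p, glen);
    out->groups[glen] = '\0';
    return 0;
}
```

A reader loop would call this only on lines that begin with `** Alert` and skip to the next record when it returns -1, so a malformed header is logged and dropped rather than fed to `malloc()`.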

On Saturday, May 11, 2013 8:32:55 AM UTC-7, Xme wrote:
>
> Hi Jb,
>
> FYI, I'm working on a patch for OSSEC and it makes my csyslogd crash 
> too! 
> It coredumps here:
>
> (gdb) bt
> #0  0x0025af40 in ?? () from /lib/tls/i686/cmov/libc.so.6
> #1  0x0025cd4c in malloc () from /lib/tls/i686/cmov/libc.so.6
> #2  0x0805a5e8 in GetAlertData (flag=0, fp=0x80791d0) at read-alert.c:246
> #3  0x08058843 in Read_FileMon (fileq=0x807ddd8, p=0x3486a0, timeout=5) at 
> file-queue.c:225
> #4  0x0804abab in OS_CSyslogD (syslog_config=0x807dfb0) at csyslogd.c:91
> #5  0x0804b4f7 in main (argc=3, argv=0xbffff854) at main.c:185
>
> My patch uses a new XML directive in ossec.conf (global). When I disable 
> the new XML tag, csyslogd works like a charm
> (version 2.7)
>
> Note: Branch is 2.7 stable and csyslogd code was NOT patched!
>
> On Thursday, April 18, 2013 2:28:40 AM UTC+2, Jb Cheng wrote:
>>
>> Dominique,
>>
>> Could you try the 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 and 
>> see if the issue is still there? 
>>
>> On Tuesday, April 9, 2013 12:00:23 PM UTC-7, Dominique Derrier wrote:
>>>
>>> Hi all,
>>> On a fresh install I've got:
>>>
>>> ./ossec-csyslogd -D /var/ossec -f
>>> 2013/04/09 14:57:07 ossec-csyslogd: INFO: Started (pid: 17899).
>>> *** glibc detected *** ./ossec-csyslogd: malloc(): memory corruption: 
>>> 0x08798990 ***
>>> Aborted
>>>
>>> But no trouble with: -d flag
>>> ./ossec-csyslogd -D /var/ossec -f -d
>>>
>>> Regards,
>>> Dominique
>>>
>>> On Monday, February 18, 2013 08:07:45 UTC-5, Uldis Biks wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> I'm trying to enable log forwarding from the ossec server to syslog by 
>>>> enabling the client-syslog option from the ossec-control script. Running 
>>>> ossec-control start shows that ossec-csyslogd is started, but after that 
>>>> running ossec-control status shows ossec-csyslogd has died. When debug is 
>>>> enabled everything works as it should and syslog receives messages. Ossec 
>>>> server 2.7, OS RHEL5.9 i386, selinux disabled. 
>>>> Any idea anyone where the problem could be?
>>>>
>>>> [root@~ bin]# ./ossec-control enable client-syslog
>>>> [root@~ bin]# ./ossec-control restart
>>>> Killing ossec-monitord ..
>>>> Killing ossec-logcollector ..
>>>> Killing ossec-remoted ..
>>>> Killing ossec-syscheckd ..
>>>> Killing ossec-analysisd ..
>>>> ossec-maild not running ..
>>>> ossec-execd not running ..
>>>> ossec-csyslogd not running ..
>>>> OSSEC HIDS v2.7 Stopped
>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>> Started ossec-csyslogd...
>>>> 2013/02/18 14:14:25 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
>>>> Started ossec-maild...
>>>> Started ossec-execd...
>>>> Started ossec-analysisd...
>>>> Started ossec-logcollector...
>>>> Started ossec-remoted...
>>>> Started ossec-syscheckd...
>>>> Started ossec-monitord...
>>>> Completed.
>>>> [root@~ bin]# ./ossec-control status
>>>> ossec-monitord is running...
>>>> ossec-logcollector is running...
>>>> ossec-remoted is running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild not running...
>>>> ossec-execd not running...
>>>> ossec-csyslogd: Process 6678 not used by ossec, removing ..
>>>> ossec-csyslogd not running...
>>>>
>>>> ossec.log contains only one record about ossec-csyslogd, otherwise it's 
>>>> clean.
>>>> 2013/02/18 14:14:25 ossec-csyslogd: INFO: Started (pid: 6678).
>>>>
>>>> [root@~ bin]# ./ossec-control enable debug
>>>> [root@~ bin]# ./ossec-control restart
>>>> Killing ossec-monitord ..
>>>> Killing ossec-logcollector ..
>>>> Killing ossec-remoted ..
>>>> Killing ossec-syscheckd ..
>>>> Killing ossec-analysisd ..
>>>> ossec-maild not running ..
>>>> ossec-execd not running ..
>>>> ossec-csyslogd not running ..
>>>> OSSEC HIDS v2.7 Stopped
>>>> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>> Started ossec-csyslogd...
>>>> 2013/02/18 14:15:41 ossec-maild: DEBUG: Starting ...
>>>> 2013/02/18 14:15:41 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
>>>> Started ossec-maild...
>>>> Started ossec-execd...
>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Starting ...
>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Found user/group ...
>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Active response initialized ...
>>>> 2013/02/18 14:15:41 adding rule: ...... [adding all rules]
>>>> 2013/02/18 14:15:41 ossec-analysisd: DEBUG: Read configuration ...
>>>> Started ossec-analysisd...
>>>> 2013/02/18 14:15:41 ossec-logcollector: DEBUG: Starting ...
>>>> Started ossec-logcollector...
>>>> 2013/02/18 14:15:41 ossec-remoted: DEBUG: Starting ...
>>>> Started ossec-remoted...
>>>> 2013/02/18 14:15:41 ossec-rootcheck: DEBUG: Starting ...
>>>> 2013/02/18 14:15:41 ossec-rootcheck: Starting queue ...
>>>> 2013/02/18 14:15:42 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '110592'.
>>>> Started ossec-syscheckd...
>>>> 2013/02/18 14:15:42 ossec-monitord: DEBUG: Starting ...
>>>> Started ossec-monitord...
>>>> Completed.
>>>> [root@~ bin]# ./ossec-control status
>>>> ossec-monitord is running...
>>>> ossec-logcollector is running...
>>>> ossec-remoted is running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild not running...
>>>> ossec-execd not running...
>>>> ossec-csyslogd is running...
>>>>
>>>> ossec.log shows a bit more info now:
>>>> 2013/02/18 14:15:41 ossec-csyslogd: DEBUG: Starting ...
>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Chrooted to directory: /usr2/ossec, using user: ossecm
>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Started (pid: 6883).
>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: File queue connected.
>>>> 2013/02/18 14:15:41 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '[syslog servr ip]:514'.
>>>>
>>>> After disabling debug, the process dies again on a status query.
>>>>
>>>
