On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <da...@darins.net> wrote:
>
>
> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <astro...@gmail.com>
>> wrote:
>> > We actually are running 2.7.1. And since I am new to ossec I did not
>> > create any specific remoted configuration. I just used all the defaults.
>> >
>>
>> And that configuration would be what exactly? (help me out so I don't
>> have to do a fresh install just to see the final configuration)
>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>
>>
>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>> logs (possibly in /var/ossec/logs/ossec.log)?
>
>
> Here's the logs with debug turned on, doesn't tell us much.
>
> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>
>
>>
>> Does it crash immediately?
>
>
> Yes, it crashes immediately on startup.
>
>>
>> Is udp port 1514 currently occupied?
>
>
> It is not being used.
>
>>
>> Can you run it under gdb?
>> gdb /var/ossec/bin/ossec-remoted
>> set follow-fork-mode child
>> run -d
>> CRASH
>> bt
>>
>
> gdb /var/ossec/bin/ossec-remoted
> Reading symbols from /var/ossec/bin/ossec-remoted...done.
> (gdb) set follow-fork-mode child
> (gdb) run -d
> Starting program: /var/ossec/bin/ossec-remoted -d
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
> [New process 4494]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New process 4495]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New process 4496]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> [New Thread 0x7ffff6fd8700 (LWP 4497)]
> [New Thread 0x7ffff67d7700 (LWP 4498)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
> 89      msgs.c: No such file or directory.
>
>
> Interesting, if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
> will start, and I'm not sure why that is yet.

Any thoughts on what's going on with remoted?

>>
>> > On Friday, November 22, 2013 2:58:07 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Nov 22, 2013 at 2:47 PM, Andrew Strozyk <astro...@gmail.com>
>> >> wrote:
>> >> > Hi,
>> >> >
>> >> > I am running into some problems with ossec. I am testing out some HIDS
>> >> > pilots at my work as we are in need of one for our systems. I am very
>> >> > interested in using ossec but I have been having problems connecting the
>> >> > agents to the server. I checked on the server in /var/log/messages and
>> >> > this is the output I get:
>> >> >
>> >> > [3886011.217396] ossec-remoted[20994]: segfault at 61 ip 0000000000420002 sp 00007fff6b9e5ca0 error 4 in ossec-remoted[400000+4b000]
>> >> >
>> >> > The remoted service keeps crashing. I restart it manually using
>> >> > /var/ossec/bin/ossec-control restart and then the above error shows up.
>> >> > We currently use openSUSE-12.3 on all our systems.
>> >> >
>> >>
>> >> Try 2.7.1. Also, please provide your remoted configuration.
>> >>
>> >> > Just for more information, the agent is sending this error back as
>> >> > well:
>> >> >
>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Trying to connect to server (10.100.90.58:1514).
>> >> > 2013/11/22 14:44:28 ossec-agentd: INFO: Using IPv4 for: 10.100.90.58 .
>> >> > 2013/11/22 14:44:38 ossec-agentd(1218): ERROR: Unable to send message to server.
>> >> > 2013/11/22 14:44:50 ossec-agentd(1218): ERROR: Unable to send message to server.
>> >> > 2013/11/22 14:44:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.100.90.58'.
>> >> >
>> >> > 10.100.90.58 is the server's correct ip address.
>> >> >
>> >> > Appreciate any insight on this. Thanks!
>> >> >
>> >> > --
>> >> >
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

