On Tue, Nov 26, 2013 at 10:51 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Nov 26, 2013 at 10:39 AM, Darin Perusich <da...@darins.net> wrote:
>> On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich <da...@darins.net> wrote:
>>>> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich <da...@darins.net> wrote:
>>>>>>
>>>>>>
>>>>>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>
>>>>>>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk <astro...@gmail.com>
>>>>>>> wrote:
>>>>>>> > We actually are running 2.7.1. And since i am new to ossec i did not
>>>>>>> > create
>>>>>>> > any specific remoted configuration. I just used all the defaults.
>>>>>>> >
>>>>>>>
>>>>>>> And that configuration would be what exactly? (help me out so I don't
>>>>>>> have to do a fresh install just to see the final configuration)
>>>>>>
>>>>>>
>>>>>>   <remote>
>>>>>>     <connection>secure</connection>
>>>>>>   </remote>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> If you run `/var/ossec/bin/ossec-remoted -d` are there any more useful
>>>>>>> logs (possibly in /var/ossec/logs/ossec.log)?
>>>>>>
>>>>>>
>>>>>> Here's the logs with debug turned on, doesn't tell us much.
>>>>>>
>>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Starting ...
>>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4314).
>>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Forking remoted: '0'.
>>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: Started (pid: 4315).
>>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: Running manager_init
>>>>>> 2013/11/25 10:58:36 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>>>> 2013/11/25 10:58:36 ossec-remoted(4111): INFO: Maximum number of agents
>>>>>> allowed: '256'.
>>>>>> 2013/11/25 10:58:36 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>>>> 2013/11/25 10:58:36 ossec-remoted: DEBUG: OS_StartCounter.
>>>>>> 2013/11/25 10:58:36 ossec-remoted: OS_StartCounter: keysize: 1
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Does it crash immediately?
>>>>>>
>>>>>>
>>>>>> Yes, it crashes immediately on startup.
>>>>>>
>>>>>>>
>>>>>>> Is udp port 1514 currently occupied?
>>>>>>
>>>>>>
>>>>>> It is not being used.
>>>>>>
>>>>>>>
>>>>>>> Can you run it under gdb?
>>>>>>> gdb /var/ossec/bin/ossec-remoted
>>>>>>> set follow-fork-mode child
>>>>>>> run -d
>>>>>>> CRASH
>>>>>>> bt
>>>>>>>
>>>>>>
>>>>>> gdb /var/ossec/bin/ossec-remoted
>>>>>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>>>>>> (gdb) set follow-fork-mode child
>>>>>> (gdb) run -d
>>>>>> Starting program: /var/ossec/bin/ossec-remoted -d
>>>>>> [Thread debugging using libthread_db enabled]
>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>>> 2013/11/25 11:02:34 ossec-remoted: DEBUG: Starting ...
>>>>>> [New process 4494]
>>>>>> [Thread debugging using libthread_db enabled]
>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>>> [New process 4495]
>>>>>> [Thread debugging using libthread_db enabled]
>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>>> [New process 4496]
>>>>>> [Thread debugging using libthread_db enabled]
>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1".
>>>>>> [New Thread 0x7ffff6fd8700 (LWP 4497)]
>>>>>> [New Thread 0x7ffff67d7700 (LWP 4498)]
>>>>>>
>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>> [Switching to Thread 0x7ffff7fdf700 (LWP 4496)]
>>>>>> 0x0000000000420002 in OS_StartCounter (keys=0x64b5a0 <keys>) at msgs.c:89
>>>>>> 89      msgs.c: No such file or directory.
>>>>>>
>>>>>
>>>>> How many agents do you have? What limits are you setting on file 
>>>>> descriptors?
>>>>
>>>> One agent.
>>>>
>>>> Here are the limits, nofile defaults to 1024 but I've increased it to 8196.
>>>>
>>>> ulimit -a
>>>> core file size          (blocks, -c) 0
>>>> data seg size           (kbytes, -d) unlimited
>>>> scheduling priority             (-e) 0
>>>> file size               (blocks, -f) unlimited
>>>> pending signals                 (-i) 47683
>>>> max locked memory       (kbytes, -l) 64
>>>> max memory size         (kbytes, -m) unlimited
>>>> open files                      (-n) 8196
>>>> pipe size            (512 bytes, -p) 8
>>>> POSIX message queues     (bytes, -q) 819200
>>>> real-time priority              (-r) 0
>>>> stack size              (kbytes, -s) 8192
>>>> cpu time               (seconds, -t) unlimited
>>>> max user processes              (-u) 47683
>>>> virtual memory          (kbytes, -v) unlimited
>>>> file locks                      (-x) unlimited
>>>>
>>>>
>>>>>>
>>>>>> Interesting: if I run "strace -f /var/ossec/bin/ossec-remoted" the daemon
>>>>>> will start, and I'm not sure why that is yet.
>>>>>>
>>>
>>> Has the strace provided any clues?
>>>
>>> I'm not familiar with this distro, could selinux or apparmor be
>>> crashing remoted?
>>>
>>
>> Neither selinux nor apparmor is enabled or running. The strace isn't
>> telling me much, other than when I tell it to chase forks the forks
>> are running as root and not ossecr.
>>
>> One thing I'm doing differently is I'm not building w/the provided
>> zlib but using what's included in the distro, version 1.2.7. I'm doing
>> this so it can eventually be included in the distro.
>>
>
> Try it with the correct zlib to see if that fixes things.

This "fixed" remoted. What's so special about this included zlib,
other than being 8.5 years old and getting ever more unmaintained? I
haven't had a chance to diff it against upstream yet.

--
Later,
Darin
