You can poke through client.keys file by hand. Finding odd entries may
be easy, depending on what's wrong with them.
I'd also take a look at the ossec user's limits. Some systems limit
the numb er of open files and things.
Other than that, I've got no ideas. Adding logging messages in the
code to see what it's choking on.
On Tue, Mar 27, 2012 at 7:22 PM, MDACC-Luckie luckief...@gmail.com wrote:
Not long by max length standards 15 characters or so. Are there
any other of those type of things I could check data corruption
somewhere that I might need to look for that isnt obvious to me. I
dont think it is with ossec-maild but something with the extra 60 or
so agent keys I generated that might be causing some type of issue.
The reason I ask is that used list_agents and saw a device name as
being an agent but when I looked for it in a manage_agents listed of
keys, it wasnt there. Some type of consistency check that can be run
that looks for possible issues?
On Mar 27, 3:58 pm, dan (ddp) ddp...@gmail.com wrote:
Kind of off the wall: Do you have very long agent names?
On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie luckief...@gmail.com wrote:
Our config is pretty standard with respect to the ossec.conf. The
only non-standard thing we have is that we are usiing port 9025 for
SMTP on the mail server we are using rather than 25. We have that
changed in the sendmail.c file that is used when everything is
compiled:
OSSEC.CONF
global
email_notificationyes/email_notification
email_toos...@xx.xxx/email_to
smtp_serverdcprpafszenoss2.xx.xxx/smtp_server
email_fromoss...@xx.xxx/email_from
email_maxperhour1000/email_maxperhour
/global
SENDMAIL.C
/* Default values use to connect */
#define SMTP_DEFAULT_PORT 9025
#define HELOMSG Helo notify.ossec.net\r\n
#define MAILFROM Mail From: %s\r\n
#define RCPTTO Rcpt To: %s\r\n
#define DATAMSG DATA\r\n
#define FROM From: OSSEC HIDS %s\r\n
#define TO To: %s\r\n
#define CC Cc: %s\r\n
#define SUBJECT Subject: %s\r\n
#define ENDDATA \r\n.\r\n
#define QUITMSG QUIT\r\n
It was working prior to the increase of the number of agents supported
and the recompile. I ran a tcpdump on the manager and don't see the
manager even attempting to try to connect to the SMTP host on port
9025, only using the agent/manager connection between the two boxes.
On Mar 27, 3:36 pm, dan (ddp) ddp...@gmail.com wrote:
What's your mail configuration in the manager's ossec.conf?
I wish ossec was compiled with -ggdb by default. It might make the gdb
information a bit easier to follow.
On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie luckief...@gmail.com
wrote:
I increased the number of agents my installation was capable of
supporting, reinstalled and then copied my saved ossec.conf file and
internal_options.conf into the ossec/etc directory and restarted
ossec. My ossec-maild daemon starts, runs for a few seconds and then
dies.
I ran the following based on a previous email thread I saw and have
attached the results. Please let me know if anyone has ideas on why
it is happening:
[root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/
gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show
copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /opt/ossec/bin/ossec-maild...done.
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /opt/ossec/bin/ossec-maild
[New process 2615]
[New process 2616]
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 2616]
0x00387c879b60 in strlen () from /lib64/libc.so.6
(gdb) bt
#0 0x00387c879b60 in strlen () from /lib64/libc.so.6
#1 0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
#2 0x00387c8699da in vsnprintf () from /lib64/libc.so.6
#3 0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
#4 0x00402d66 in OS_RecvMailQ (fileq=0x635640,
p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0)
at os_maild_client.c:96
#5 0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
#6 0x004023d0 in main (argc=1, argv=0x7fffe9f8) at
maild.c:171
(gdb)- Hide quoted text -
- Show quoted text -- Hide quoted text -
- Show quoted text -