After updating to version 2.7 beta2, ossec-syscheckd on my servers crashed with a core dump. I tried to debug it, but got no results:

$ gdb ./ossec-syscheckd ./ossec-syscheckd-1350312099-6121.core
GNU gdb (GDB) CentOS (7.0.1-42.el5.centos.1)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/opokhvalit/ossec-syscheckd...done.
[New Thread 6121]
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff13db0000
Core was generated by `/var/ossec/bin/ossec-syscheckd'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000417868 in is_file (file_name=0x7f4430 "\240}\204") at common.c:676
warning: Source file is more recent than executable.
676 if( (stat(file_name, &statbuf) < 0) &&
(gdb) print file_name
$1 = 0x7f4430 "\240}\204"
(gdb) frame 1
#1 0x0000000000416b58 in _is_str_in_array (ar=0x0, str=0x7fff13c23730 "") at common.c:33
33 ar++;

Latest records in the ossec logs:

2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/10/15 10:15:49 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2012/10/15 10:40:45 ossec-syscheckd: INFO: Real time file monitoring started.
2012/10/15 10:40:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/10/15 10:40:59 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2012/10/15 10:41:39 ossec-rootcheck: INFO: Starting rootcheck scan.

It looks like syscheckd crashes at the beginning of rootcheck.