ossec-syscheckd crashed using agent centralized configuration


carlopmart

Feb 24, 2011, 11:28:46 AM
to ossec...@googlegroups.com
Hi all,

As I explained in another email, I need to set up agent centralized configuration
for my OSSEC client. With one OSSEC client that I had previously installed without
configuring this feature the first time, everything works OK, but with a newly
installed OSSEC client, ossec-syscheckd crashes.

Error:

Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
ossec-agentd already running...
ossec-logcollector already running...
2011/02/24 17:14:40 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec/bin/ossec-control: line 138: 11552 Segmentation fault ${DIR}/bin/${i}

ossec.conf for this new agent is:

<ossec_config>
  <client>
    <server-ip>172.17.47.27</server-ip>
    <server-ip>172.17.47.28</server-ip>
    <port>55111</port>
  </client>

  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>

The same config file as on another client that works. On the server side:

[root@ossecsrv02 ~]# /opt/ossec/bin/agent_control -i 002

OSSEC HIDS agent_control. Agent information:
Agent ID: 002
Agent Name: rhelclunode01
IP address: 172.25.50.14
Status: Active

Operating system: Linux imladris.hpulabs.org 2.6.32-71.14.1.el6.x86_64..
Client version: OSSEC HIDS v2.5.1 / fe733799af75bad0d08c5e031be22c77
Last keep alive: Thu Feb 24 17:11:33 2011

Syscheck last started at: Unknown
Rootcheck last started at: Unknown

That seems correct, as the md5sum command shows:

[root@ossecsrv02 ~]# md5sum /opt/ossec/etc/shared/agent.conf
fe733799af75bad0d08c5e031be22c77 /opt/ossec/etc/shared/agent.conf

And last, ossec.log from the client:

2011/02/24 17:11:17 ossec-logcollector: INFO: Started (pid: 8043).
2011/02/24 17:11:32 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2011/02/24 17:11:33 ossec-agentd(4102): INFO: Connected to the server (172.17.47.27:55111).
2011/02/24 17:14:40 ossec-execd(1350): INFO: Active response disabled. Exiting.
2011/02/24 17:14:40 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com

carlopmart

Feb 24, 2011, 12:32:13 PM
to ossec...@googlegroups.com
On 02/24/2011 05:54 PM, carlopmart wrote:
> Sorry, on the other node it fails too ... I think the problem may be agent.conf when
> using this type of configuration: <agent_config name="agent01|agent02">
>
> I will try to make a separate configuration ...

Confirmed. The problem is the agent_config param in agent.conf. I have changed it to
<agent_config name="agent01"> and <agent_config name="agent02"> and everything works OK.

Daniel, can you change this in the manual:
http://www.ossec.net/doc/manual/agent/agent-configuration.html? At least in version
2.5.1 it doesn't work.
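
The workaround described in this post (one agent_config block per agent name instead of a pipe-separated name list) can be applied mechanically to a shared agent.conf. The script below is an added example, not code from the thread or from the OSSEC project; the function name and the sample agent.conf contents are constructed for illustration.

```python
import re

# One <agent_config ...> ... </agent_config> block; agent.conf holds several
# of these at top level, so the file is handled as text, not as one XML tree.
BLOCK_RE = re.compile(r'<agent_config\b([^>]*)>(.*?)</agent_config>', re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"')

def split_agent_config(text):
    """Return (new_text, split_names). Every <agent_config name="a|b"> block is
    replaced by one block per name; other attributes and the body are copied verbatim."""
    split_names = []

    def expand(match):
        attrs, body = match.group(1), match.group(2)
        name = NAME_RE.search(attrs)
        if not name or "|" not in name.group(1):
            return match.group(0)  # single names and os=/profile= blocks stay as-is
        names = [n.strip() for n in name.group(1).split("|") if n.strip()]
        split_names.append(names)
        blocks = []
        for n in names:
            new_attrs = attrs[:name.start(1)] + n + attrs[name.end(1):]
            blocks.append(f"<agent_config{new_attrs}>{body}</agent_config>")
        return "\n\n".join(blocks)

    return BLOCK_RE.sub(expand, text), split_names

# Constructed sample agent.conf (not taken from the thread).
SAMPLE = """<agent_config name="agent01|agent02">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</agent_config>

<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""

if __name__ == "__main__":
    new_text, changed = split_agent_config(SAMPLE)
    print(f"split {len(changed)} block(s): {changed}")
    print(new_text)
```
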

carlopmart

Feb 24, 2011, 11:54:02 AM
to ossec...@googlegroups.com
On 02/24/2011 05:28 PM, carlopmart wrote:

Sorry, on the other node it fails too ... I think the problem may be agent.conf when
using this type of configuration: <agent_config name="agent01|agent02">

I will try to make a separate configuration ...
