segmentation fault

Carrie Poole

unread,

Dec 17, 2012, 4:34:12 PM12/17/12

to ossec...@googlegroups.com

I’m getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.

/var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

Line 138 in ossec.conf is the active response, which is disabled.

I have checked the ossec.conf and agent.conf for any mistakes and haven’t found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2,6 upgrade. All agents are showing not connected. None of the configuration files have changed.

Any help would be appreciated!

Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)

Carrie P

CONFIDENTIALITY NOTICE: This e-mail is confidential and intended
solely for the use of the individual or entity to which it is addressed. If
you are not the intended recipient, be advised that you have received
this email in error and that any use, dissemination, forwarding, printing
or copying of this e-mail is strictly prohibited. If you received this e-mail
in error, please delete it from your computer and contact the sender.

dan (ddp)

unread,

Dec 17, 2012, 4:41:28 PM12/17/12

to ossec...@googlegroups.com

On Dec 17, 2012 4:37 PM, "Carrie Poole" <carrie...@andesaservices.com> wrote:
>
> I’m getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.
>
>
>
>
>
> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}
>
>

What's line 138 in ossec-control?
Anything in the ossec.log for the failing agent?

Carrie Poole

unread,

Dec 17, 2012, 7:17:37 PM12/17/12

to ossec...@googlegroups.com

Line 138 in ossec.conf is the active response, which is disabled:

<active-response>

<!-- This response is going to execute the host-deny

- command for every event that fires a rule with

- level (severity) >= 6.

- The IP is going to be blocked for 600 seconds.

-->

<location>local</location>

</active-response>

<active-response>

<!-- Firewall Drop response. Block the IP for

- 600 seconds on the firewall (iptables,

- ipfilter, etc).

-->

<command>firewall-drop</command>

<location>local</location>

</active-response>

All of the ossec logs on the agent say they can’t reach the server, but this wasn’t the case last week. The ossec server log doesn’t say anything, it acts as if the agents aren’t even there. It does syscheck but no longer sees the agents.

~ Carrie

dan (ddp)

unread,

Dec 17, 2012, 10:06:15 PM12/17/12

to ossec...@googlegroups.com

So it looks like line 138 in ossec-control should be something like:
for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of
them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can’t reach the server, but this
> wasn’t the case last week. The ossec server log doesn’t say anything, it
> acts as if the agents aren’t even there. It does syscheck but no longer sees
> the agents.
>
>

Check the system logs, Linux usually logs segfaults. You could also
see which daemons are running after the segfault. If no traffic is
passing between the agents and the server, ossec-agentd may have
crashed. But real troubleshooting can't really happen until the basics
are taken care of, namely finding out which daemon is crashing.

Carrie Poole

unread,

Dec 17, 2012, 10:40:06 PM12/17/12

to ossec...@googlegroups.com

This is the only line that matches the segfault error in the logs:

testconfig()
{
# We first loop to check the config.

for i in ${SDAEMONS}; do

${DIR}/bin/${i} -t ${DEBUG_CLI};
if [ $? != 0 ]; then
echo "${i}: Configuration error. Exiting"
unlock;
exit 1;
fi
done

~ Carrie

Carrie Poole

unread,

Dec 17, 2012, 10:31:57 PM12/17/12

to ossec...@googlegroups.com

The segfaults in /var/log/messages are:
Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at
00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at
00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4

~ Carrie

dan (ddp)

unread,

Dec 17, 2012, 10:41:49 PM12/17/12

to ossec...@googlegroups.com

On Mon, Dec 17, 2012 at 10:31 PM, Carrie Poole
<carrie...@andesaservices.com> wrote:
> The segfaults in /var/log/messages are:
> Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at
> 00000000000002d1 rip 000000000042191b rsp 00007fff87247e90 error 4
> Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at
> 00000000000002d1 rip 000000000042191b rsp 00007fff76959dc0 error 4
>
> ~ Carrie
>

Ok, I was thinking the segfaults were on the agents. Please post the
remote section of the ossec.conf.

Carrie Poole

unread,

Dec 18, 2012, 6:56:07 AM12/18/12

to ossec...@googlegroups.com

Yes, you are correct though, the segfault errors would show up when I
started the ossec agents, but the segfault error in the logs is in the
ossec server's /var/log/messages. It doesn't show up in the agent logs,
just at agent start-up.

<remote>
<connection>secure</connection>
<port>1514</port>
<allowed-ips>172.17.3.0/24</allowed-ips>
<allowed-ips>172.17.103.0/24</allowed-ips>
<allowed-ips>172.17.33.0/24</allowed-ips>
</remote>

~ Carrie

Carrie Poole

unread,

Dec 18, 2012, 1:03:05 PM12/18/12

to ossec...@googlegroups.com

Turned out to be permissions on queue folder that caused the
disconnection issues. Still looking into the segfaults when restarting
agents.

~ Carrie

dan (ddp)

unread,

Dec 18, 2012, 1:35:16 PM12/18/12

to ossec...@googlegroups.com

On Dec 18, 2012 1:13 PM, "Carrie Poole" <carrie...@andesaservices.com> wrote:
>
> Turned out to be permissions on queue folder that caused the
> disconnection issues. Still looking into the segfaults when restarting
> agents.
>
> ~ Carrie
>

Which daemon is segfaulting on the agents?

Carrie Poole

unread,

Dec 18, 2012, 1:54:08 PM12/18/12

to ossec...@googlegroups.com

syscheckd daemon… is crashing because it says there is no syscheck file to monitor…..there is a syscheck file, but it’s in the agent.conf, not the ossec.conf.

All of my agents have the same files (ossec.conf & agent.conf), and only a few of them do the segfault error on startup.

dan (ddp)

unread,

Dec 18, 2012, 3:21:38 PM12/18/12

to ossec...@googlegroups.com

On Dec 18, 2012 3:08 PM, "Carrie Poole" <carrie...@andesaservices.com> wrote:
>
> syscheckd daemon… is crashing because it says there is no syscheck file to monitor…..there is a syscheck file, but it’s in the agent.conf, not the ossec.conf.
>
> All of my agents have the same files (ossec.conf & agent.conf), and only a few of them do the segfault error on startup.
>
>
>
> ~ Carrie
>

I think these issues were fixed in 2.7. Not sure why the agent.conf isn't working correctly though. Can you post the ossec.conf and agent.conf?

Carrie Poole

unread,

Dec 18, 2012, 4:28:27 PM12/18/12

to ossec...@googlegroups.com

Ossec.conf:

<ossec_config>

<email_notification>yes</email_notification>

<email_to>osse...@andesaservices.com</email_to>

<smtp_server> helpdesk.com</smtp_server>

<email_from>oss...@abeossecpr.com</email_from>

<white_list>127.0.0.1</white_list>

<white_list>localhost.localdomain$</white_list>

<white_list>xxx.xx.3.75</white_list>

<white_list>xxx.xx.3.6</white_list>

<white_list>xxx.xx.23.4</white_list>

<white_list>xxx.xx.50.6</white_list>

<white_list>xxx.xx.3.0</white_list>

<white_list>xxx.xx.23.0</white_list>

<white_list>xxx.xx.33.0</white_list>

<white_list>192.168.0.0</white_list>

<white_list>xxx.xx.101.0</white_list>

<white_list>172.19.10.0</white_list>

<white_list>172.20.10.0</white_list>

<white_list>10.10.0.0</white_list>

</global>

<alert_new_files>yes</alert_new_files>

<auto_ignore>no</auto_ignore>

<directories check_all="yes">/etc/hosts,/etc/shadow,/etc/sudoers</directories>

</syscheck>

<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>

<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

<windows_malware>./shared/win_malware_rcl.txt</windows_malware>

</rootcheck>

<connection>secure</connection>

<allowed-ips>xxx.xx.3.0/24</allowed-ips>

<allowed-ips>xxx.xx.103.0/24</allowed-ips>

<allowed-ips>xxx.xx.33.0/24</allowed-ips>

</remote>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>firewall-drop</name>

<executable>firewall-drop.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>disable-account</name>

<executable>disable-account.sh</executable>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>restart-ossec</name>

<executable>restart-ossec.sh</executable>

</command>

<name>route-null</name>

<executable>route-null.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<active-response>

<!-- This response is going to execute the host-deny

- command for every event that fires a rule with

- level (severity) >= 6.

- The IP is going to be blocked for 600 seconds.

-->

<location>local</location>

</active-response>

<active-response>

<!-- Firewall Drop response. Block the IP for

- 600 seconds on the firewall (iptables,

- ipfilter, etc).

-->

<command>firewall-drop</command>

<location>local</location>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

<email_alerts>

<email_to>help...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>cz...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>Discr...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxxxxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>Discr...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxxxxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>Discr...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxxxxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>Discr...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxxxxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>Discr...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<event_location>xxxxxxx001|xxxxxxx002|xxxxxxx003|xxxxxxx004</event_location>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<do_not_delay/>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<event_location>xxxxxxxrppr1|xxxxxxxrep2|xxxxxxxrep194|xxxxxxxpr1|xxxxxxxpr2</event_location>

</email_alerts>

<email_alerts>

<email_to>xxx...@andesaservices.com</email_to>

<event_location>xxxxxxxlog</event_location>

<do_not_delay/>

</email_alerts>

<log_format>syslog</log_format>

<location>/var/log/messages</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/log/secure</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/log/maillog</location>

</localfile>

</ossec_config>

Agent .conf:

npadr005|xxxxxdr006|xxxxxdr007|xxxxxdr008|xxxxxdr009">

<alert_new_files>yes</alert_new_files>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

</agent_config>

eadpr016|xxxxxpr017">

<alert_new_files>yes</alert_new_files>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

</agent_config>

<agent_config name="webconpr01">

<alert_new_files>yes</alert_new_files>

<directories realtime="yes" check_all="yes">/andesa</directories>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

<agent_config name="xxxxxlog">

<location>C:\Program Files\ossec-agent\ossec.log</location>

<log_format>syslog</log_format>

</localfile>

<alert_new_files>yes</alert_new_files>

<directories realtime="yes" check_all="yes">D:\jboss\server\andesa\farm</directories>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

</agent_config>

<agent_config name="xxxxxpr1|xxxxxpr2">

<location>C:\Program Files\ossec-agent\ossec.log</location>

<log_format>syslog</log_format>

</localfile>

<alert_new_files>yes</alert_new_files>

<directories realtime="yes" check_all="yes">C:\orion\applications</directories>

<ignore>C:\orion\applications/OrionEar/META-INF/application</ignore>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

</agent_config>

<agent_config name="xxxxxep194|xxxxxep2|xxxxxppr1">

<location>C:\Program Files\ossec-agent\ossec.log</location>

<log_format>syslog</log_format>

</localfile>

<alert_new_files>yes</alert_new_files>

<directories realtime="yes" check_all="yes">C:\JRentServer\Reports\Catalogs</directories>

<ignore>C:\JREntServer\Reports\Catalogs\.svn</ignore>

</syscheck>

<active-response>

</active-response>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

</agent_config>

dan (ddp)

unread,

Dec 19, 2012, 9:24:38 AM12/19/12

to ossec...@googlegroups.com

On Tue, Dec 18, 2012 at 4:28 PM, Carrie Poole
<carrie...@andesaservices.com> wrote:
> Ossec.conf:
>

This is the server's ossec.conf. I'm only interested in the ossec.conf
of a system with a segfaulting syscheckd.

With the agent.conf, which sections do the failing agents fall under?
Can you verify that they are picking up those configurations?

Carrie Poole

unread,

Dec 20, 2012, 9:35:19 AM12/20/12

to ossec...@googlegroups.com

This is the only thing in all of the agent's ossec.conf:

<ossec_config>
<client>
<server-ip>172.xx.x.xxx</server-ip>
</client>
</ossec_config>

And all of the agents have the current version of the agent.conf.

I have a cron job that runs (staggered times) every morning to restart
the agents, and then the server so I can make sure everything is
listening before the server pushes the config out.
Right now, it all seems to be functioning, except for a few agents
that go disconnected until I log in and restart ossec (even after the
cron job restarts them in the morning)...those are the only ones showing
the seg fault at restart, at this time.

~ Carrie

-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com]
On Behalf Of dan (ddp)
Sent: Wednesday, December 19, 2012 9:25 AM
To: ossec...@googlegroups.com
Subject: Re: [ossec-list] segmentation fault

Reply all

Reply to author

Forward