[Ossec-list] OSSEC seems to die occasionally
- Subject: [Ossec-list] OSSEC seems to die occasionally
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Tue, 18 Apr 2006 21:41:54 -0300
Oops. The "analysisd" process dying without a trace is not good. It just
needs to be able to read from the queue, so permissions in this
case shouldn't be a problem (it wouldn't even start properly).
Can you enable system call tracing on the analysisd process? If running
BSD systems you will probably need to use ktrace -p <analysisd pid>,
or if Linux, use systrace (systrace -p <analysisd pid>). With that we will
be able to see what kind of signal (or whatever) is happening.
Just a few questions to help me understand:
- Which version are you using (7p1)?
- Can you show us (or send me privately) your logs between 23:00 and
23:12 of that day? From all the files that log collector is reading (all 6).
I don't think a "strange" (abnormal) log would cause that, but we never know.
Thanks for the report and hopefully we will be able to figure it out.
--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net
On 4/18/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> On Tue, Apr 18, 2006 at 01:39:11AM -0500, Thomas M. Jett wrote:
> >
> > Check the file permissions on /var/ossec/queue I had the same problem
> > when I first installed ossec, and it became obvious pretty quick that
> > that directory was the problem. All you'll have to do is change the
> > permissions so that ossec can write to it.
>
> I don't think that's the issue. I did not change the permissions
> and OSSEC has been running just fine since it last crashed.
>
> I think the ossec user just needs to be able to read what's in
> /var/ossec/queue, not write to it. Daniel or someone else who knows,
> please correct me if I am wrong.
>
> # ls -l /var/ossec
> total 72
> dr-xr-x--- 3 root ossec 4096 Apr 5 11:14 active-response
> dr-xr-x--- 2 root ossec 4096 Apr 5 11:14 bin
> dr-xr-x--- 3 root ossec 4096 Apr 10 14:16 etc
> drwxr-x--- 5 ossec ossec 4096 Apr 5 11:14 logs
> dr-xr-x--- 8 root ossec 4096 Apr 5 11:14 queue
> dr-xr-x--- 2 root ossec 4096 Apr 15 11:10 rules
> drwxr-x--- 5 ossec ossec 4096 Apr 5 11:21 stats
> dr-xr-x--- 2 root ossec 4096 Apr 5 11:14 tmp
> dr-xr-x--- 3 root ossec 4096 Apr 5 11:14 var
>
> # ps | grep oss
> ossecm 7268 1 0 Apr17 ? 00:00:00 /var/ossec/bin/ossec-maild
> root 7272 1 0 Apr17 ? 00:00:00 /var/ossec/bin/ossec-execd
> ossec 7276 1 0 Apr17 ? 00:01:52 /var/ossec/bin/ossec-analysisd
> root 7280 1 0 Apr17 ? 00:00:00 /var/ossec/bin/ossec-logcollector
> root 7286 1 0 Apr17 ? 00:01:20 /var/ossec/bin/ossec-syscheckd
>
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.