ossec-remoted spawns children to handle syslog over TCP connections. Under heavy log loads, the child never exits because the call to OS_RecvTCPBuffer on line 71 of syslogtcp.c continues to return data.
Even when ossec has been restarted or shut down, the ossec-remoted child continues running, retaining the incoming TCP syslog connections, and spews error messages into ossec.log complaining about not having a queue.
Either the parent ossec-remoted needs to keep track of its children and terminate them properly when it receives a signal, the child needs to check it's parent pid and exit if parent pid changes to 1.
There may also be something wrong with the code on lines 146 to 149 of syslogtcp.c where it tries to StartMQ again after getting an error on SendMSG, but I'm not familiar enough with the ossec internals to say.
Note: This issue has been automatically migrated from Bitbucket
Created by labrown on 2013-12-04 19:25:05+00:00
ossec-remoted spawns children to handle syslog over TCP connections. Under heavy log loads, the child never exits because the call to OS_RecvTCPBuffer on line 71 of syslogtcp.c continues to return data.
Even when ossec has been restarted or shut down, the ossec-remoted child continues running, retaining the incoming TCP syslog connections, and spews error messages into ossec.log complaining about not having a queue.
Either the parent ossec-remoted needs to keep track of its children and terminate them properly when it receives a signal, the child needs to check it's parent pid and exit if parent pid changes to 1.
There may also be something wrong with the code on lines 146 to 149 of syslogtcp.c where it tries to StartMQ again after getting an error on SendMSG, but I'm not familiar enough with the ossec internals to say.
Note: This issue has been automatically migrated from Bitbucket Created by labrown on 2013-12-04 19:25:05+00:00