ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

ossec-maild crashes during unavailability of the smtp server - V3.6.0-12034buster #1890

Open kinimoas opened 4 years ago

kinimoas commented 4 years ago

Our SMTP server was down last night for about 20 minutes, starting at 01:01.

Once the server was working again, the ossec server did not send any emails. I assume maild crashed in some way.

OSSEC log:

2020/07/09 00:17:36 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:02:09 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:02:28 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:02:29 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:02:29 ossec-maild: ERROR: No socket.
2020/07/09 01:03:47 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:03:47 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:04:58 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:05:01 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:05:01 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:05:01 ossec-maild: ERROR: No socket.
2020/07/09 01:06:30 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:06:30 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:08:13 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:08:16 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:08:16 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:08:16 ossec-maild: ERROR: No socket.
2020/07/09 01:08:23 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:08:23 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:08:33 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:08:36 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:08:36 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:08:36 ossec-maild: ERROR: No socket.
2020/07/09 01:08:43 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:08:43 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:08:43 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:08:46 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:08:46 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:08:46 ossec-maild: ERROR: No socket.
2020/07/09 01:08:53 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:08:53 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:08:53 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:08:56 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:08:56 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:08:56 ossec-maild: ERROR: No socket.
2020/07/09 01:10:29 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:10:29 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:10:39 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:10:42 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:10:42 ossec-maild: ERROR: DNS failure for smtpserver
2020/07/09 01:10:42 ossec-maild: ERROR: No socket.
2020/07/09 01:12:09 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:12:09 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:12:09 ossec-maild(1262): ERROR: Too many errors waiting for child process(es).
2020/07/09 01:12:09 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 03:17:06 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2020/07/09 03:17:06 ossec-remoted: ERROR: Unable to append merged file: '/etc/shared/merged.mg'.

And no more messages from ossec-maild afterwards.

Later, I saw one process ossec-maild:

ps -A | grep ossec
 1031 ?        11:11:09 ossec-maild
 1035 ?        00:00:00 ossec-execd
 1038 ?        00:04:05 ossec-analysisd
 1045 ?        00:00:07 ossec-logcollec
 1052 ?        00:08:48 ossec-remoted
 1060 ?        00:00:33 ossec-syscheckd
 1065 ?        00:00:19 ossec-monitord

In addition:

sudo /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild: Process 1030 not used by ossec, removing ..
ossec-maild is running...
ossec-execd is running...

I restarted ossec and everything works again. However, ossec-maild should "survive" a period when the SMTP server is down and resume operation as expected.

Greetings Dominik
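A small health check a defender can run over ossec.log to catch the pattern the report describes (a 1262 "Too many errors" give-up after which ossec-maild goes silent while other daemons keep logging). This is an added example, not code from the OSSEC project; the log format is taken from the lines quoted above and the sample excerpt is constructed from them.

```python
import re
from datetime import datetime

# ossec.log line shape from the report: "<date> <time> ossec-maild(1262): ERROR: <msg>";
# the "(1262)" message id and the " [dns]" sub-tag are both optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?(?: \[\w+\])?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
MAILD_SEND_FAILED = 1223  # "Error Sending email to ..."
MAILD_GAVE_UP = 1262      # "Too many errors waiting for child process(es)."

def parse_line(line):
    """Parse one ossec.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
    d["code"] = int(d["code"]) if d["code"] else None
    return d

def maild_health(lines):
    """Count maild delivery failures and flag the silent-death pattern: a 1262
    give-up after which other daemons keep logging but ossec-maild never does."""
    events = [e for e in map(parse_line, lines) if e]
    maild = [e for e in events if e["daemon"] == "ossec-maild"]
    gave_up = next((e for e in maild if e["code"] == MAILD_GAVE_UP), None)
    report = {
        "send_failures": sum(1 for e in maild if e["code"] == MAILD_SEND_FAILED),
        "gave_up_at": gave_up["ts"] if gave_up else None,
        "maild_last_seen": maild[-1]["ts"] if maild else None,
        "silent_after_give_up": False,
    }
    if gave_up:
        after = [e for e in events if e["ts"] > gave_up["ts"]]
        report["silent_after_give_up"] = bool(after) and all(
            e["daemon"] != "ossec-maild" for e in after)
    return report

# Constructed excerpt modelled on the ossec.log quoted in the report.
SAMPLE_LOG = """\
2020/07/09 01:10:39 ossec-maild: DEBUG: Running OS_Sendmail()
2020/07/09 01:10:42 ossec-maild [dns]: ERROR: connect() failed.
2020/07/09 01:12:09 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/07/09 01:12:09 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 01:12:09 ossec-maild(1262): ERROR: Too many errors waiting for child process(es).
2020/07/09 01:12:09 ossec-maild(1223): ERROR: Error Sending email to 10.33.33.25 (smtp server)
2020/07/09 03:17:06 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
""".splitlines()
```

Feed it the real ossec.log (for example with `maild_health(open("/var/ossec/logs/ossec.log"))`) from a cron job and alert when `silent_after_give_up` is true, since the daemon's own mail channel is exactly what has failed at that point.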

kinimoas commented 3 years ago

Can you tell when a fix will make it to the Debian packages? If this takes a while, I will use the workaround.

Greetings Dominik