After installing the agent, processes cannot be monitored after a reboot #6

Closed
zj1244 opened this issue Nov 14, 2018 · 2 comments

zj1244 commented Nov 14, 2018

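With the agent installed normally, running python s5.py shows an alert on the web side (working as expected). After a reboot, running the command again shows no alert (not working). Running agent ip debug manually shows the following error:
connect syshook netlink error
At this point port 65530 is open. Comparing the ports right after installing the agent with the ports after a reboot shows that after the reboot the agent has one fewer random port open.
Ports right after installing the agent (working):
udp 0 0 127.0.0.1:65530 0.0.0.0:* 1780/agent
udp 0 0 0.0.0.0:59142 0.0.0.0:* 1780/agent
After a reboot (not working):
udp 0 0 127.0.0.1:65530 0.0.0.0:* 1186/agent

This happens on both CentOS 7 and 6.x.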


zj1244 commented Nov 14, 2018

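After debugging it myself, I think the failing call is sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_USER); in the file process_linux.go, with the error message Protocol not supported. It is strange that it works fine without a reboot but stops working after one.
Versions: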
Linux localhost 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Linux localhost.localdomain 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


zj1244 commented Nov 14, 2018

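After more debugging I found that yulong does not reload the syshook_execve.ko driver after a reboot, so processes cannot be monitored.
Fixed by modifying agent.go to add code such as insmod %s/syshook_execve.ko.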

@zj1244 zj1244 closed this as completed Nov 14, 2018
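
An added example, not code from the yulong project or from this thread: one way an agent could verify at startup that syshook_execve is loaded and load it if not, so a reboot cannot silently leave process monitoring off. The install directory /opt/agent and the function names moduleLive and ensureHook are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

const hookModule = "syshook_execve" // module name taken from the issue

// moduleLive reports whether name is listed as Live in /proc/modules text.
// Line format: name size refcount deps state address [taint flags]
func moduleLive(procModules, name string) bool {
	sc := bufio.NewScanner(strings.NewReader(procModules))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 5 && f[0] == name && f[4] == "Live" {
			return true
		}
	}
	return false
}

// ensureHook loads <dir>/syshook_execve.ko unless already loaded (needs root).
func ensureHook(dir string) error {
	data, err := os.ReadFile("/proc/modules")
	if err != nil {
		return fmt.Errorf("read /proc/modules: %w", err)
	}
	if moduleLive(string(data), hookModule) {
		return nil
	}
	ko := filepath.Join(dir, hookModule+".ko")
	// argv form, no shell: the path is never parsed as a command line
	if out, err := exec.Command("insmod", ko).CombinedOutput(); err != nil {
		return fmt.Errorf("insmod %s: %v: %s", ko, err, strings.TrimSpace(string(out)))
	}
	return nil
}

func main() {
	if err := ensureHook("/opt/agent"); err != nil { // hypothetical install dir
		fmt.Fprintln(os.Stderr, "process monitoring unavailable:", err)
		os.Exit(1)
	}
}
```

Exiting with an error when the module cannot be loaded makes the loss of process monitoring visible instead of leaving the agent running without it.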