Dan,

Thanks for your help.

> Is ossec-remoted listed in the DAEMONS variable in the script?

It was *not*, but I added it after noticing it wasn't in there.  If I tell 
ossec-control to stop, remoted stops as expected:

[root@logger01 limits.d]# /var/ossec/bin/ossec-control stop
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
Killing ossec-maild .. 
Killing ossec-remoted .. 
Killing ossec-execd .. 
Wazuh v1.2 Stopped


However, if I tell ossec-control to start, it starts everything but I don't 
see remoted referenced:

[root@logger01 limits.d]# /var/ossec/bin/ossec-control start

Starting Wazuh v1.2 (maintained by Wazuh Inc.)...
Started wazuh-moduled...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting.
2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled.
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


The only thing I *removed* from that list of modules was the ossec-wuzuh 
module because I do not currently use it.

> What is your remote configuration in your ossec.conf?

  <remote>
    <connection>secure</connection>
  </remote>

  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>

Dave's comment jogged my memory about why remoted is running 3 separate 
processes - 1514/udp, 514/udp and 514/tcp.
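The point just made (one ossec-remoted process per <remote> block, so three listeners for the configuration above) is easy to check from the manager's ossec.conf itself. The script below is an added example written for this thread, not code from OSSEC or Wazuh. It parses every <remote> block, fills in OSSEC's defaults where the block omits them (assumed here: port 1514 for a secure connection, 514 for syslog, and UDP when no <protocol> is given), and reports the listeners remoted should open, flagging two things a practitioner would want to know before restarting: a syslog listener with no <allowed-ips> (which accepts nothing) and two blocks that bind the same protocol and port. The sample configuration embedded in the script is constructed to mirror the blocks quoted above; the wrapping in a synthetic root element is there because a real ossec.conf may contain several top-level <ossec_config> elements and is therefore not well-formed XML on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the three <remote> blocks quoted in the thread.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>
"""

# Assumed OSSEC defaults: agent (secure) traffic on 1514, syslog on 514,
# UDP unless the block says otherwise.
DEFAULT_PORT = {"secure": 1514, "syslog": 514}
DEFAULT_PROTOCOL = "udp"


def parse_remote_listeners(conf_text):
    """Return (listeners, warnings) for every <remote> block in an ossec.conf.

    Each listener is a dict with connection, protocol, port and allowed_ips.
    As observed in the thread, remoted runs one process per <remote> block,
    so len(listeners) is the number of ossec-remoted processes to expect.
    """
    # A real ossec.conf may hold several top-level <ossec_config> elements,
    # which is not well-formed XML; wrap the whole file in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    listeners, warnings, seen = [], [], set()
    for remote in root.iter("remote"):
        conn = (remote.findtext("connection") or "").strip()
        if conn not in DEFAULT_PORT:
            raise ValueError("unknown <connection> value: %r" % conn)
        proto = (remote.findtext("protocol") or DEFAULT_PROTOCOL).strip().lower()
        port_text = remote.findtext("port")
        port = int(port_text.strip()) if port_text else DEFAULT_PORT[conn]
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
        # A syslog listener with no allowed networks will not accept anything.
        if conn == "syslog" and not allowed:
            warnings.append("syslog listener on %s/%d has no <allowed-ips>" % (proto, port))
        # Two blocks on the same protocol/port cannot both bind.
        if (proto, port) in seen:
            warnings.append("duplicate listener on %s/%d" % (proto, port))
        seen.add((proto, port))
        listeners.append({"connection": conn, "protocol": proto,
                          "port": port, "allowed_ips": allowed})
    return listeners, warnings


if __name__ == "__main__":
    found, problems = parse_remote_listeners(SAMPLE_CONF)
    for lst in found:
        print("%-6s %-3s %5d  allowed=%s" % (lst["connection"], lst["protocol"],
                                            lst["port"], ",".join(lst["allowed_ips"]) or "-"))
    print("expect %d ossec-remoted processes" % len(found))
    for msg in problems:
        print("warning:", msg)
```

Run it against the live file with `python3 check_remote.py` after replacing SAMPLE_CONF with the contents of /var/ossec/etc/ossec.conf; the count it prints is what `ps` should show for ossec-remoted once ossec-control actually starts the daemon.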



On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Dec 9, 2016 9:17 AM, "Chris Decker" <ch...@chris-decker.com> wrote:
>
> Victor,
>
> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>
>> Hi,
>>
>> Agents should send a keepalive each 10 minutes (600 seconds) by default, 
>> and this should be enough. But you can go down that time at the agent's 
>> ossec.conf:
>>
>>
>> <ossec_config>
>>    <client>
>>       <server-ip>1.2.3.4</server-ip>
>>       <notify_time>60</notify_time>
>>    </client>
>> </ossec_config>
>>
>>
>> If you see any agent disconnected, check its ossec.log file.
>>
>> On the other hand, as Dan says, the manager will discard two identical 
>> consecutive messages, so you should generate different messages for the 
>> logs (using a random string or the date).
>>
> These events were from auditd and were unique enough that OSSEC should 
> treat them as such. 
>
>
> Sorry, I thought you wrote that the logs were the same.
>
>
>
>> If you think that there could be network congestion, you may try to 
>> connect using TCP, adding, at the agent's ossec.conf:
>>
>> <ossec_config>
>>    <client>
>>       <server-ip>1.2.3.4</server-ip>
>>       <protocol>tcp</protocol>
>>    </client>
>> </ossec_config>
>>
>> And, on the manager's ossec.conf:
>>
>> <ossec_config>
>>   <remote>
>>     <connection>secure</connection>
>>     <protocol>tcp</protocol>
>>   </remote>
>> </ossec_config>
>>
> I'm going to give this a try.
>
> One thing I've noticed is that the ossec-control script isn't starting up 
> remoted.  If I start remoted by hand it starts, but then I see 3 remoted 
> processes.  I've never come across this issue before.  Do you know what 
> could be causing it?
>
>
>
> Is ossec-remoted listed in the DAEMONS variable in the script?
> What is your remote configuration in your ossec.conf?
>
>
>> Please test it and write back to us if this doesn't solve the problem. 
>> All feedback is welcome.
>>
>> Hope it helps.
>> Best regards.
>>
>>
>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> wrote:
>>>
>>> All,
>>>
>>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned 
>>> from GitHub) that has about 1k active hosts.  I've noticed recently that 
>>> hosts are flipping back and forth between *Active* and *Disconnected*.
>>>
>>>
>>> Perhaps the manager is too busy? I can't remember the host limit 
>>> offhand, but I believe ossec limits the number of agents to a number 
>>> smaller than 1000.
>>>
>>>
>>> I've also noticed that not all of the log messages from "Active" hosts 
>>> are being received by the Manager.  For example, I have an agent that 
>>> generates the same log message every second.  I have debug enabled on the 
>>> Agent and I can see logcollector reading each message, but only *some* 
>>> of the messages are received on the Manager (I monitored it for awhile and 
>>> it's not that the messages show up later due to network congestion--I don't 
>>> see the messages ever being received).  I tried disabling the agent ID 
>>> checks on both the Manager and Agent but that didn't have any impact.
>>>
>>>
>>> Ossec will discard some repeated messages. I forget the timeframe 
>>> offhand though.
>>>
>>>
>>>
>>> I suspect there is a misconfiguration or limit I am running into on my 
>>> Manager running RHEL 7, but I haven't been able to track it down.  I did a 
>>> simple netcat test between the same two hosts and there was no lag in 
>>> transmissions.
>>>
>>> Any suggestions/thoughts from the community?
>>>
>>>
>>>
>>>
>>> Thanks,
>>> Chris
>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
