Hi Chris,

as you guessed, there is one *remoted* process for each <remote> 
configuration. It's strange, though, that "ossec-control stop" does stop 
the *remoted* processes but "ossec-control start" doesn't run them.

How did you install Wazuh? Please make sure that the file 
"/var/ossec/etc/ossec-init.conf" has the line:

TYPE="server"


Regards.
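A small diagnostic that ties the points of this thread together, added here as an example and not taken from the original messages or from Wazuh's own scripts: it counts the <remote> blocks in ossec.conf (one ossec-remoted process is expected per block), checks that ossec-init.conf says TYPE="server", checks that ossec-remoted appears in the DAEMONS variable of ossec-control, and compares the expected count with what is actually running. The three files are constructed inline under a temporary directory so it runs anywhere; point the paths at /var/ossec to check a real manager.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. Sample files below are
# constructed; on a real manager use /var/ossec/etc/ossec.conf,
# /var/ossec/etc/ossec-init.conf and /var/ossec/bin/ossec-control instead.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ossec.conf with the three <remote> blocks from the thread.
cat > "$WORK/ossec.conf" <<'EOF'
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>
EOF

# Constructed ossec-init.conf; an agent-type install never starts remoted.
printf 'DIRECTORY="/var/ossec"\nTYPE="server"\n' > "$WORK/ossec-init.conf"

# Constructed DAEMONS line from ossec-control with ossec-remoted left out,
# which is the situation described in the thread.
printf 'DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd"\n' > "$WORK/ossec-control"

# One ossec-remoted process is expected per <remote> block.
count_remote_blocks() { grep -c '<remote>' "$1"; }
# True when the install is a manager (TYPE="server").
is_server_install() { grep -q '^TYPE="server"' "$1"; }
# True when ossec-remoted is listed in the DAEMONS variable.
remoted_in_daemons() { grep '^DAEMONS=' "$1" | grep -q 'ossec-remoted'; }
# Number of ossec-remoted processes currently running (0 if none or no ps).
running_remoted() { ps -e -o comm= 2>/dev/null | grep -c -x ossec-remoted || true; }

expected=$(count_remote_blocks "$WORK/ossec.conf")
is_server_install "$WORK/ossec-init.conf" || echo "TYPE is not server: remoted will never be started"
remoted_in_daemons "$WORK/ossec-control" || echo "ossec-remoted is missing from DAEMONS in ossec-control"
echo "expected ossec-remoted processes: $expected, running: $(running_remoted)"
```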


On Friday, December 9, 2016 at 5:24:38 PM UTC+1, Chris Decker wrote:
>
> Dan,
>
> Thanks for your help.
>
>> Is ossec-remoted listed in the DAEMONS variable in the script?
>>
> It was *not*, but I added it after noticing it wasn't in there.  If I 
> tell ossec-control to stop, remoted stops as expected:
>
> [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop
> Killing ossec-monitord .. 
> Killing ossec-logcollector .. 
> Killing ossec-syscheckd .. 
> Killing ossec-analysisd .. 
> Killing ossec-maild .. 
> Killing ossec-remoted .. 
> Killing ossec-execd .. 
> Wazuh v1.2 Stopped
>
>
> However, if I tell ossec-control to start, it starts everything but I 
> don't see remoted referenced:
> [root@logger01 limits.d]# /var/ossec/bin/ossec-control start
>
> Starting Wazuh v1.2 (maintained by Wazuh Inc.)...
> Started wazuh-moduled...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> 2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting.
> 2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled.
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
>
> The only thing I *removed* from that list of modules was the ossec-wazuh 
> module because I do not currently use it.
>  
>
>> What is your remote configuration in your ossec.conf?
>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <remote>
>     <connection>syslog</connection>
>     <protocol>tcp</protocol>
>     <port>514</port>
>     <allowed-ips>10.0.0.0/8</allowed-ips>
>   </remote>
>
>   <remote>
>     <connection>syslog</connection>
>     <protocol>udp</protocol>
>     <port>514</port>
>     <allowed-ips>10.0.0.0/8</allowed-ips>
>   </remote>
>
> Dave's comment jogged my memory about why remoted is running 3 separate 
> processes - 1514/udp, 514/udp and 514/tcp.
>
>
>
> On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote:
>>
>>
>>
>> On Dec 9, 2016 9:17 AM, "Chris Decker" <ch...@chris-decker.com> wrote:
>>
>> Victor,
>>
>> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>>
>>> Hi,
>>>
>>> Agents should send a keepalive each 10 minutes (600 seconds) by default, 
>>> and this should be enough. But you can go down that time at the agent's 
>>> ossec.conf:
>>>
>>>
>>> <ossec_config>
>>>    <client>
>>>       <server-ip>1.2.3.4</server-ip>
>>>       <notify_time>60</notify_time>
>>>    </client>
>>> </ossec_config>
>>>
>>>
>>> If you see any agent disconnected, check its ossec.log file.
>>>
>>> On the other hand, as Dan says, the manager will discard two identical 
>>> consecutive messages, so you should generate different messages for the 
>>> logs (using a random string or the date).
>>>
>> These events were from auditd and were unique enough that OSSEC should 
>> treat them as such. 
>>
>>
>> Sorry, I thought you wrote that the logs were the same.
>>
>>
>>
>>> If you think that there could be network congestion, you may try to 
>>> connect using TCP, adding, at the agent's ossec.conf:
>>>
>>> <ossec_config>
>>>    <client>
>>>       <server-ip>1.2.3.4</server-ip>
>>>       <protocol>tcp</protocol>
>>>    </client>
>>> </ossec_config>
>>>
>>> And, on the manager's ossec.conf:
>>>
>>> <ossec_config>
>>>   <remote>
>>>     <connection>secure</connection>
>>>     <protocol>tcp</protocol>
>>>   </remote>
>>> </ossec_config>
>>>
>>> I'm going to give this a try.
>>
>> One thing I've noticed is that the ossec-control script isn't starting up 
>> remoted.  If I start remoted by hand it starts, but then I see 3 remoted 
>> processes.  I've never come across this issue before.  Do you know what 
>> could be causing it?
>>
>>
>>
>> Is ossec-remoted listed in the DAEMONS variable in the script?
>> What is your remote configuration in your ossec.conf?
>>
>>
>>> Please test it and write back to us if this doesn't solve the problem. 
>>> All feedback is welcome.
>>>
>>> Hope it helps.
>>> Best regards.
>>>
>>>
>>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>>>
>>>>
>>>>
>>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> wrote:
>>>>
>>>> All,
>>>>
>>>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned 
>>>> from GitHub) that has about 1k active hosts.  I've noticed recently that 
>>>> hosts are flipping back and forth between *Active* and *Disconnected*.
>>>>
>>>>
>>>> Perhaps the manager is too busy? I can't remember the host limit 
>>>> offhand, but I believe ossec limits the number of agents to a number 
>>>> smaller than 1000.
>>>>
>>>>
>>>> I've also noticed that not all of the log messages from *Active* hosts 
>>>> are being received by the Manager.  For example, I have an agent that 
>>>> generates the same log message every second.  I have debug enabled on the 
>>>> Agent and I can see logcollector reading each message, but only *some* 
>>>> of the messages are received on the Manager (I monitored it for awhile and 
>>>> it's not that the messages show up later due to network congestion; I 
>>>> don't see the messages ever being received).  I tried disabling the agent 
>>>> ID checks on both the Manager and Agent but that didn't have any impact.
>>>>
>>>>
>>>> Ossec will discard some repeated messages. I forget the timeframe 
>>>> offhand though.
>>>>
>>>>
>>>>
>>>> I suspect there is a misconfiguration or limit I am running into on my 
>>>> Manager running RHEL 7, but I haven't been able to track it down.  I did a 
>>>> simple netcat test between the same two hosts and there was no lag in 
>>>> transmissions.
>>>>
>>>> Any suggestions/thoughts from the community?
>>>>
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> Chris
>>>>
>>>> -- 
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>
>>
>>
