Hi Chris, since you compiled the project with "TARGET=server", maybe you chose "local" when installed it. A local installation is a profile like a server but without Remoted, that's why that daemon doesn't start with "ossec-control start".
The line at ossec-init.conf has only informational purposes, changing it will be useless. The local profile compiles OSSEC with option "TARGET=local", copies the script at "src/init/ossec-local.sh" as " /var/ossec/bin/ossec-control" and applies a local setting template (without <remote> configuration, for example). The best option would be to uninstall OSSEC, clean the compilation (make clean) and re-install it. If you can't uninstall it, these steps may help you: 1. Change to the "Wazuh" directory. 2. Clean the project: make -C src clean 3. Compile and install again: make -C src TARGET=server install 4. Create a default remote setting on /var/ossec/etc/ossec.conf: <ossec_config> <!-- (...) --> *<remote>* * <connection>secure</connection>* * </remote>* <!-- (...) --> </ossec_config> 5. Restart OSSEC: /var/ossec/bin/ossec-control restart This may fix your problem. Best regards. On Monday, December 12, 2016 at 7:11:07 PM UTC+1, Chris Decker wrote: > > Victor, > > ossec-init.conf is showing the the installation is a *local* installation. > > However, I know that I performed a server installation per my notes and > bash history… > > make clean > > make TARGET=server > > > > Obviously I could change this value back to 'server', but will this fix > the issue? > > > > Thanks, > Chris > > > On Saturday, December 10, 2016 at 6:04:45 AM UTC-5, Victor Fernandez wrote: >> >> Hi Chris, >> >> as you guessed, there is one *remoted* process for each <remote> >> configuration. Although it's strange that "ossec-control stop" does stop >> the *remoted *processes but "ossec-control start" doesn't run them. >> >> How did you install Wazuh? Please make sure that the file " >> /var/ossec/etc/ossec-init.conf" has the line: >> >> TYPE="server" >> >> >> Regards. >> >> >> On Friday, December 9, 2016 at 5:24:38 PM UTC+1, Chris Decker wrote: >>> >>> Dan, >>> >>> Thanks for your help. >>> >>> Is ossec-remoted listed in the DAEMONS variable in the script? >>>> >>> It was *not*, but I added it after noticing it wasn't in there. If I >>> tell ossec-control to stop, remoted stops as expected: >>> >>> [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop >>> Killing ossec-monitord .. >>> Killing ossec-logcollector .. >>> Killing ossec-syscheckd .. >>> Killing ossec-analysisd .. >>> Killing ossec-maild .. >>> Killing ossec-remoted .. >>> Killing ossec-execd .. >>> Wazuh v1.2 Stopped >>> >>> >>> However, if I tell ossec-control to start, it starts everything but I >>> don't see remoted referenced: >>> [root@logger01 limits.d]# /var/ossec/bin/ossec-control start >>> >>> Starting Wazuh v1.2 (maintained by Wazuh Inc.)... >>> Started wazuh-moduled... >>> Started ossec-maild... >>> Started ossec-execd... >>> Started ossec-analysisd... >>> Started ossec-logcollector... >>> 2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting. >>> 2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled. >>> Started ossec-syscheckd... >>> Started ossec-monitord... >>> Completed. >>> >>> >>> The only thing I *removed* from that list of modules was the >>> ossec-wuzuh module because I do not currently use it. >>> >>> >>>> What is your remote condiguration in your ossec.conf? >>> >>> >>> <remote> >>> <connection>secure</connection> >>> </remote> >>> >>> >>> <remote> >>> <connection>syslog</connection> >>> <protocol>tcp</protocol> >>> <port>514</port> >>> <allowed-ips>10.0.0.0/8</allowed-ips> >>> </remote> >>> <remote> >>> <connection>syslog</connection> >>> <protocol>udp</protocol> >>> <port>514</port> >>> <allowed-ips>10.0.0.0/8</allowed-ips> >>> </remote> >>> >>> Dave's comment jogged my memory about why remoted is running 3 separate >>> processes - 1514/udp, 514/udp and 514/tcp. >>> >>> >>> >>> On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote: >>>> >>>> >>>> >>>> On Dec 9, 2016 9:17 AM, "Chris Decker" <ch...@chris-decker.com> wrote: >>>> >>>> Victor, >>>> >>>> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: >>>>> >>>>> Hi, >>>>> >>>>> Agents should send a keepalive each 10 minutes (600 seconds) by >>>>> default, and this should be enough. But you can go down that time at the >>>>> agent's ossec.conf: >>>>> >>>>> >>>>> <ossec_config> >>>>> <client> >>>>> <server-ip>1.2.3.4</server-ip> >>>>> *<notify_time>60</notify_time>* >>>>> </client> >>>>> >>>>> >>>>> If you see any agent disconnected, check its ossec.log file. >>>>> >>>>> On the other hand, as Dan says, the manager will discard two identical >>>>> consecutive messages, so you should generate different messages for the >>>>> logs (using a random string or the date). >>>>> >>>> These events were from auditd and were unique enough that OSSEC should >>>> treat them as such. >>>> >>>> >>>> Sorry, I thought you wrote that the logs were the same. >>>> >>>> >>>> >>>>> If you think that there could be network congestion, you may try to >>>>> connect using TCP, adding, at the agent's ossec.conf: >>>>> >>>>> <ossec_config> >>>>> <client> >>>>> <server-ip>1.2.3.4</server-ip> >>>>> *<protocol>tcp</protocol>* >>>>> </client> >>>>> >>>>> And, on the manager's ossec.conf: >>>>> >>>>> <ossec_config> >>>>> <remote> >>>>> <connection>secure</connection> >>>>> *<protocol>tcp</protocol>* >>>>> </remote> >>>>> >>>>> I'm going to give this a try. >>>> >>>> One thing I've noticed is that the ossec-control script isn't starting >>>> up remoted. If I start remoted by hand it starts, but then I see 3 >>>> remoted >>>> processes. I've never come across this issue before. Do you know what >>>> could be causing it? >>>> >>>> >>>> >>>> Is ossec-remoted listed in the DAEMONS variable in the script? >>>> What is your remote condiguration in your ossec.conf? >>>> >>>> >>>>> Please test it and write back to us if this doesn't solve the problem. >>>>> All feedback is welcome. >>>>> >>>>> Hope it helps. >>>>> Best regards. >>>>> >>>>> >>>>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote: >>>>>> >>>>>> >>>>>> >>>>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> >>>>>> wrote: >>>>>> >>>>>> All, >>>>>> >>>>>> I have an OSSEC instance (running the latest/greatest Wuzuh code >>>>>> cloned from GitHub) that has about 1k active hosts. I've noticed >>>>>> recently >>>>>> that hosts are flipping back and forth between *Active* and >>>>>> *Disconnected*. >>>>>> >>>>>> >>>>>> Perhaps the manager is too busy? I can't remember the host limit >>>>>> offhand, but I believe ossec limits the number of agents to a number >>>>>> smaller than 1000. >>>>>> >>>>>> >>>>>> I've also noticed that not all of the log messages from "*Active" *hosts >>>>>> are being received by the Manager. For example, I have an agent that >>>>>> generates the same log message every second. I have debug enabled on >>>>>> the >>>>>> Agent and I can see logcollector reading each message, but only >>>>>> *some* of the messages are received on the Manager (I monitored it >>>>>> for awhile and it's not that the messages show up later due to network >>>>>> congestion--I don't see the messages ever being received). I tried >>>>>> disabling the agent ID checks on both the Manager and Agent but that >>>>>> didn't >>>>>> have any impact. >>>>>> >>>>>> >>>>>> Ossec will discard some repeated messages. I forget the timeframe >>>>>> offhand though. >>>>>> >>>>>> >>>>>> >>>>>> I suspect there is a misconfiguration or limit I am running into on >>>>>> my Manager running RHEL 7, but I haven't been able to track it down. I >>>>>> did >>>>>> a simple netcat test between the same two hosts and there was no lag in >>>>>> transmissions. >>>>>> >>>>>> Any suggestions/thoughts from the community? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Thanks, >>>>>> Chris >>>>>> >>>>>> -- >>>>>> >>>>>> --- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "ossec-list" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to ossec-list+...@googlegroups.com. >>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>> >>>>>> >>>>>> -- >>>> >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "ossec-list" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to ossec-list+...@googlegroups.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> >>>> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.