Was running the Wazuh 2.8.1 agent on "most" systems, with the Wazuh OSSEC
docker container for a master server.
Upgraded to 2.8.3 to try to resolve this problem, with no luck.
Out of about 160 machines, 4-5 of them will reliably wedge themselves after
some amount of time with messages akin to:
Follow-up: ossec-syscheckd appears to be doing some bind operation:
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(12310),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
close(6) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET,
Upgrading has not solved the problem.
Still appears to be some form of port / bind issue based on the backtrace.
To obfuscate things, this was my ossec master (wazuh docker image), so it
was running in a docker container, on a virtual machine under VMWare.
Nothing complicated there, right?
Running the ossec server in a docker container makes sense, and I run the
Wazuh fork of ossec in their provided container with logstash / kibana4.
Running the ossec agent in a container makes no sense to me.
I would suggest instead that you use the docker logging driver to reroute
stdout from
To follow up on my own post: first, the problem was indeed happening
during ossec-rootcheck, but I was unable to determine what was failing.
Secondly, the affected servers were all, at one time or another, exporting a
CIFS or NFS share. Disabling the share didn't prevent ossec-rootcheck from
As the default audit plugins for MySQL are somewhat horrific (XML is not a
log format), and the log syntax for MySQL is multi-line, I've been looking
for other options.
The MariaDB audit plugin so far looks very nice: it's highly tunable in
terms of what it can report, and it plays nice with
Link to the MariaDB audit plugin format:
https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/#audit-log-format
syslog format:
[timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],
On Friday, November 10, 2017 at 3:00:36 PM UTC-5, Josmell Chavarri wrote:
>
> Hi, can you help me with a problem?
>
> I have an ossec-wazuh server with 20 agents connected, with active response
> for agent id 001.
>
>
> Ossec.conf --- the server
>
>
>
> firewall-drop
>