Victor, ossec-init.conf is showing that the installation is a *local* installation.
However, I know that I performed a server installation per my notes and bash history:

    make clean
    make TARGET=server

Obviously I could change this value back to 'server', but will this fix the issue?

Thanks,
Chris

On Saturday, December 10, 2016 at 6:04:45 AM UTC-5, Victor Fernandez wrote:
>
> Hi Chris,
>
> as you guessed, there is one *remoted* process for each <remote>
> configuration. Although it's strange that "ossec-control stop" does stop
> the *remoted* processes but "ossec-control start" doesn't run them.
>
> How did you install Wazuh? Please make sure that the file
> "/var/ossec/etc/ossec-init.conf" has the line:
>
> TYPE="server"
>
> Regards.
>
> On Friday, December 9, 2016 at 5:24:38 PM UTC+1, Chris Decker wrote:
>>
>> Dan,
>>
>> Thanks for your help.
>>
>>> Is ossec-remoted listed in the DAEMONS variable in the script?
>>
>> It was *not*, but I added it after noticing it wasn't in there. If I
>> tell ossec-control to stop, remoted stops as expected:
>>
>> [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop
>> Killing ossec-monitord ..
>> Killing ossec-logcollector ..
>> Killing ossec-syscheckd ..
>> Killing ossec-analysisd ..
>> Killing ossec-maild ..
>> Killing ossec-remoted ..
>> Killing ossec-execd ..
>> Wazuh v1.2 Stopped
>>
>> However, if I tell ossec-control to start, it starts everything but I
>> don't see remoted referenced:
>>
>> [root@logger01 limits.d]# /var/ossec/bin/ossec-control start
>> Starting Wazuh v1.2 (maintained by Wazuh Inc.)...
>> Started wazuh-moduled...
>> Started ossec-maild...
>> Started ossec-execd...
>> Started ossec-analysisd...
>> Started ossec-logcollector...
>> 2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting.
>> 2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled.
>> Started ossec-syscheckd...
>> Started ossec-monitord...
>> Completed.
>>
>> The only thing I *removed* from that list of modules was the ossec-wazuh
>> module because I do not currently use it.
>>
>>> What is your remote configuration in your ossec.conf?
>>
>> <remote>
>>   <connection>secure</connection>
>> </remote>
>>
>> <remote>
>>   <connection>syslog</connection>
>>   <protocol>tcp</protocol>
>>   <port>514</port>
>>   <allowed-ips>10.0.0.0/8</allowed-ips>
>> </remote>
>>
>> <remote>
>>   <connection>syslog</connection>
>>   <protocol>udp</protocol>
>>   <port>514</port>
>>   <allowed-ips>10.0.0.0/8</allowed-ips>
>> </remote>
>>
>> Dave's comment jogged my memory about why remoted is running 3 separate
>> processes - 1514/udp, 514/udp and 514/tcp.
>>
>> On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Dec 9, 2016 9:17 AM, "Chris Decker" <[email protected]> wrote:
>>>
>>> Victor,
>>>
>>> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>>>
>>>> Hi,
>>>>
>>>> Agents should send a keepalive every 10 minutes (600 seconds) by
>>>> default, and this should be enough. But you can lower that time in the
>>>> agent's ossec.conf:
>>>>
>>>> <ossec_config>
>>>>   <client>
>>>>     <server-ip>1.2.3.4</server-ip>
>>>>     *<notify_time>60</notify_time>*
>>>>   </client>
>>>> </ossec_config>
>>>>
>>>> If you see any agent disconnected, check its ossec.log file.
>>>>
>>>> On the other hand, as Dan says, the manager will discard two identical
>>>> consecutive messages, so you should generate different messages for the
>>>> logs (using a random string or the date).
>>>
>>> These events were from auditd and were unique enough that OSSEC should
>>> treat them as such.
>>>
>>> Sorry, I thought you wrote that the logs were the same.
>>>
>>>> If you think that there could be network congestion, you may try to
>>>> connect using TCP, adding, at the agent's ossec.conf:
>>>>
>>>> <ossec_config>
>>>>   <client>
>>>>     <server-ip>1.2.3.4</server-ip>
>>>>     *<protocol>tcp</protocol>*
>>>>   </client>
>>>> </ossec_config>
>>>>
>>>> And, on the manager's ossec.conf:
>>>>
>>>> <ossec_config>
>>>>   <remote>
>>>>     <connection>secure</connection>
>>>>     *<protocol>tcp</protocol>*
>>>>   </remote>
>>>> </ossec_config>
>>>
>>> I'm going to give this a try.
>>>
>>> One thing I've noticed is that the ossec-control script isn't starting
>>> up remoted. If I start remoted by hand it starts, but then I see 3 remoted
>>> processes. I've never come across this issue before. Do you know what
>>> could be causing it?
>>>
>>> Is ossec-remoted listed in the DAEMONS variable in the script?
>>> What is your remote configuration in your ossec.conf?
>>>
>>>> Please test it and write back to us if this doesn't solve the problem.
>>>> All feedback is welcome.
>>>>
>>>> Hope it helps.
>>>> Best regards.
>>>>
>>>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>>>>
>>>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
>>>>>
>>>>> All,
>>>>>
>>>>> I have an OSSEC instance (running the latest/greatest Wazuh code
>>>>> cloned from GitHub) that has about 1k active hosts. I've noticed recently
>>>>> that hosts are flipping back and forth between *Active* and *Disconnected*.
>>>>>
>>>>> Perhaps the manager is too busy? I can't remember the host limit
>>>>> offhand, but I believe ossec limits the number of agents to a number
>>>>> smaller than 1000.
>>>>>
>>>>> I've also noticed that not all of the log messages from "*Active*" hosts
>>>>> are being received by the Manager. For example, I have an agent that
>>>>> generates the same log message every second. I have debug enabled on the
>>>>> Agent and I can see logcollector reading each message, but only *some*
>>>>> of the messages are received on the Manager (I monitored it for a while and
>>>>> it's not that the messages show up later due to network congestion--I don't
>>>>> see the messages ever being received). I tried disabling the agent ID
>>>>> checks on both the Manager and Agent but that didn't have any impact.
>>>>>
>>>>> Ossec will discard some repeated messages. I forget the timeframe
>>>>> offhand though.
>>>>>
>>>>> I suspect there is a misconfiguration or limit I am running into on my
>>>>> Manager running RHEL 7, but I haven't been able to track it down. I did a
>>>>> simple netcat test between the same two hosts and there was no lag in
>>>>> transmissions.
>>>>>
>>>>> Any suggestions/thoughts from the community?
>>>>>
>>>>> Thanks,
>>>>> Chris

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
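The three things the thread ends up checking on the manager (TYPE in ossec-init.conf, ossec-remoted in the DAEMONS list of ossec-control, and one ossec-remoted process per <remote> block in ossec.conf) collected into a small diagnostic script. This is an added example, not code from the thread or from the OSSEC/Wazuh project; the three files it reads are constructed samples written to a temp directory, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): re-create the three checks the thread
# walks through against constructed sample files in a temp dir. On a real
# manager point the functions at /var/ossec/etc/ossec-init.conf,
# /var/ossec/bin/ossec-control and /var/ossec/etc/ossec.conf instead.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/ossec-init.conf" <<'EOF'
DIRECTORY="/var/ossec"
TYPE="local"
EOF
cat > "$TMP/ossec-control" <<'EOF'
DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd"
EOF
cat > "$TMP/ossec.conf" <<'EOF'
<ossec_config>
  <remote><connection>secure</connection></remote>
  <remote><connection>syslog</connection><protocol>tcp</protocol><port>514</port></remote>
  <remote><connection>syslog</connection><protocol>udp</protocol><port>514</port></remote>
</ossec_config>
EOF

# Value of TYPE="..." in ossec-init.conf (empty if the line is absent).
init_type() { sed -n 's/^TYPE="\([^"]*\)".*/\1/p' "$1"; }
# Succeeds only if ossec-remoted appears in the DAEMONS list of ossec-control.
remoted_in_daemons() { grep '^DAEMONS=' "$1" | grep -qw 'ossec-remoted'; }
# Number of <remote> blocks; per the thread, one ossec-remoted process runs per block.
remote_blocks() { grep -c '<remote>' "$1"; }

# Prints findings; exit status = number of problems found.
check_manager() {  # usage: check_manager INIT_CONF CONTROL_SCRIPT OSSEC_CONF
  problems=0
  t=$(init_type "$1")
  if [ "$t" != "server" ]; then
    echo "ossec-init.conf has TYPE=\"$t\"; a manager install should have TYPE=\"server\""
    problems=$((problems + 1))
  fi
  if ! remoted_in_daemons "$2"; then
    echo "ossec-remoted is missing from the DAEMONS list in ossec-control"
    problems=$((problems + 1))
  fi
  echo "ossec.conf declares $(remote_blocks "$3") <remote> block(s): expect that many ossec-remoted processes"
  return "$problems"
}

check_manager "$TMP/ossec-init.conf" "$TMP/ossec-control" "$TMP/ossec.conf" \
  || echo "$? problem(s) found"
```

With the sample files above the script reports both the TYPE="local" and the missing-daemon findings and exits with status 2; on a correctly built manager it exits 0.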
