Victor,

Thanks.

What I was doing was *rm*ing everything in /var/ossec except for queue and logs. Then I was installing the newly-compiled code. When the installer asked if I wanted to update, I answered "yes", which apparently defaults the installation to a local installation (I'm not sure that it even discloses that on the screen). I discovered this after you pointed me towards the fact that it was a local installation, so the last time I installed I actually answered "no" to the update question and then I was able to go through the normal steps and choose "server" as the type.

I have the server up and running now. Let's hope my clients become more stable. I'll let you know.

Thanks for your continued help!

Thanks,
Chris

On Monday, December 12, 2016 at 3:47:06 PM UTC-5, Victor Fernandez wrote:
> Hi Chris,
>
> since you compiled the project with "TARGET=server", maybe you chose "local" when you installed it. A local installation is a profile like a server but without Remoted; that's why that daemon doesn't start with "ossec-control start".
>
> The line at ossec-init.conf has only informational purposes; changing it will be useless. The local profile compiles OSSEC with option "TARGET=local", copies the script at "src/init/ossec-local.sh" as "/var/ossec/bin/ossec-control" and applies a local setting template (without <remote> configuration, for example).
>
> The best option would be to uninstall OSSEC, clean the compilation (make clean) and re-install it. If you can't uninstall it, these steps may help you:
>
> 1. Change to the "Wazuh" directory.
> 2. Clean the project: make -C src clean
> 3. Compile and install again: make -C src TARGET=server install
> 4. Create a default remote setting on /var/ossec/etc/ossec.conf:
>
>     <ossec_config>
>       <!-- (...) -->
>
>       <remote>
>         <connection>secure</connection>
>       </remote>
>
>       <!-- (...) -->
>     </ossec_config>
>
> 5. Restart OSSEC: /var/ossec/bin/ossec-control restart
>
> This may fix your problem.
>
> Best regards.
>
> On Monday, December 12, 2016 at 7:11:07 PM UTC+1, Chris Decker wrote:
>> Victor,
>>
>> ossec-init.conf is showing that the installation is a *local* installation.
>>
>> However, I know that I performed a server installation per my notes and bash history…
>>
>>     make clean
>>     make TARGET=server
>>
>> Obviously I could change this value back to 'server', but will this fix the issue?
>>
>> Thanks,
>> Chris
>>
>> On Saturday, December 10, 2016 at 6:04:45 AM UTC-5, Victor Fernandez wrote:
>>> Hi Chris,
>>>
>>> as you guessed, there is one *remoted* process for each <remote> configuration. Although it's strange that "ossec-control stop" does stop the *remoted* processes but "ossec-control start" doesn't run them.
>>>
>>> How did you install Wazuh? Please make sure that the file "/var/ossec/etc/ossec-init.conf" has the line:
>>>
>>>     TYPE="server"
>>>
>>> Regards.
>>>
>>> On Friday, December 9, 2016 at 5:24:38 PM UTC+1, Chris Decker wrote:
>>>> Dan,
>>>>
>>>> Thanks for your help.
>>>>
>>>>> Is ossec-remoted listed in the DAEMONS variable in the script?
>>>>
>>>> It was *not*, but I added it after noticing it wasn't in there. If I tell ossec-control to stop, remoted stops as expected:
>>>>
>>>>     [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop
>>>>     Killing ossec-monitord ..
>>>>     Killing ossec-logcollector ..
>>>>     Killing ossec-syscheckd ..
>>>>     Killing ossec-analysisd ..
>>>>     Killing ossec-maild ..
>>>>     Killing ossec-remoted ..
>>>>     Killing ossec-execd ..
>>>>     Wazuh v1.2 Stopped
>>>>
>>>> However, if I tell ossec-control to start, it starts everything but I don't see remoted referenced:
>>>>
>>>>     [root@logger01 limits.d]# /var/ossec/bin/ossec-control start
>>>>     Starting Wazuh v1.2 (maintained by Wazuh Inc.)...
>>>>     Started wazuh-moduled...
>>>>     Started ossec-maild...
>>>>     Started ossec-execd...
>>>>     Started ossec-analysisd...
>>>>     Started ossec-logcollector...
>>>>     2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting.
>>>>     2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled.
>>>>     Started ossec-syscheckd...
>>>>     Started ossec-monitord...
>>>>     Completed.
>>>>
>>>> The only thing I *removed* from that list of modules was the ossec-wazuh module because I do not currently use it.
>>>>
>>>>> What is your remote configuration in your ossec.conf?
>>>>
>>>>     <remote>
>>>>       <connection>secure</connection>
>>>>     </remote>
>>>>
>>>>     <remote>
>>>>       <connection>syslog</connection>
>>>>       <protocol>tcp</protocol>
>>>>       <port>514</port>
>>>>       <allowed-ips>10.0.0.0/8</allowed-ips>
>>>>     </remote>
>>>>
>>>>     <remote>
>>>>       <connection>syslog</connection>
>>>>       <protocol>udp</protocol>
>>>>       <port>514</port>
>>>>       <allowed-ips>10.0.0.0/8</allowed-ips>
>>>>     </remote>
>>>>
>>>> Dave's comment jogged my memory about why remoted is running 3 separate processes - 1514/udp, 514/udp and 514/tcp.
>>>>
>>>> On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote:
>>>>> On Dec 9, 2016 9:17 AM, "Chris Decker" <[email protected]> wrote:
>>>>>
>>>>> Victor,
>>>>>
>>>>> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Agents should send a keepalive every 10 minutes (600 seconds) by default, and this should be enough. But you can lower that time at the agent's ossec.conf:
>>>>>>
>>>>>>     <ossec_config>
>>>>>>       <client>
>>>>>>         <server-ip>1.2.3.4</server-ip>
>>>>>>         <notify_time>60</notify_time>
>>>>>>       </client>
>>>>>>
>>>>>> If you see any agent disconnected, check its ossec.log file.
>>>>>>
>>>>>> On the other hand, as Dan says, the manager will discard two identical consecutive messages, so you should generate different messages for the logs (using a random string or the date).
>>>>>
>>>>> These events were from auditd and were unique enough that OSSEC should treat them as such.
>>>>>
>>>>> Sorry, I thought you wrote that the logs were the same.
>>>>>
>>>>>> If you think that there could be network congestion, you may try to connect using TCP, adding, at the agent's ossec.conf:
>>>>>>
>>>>>>     <ossec_config>
>>>>>>       <client>
>>>>>>         <server-ip>1.2.3.4</server-ip>
>>>>>>         <protocol>tcp</protocol>
>>>>>>       </client>
>>>>>>
>>>>>> And, on the manager's ossec.conf:
>>>>>>
>>>>>>     <ossec_config>
>>>>>>       <remote>
>>>>>>         <connection>secure</connection>
>>>>>>         <protocol>tcp</protocol>
>>>>>>       </remote>
>>>>>
>>>>> I'm going to give this a try.
>>>>>
>>>>> One thing I've noticed is that the ossec-control script isn't starting up remoted. If I start remoted by hand it starts, but then I see 3 remoted processes. I've never come across this issue before. Do you know what could be causing it?
>>>>>
>>>>> Is ossec-remoted listed in the DAEMONS variable in the script?
>>>>> What is your remote configuration in your ossec.conf?
>>>>>
>>>>>> Please test it and write back to us if this doesn't solve the problem. All feedback is welcome.
>>>>>>
>>>>>> Hope it helps.
>>>>>> Best regards.
>>>>>>
>>>>>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>>>>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
>>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*.
>>>>>>>
>>>>>>> Perhaps the manager is too busy? I can't remember the host limit offhand, but I believe ossec limits the number of agents to a number smaller than 1000.
>>>>>>>
>>>>>>> I've also noticed that not all of the log messages from *Active* hosts are being received by the Manager. For example, I have an agent that generates the same log message every second. I have debug enabled on the Agent and I can see logcollector reading each message, but only *some* of the messages are received on the Manager (I monitored it for a while and it's not that the messages show up later due to network congestion; I don't see the messages ever being received). I tried disabling the agent ID checks on both the Manager and Agent but that didn't have any impact.
>>>>>>>
>>>>>>> Ossec will discard some repeated messages. I forget the timeframe offhand though.
>>>>>>>
>>>>>>> I suspect there is a misconfiguration or limit I am running into on my Manager running RHEL 7, but I haven't been able to track it down. I did a simple netcat test between the same two hosts and there was no lag in transmissions.
>>>>>>>
>>>>>>> Any suggestions/thoughts from the community?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chris
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
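The three manager-side checks the replies in this thread walk through (TYPE in ossec-init.conf, a secure <remote> block in ossec.conf, and ossec-remoted in the DAEMONS list of ossec-control) pulled together as an added Python example. This is not code from the thread or from the Wazuh/OSSEC project. The file contents are constructed samples modelled on what Chris posted; the exact DAEMONS line, the default listener ports (1514 for secure, 514 for syslog, udp when <protocol> is absent) and the function names are assumptions made for the example.

```python
"""Offline sanity checks for a Wazuh/OSSEC manager that will not start remoted.

Added example, not part of the ossec-list thread or the Wazuh code base.
All three file bodies below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Constructed /var/ossec/etc/ossec-init.conf after an accidental "local" install.
SAMPLE_INIT_CONF = '''DIRECTORY="/var/ossec"
VERSION="v1.2"
TYPE="local"
'''

# Constructed manager ossec.conf with the three <remote> blocks from the thread.
# Real ossec.conf files may contain several top-level <ossec_config> elements
# and comments, which the sample reproduces on purpose.
SAMPLE_OSSEC_CONF = '''<ossec_config>
  <!-- (...) -->
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>
'''

# Constructed DAEMONS line in the style of a local-profile ossec-control
# (assumption: the real script's names and order may differ). No ossec-remoted.
SAMPLE_CONTROL = '''#!/bin/sh
DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd"
'''


def install_type(init_conf):
    """Return the TYPE value from ossec-init.conf text, or None if the line is missing."""
    m = re.search(r'^TYPE="([^"]*)"', init_conf, re.MULTILINE)
    return m.group(1) if m else None


def remote_blocks(ossec_conf):
    """Return one dict per <remote> block.

    Several top-level <ossec_config> elements are not well-formed XML, so the
    text is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    blocks = []
    for rem in root.iter("remote"):
        conn = rem.findtext("connection", "").strip()
        # Assumed defaults, matching the 1514/udp, 514/udp and 514/tcp listeners in the thread.
        proto = rem.findtext("protocol", "udp").strip()
        port = rem.findtext("port", "1514" if conn == "secure" else "514").strip()
        blocks.append({"connection": conn, "protocol": proto, "port": port})
    return blocks


def control_daemons(script):
    """Return the daemon names listed in the DAEMONS variable of ossec-control."""
    m = re.search(r'^DAEMONS="([^"]*)"', script, re.MULTILINE)
    return m.group(1).split() if m else []


def expected_remoted_processes(ossec_conf):
    """One ossec-remoted process is expected per <remote> block."""
    return len(remote_blocks(ossec_conf))


def diagnose(init_conf, ossec_conf, control_script):
    """Cross-check the three files; an empty list means the manager looks like a server profile."""
    findings = []
    profile = install_type(init_conf)
    if profile != "server":
        findings.append(f'ossec-init.conf has TYPE="{profile}", not "server": reinstall with TARGET=server')
    remotes = remote_blocks(ossec_conf)
    if not any(r["connection"] == "secure" for r in remotes):
        findings.append("no <remote> with <connection>secure</connection>: agents have nothing to connect to")
    if "ossec-remoted" not in control_daemons(control_script):
        findings.append("ossec-remoted is not in DAEMONS, so ossec-control start will skip it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_INIT_CONF, SAMPLE_OSSEC_CONF, SAMPLE_CONTROL):
        print("FINDING:", finding)
    print("expected ossec-remoted processes:", expected_remoted_processes(SAMPLE_OSSEC_CONF))
```

Point the three readers at the real files under /var/ossec to run it against a live manager; on the sample data it reports the "local" profile and the missing ossec-remoted entry, and expects three remoted processes, which is exactly the state Chris described before reinstalling with TARGET=server.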
