Error starting an agent under FreeBSD


Carlos Lopez

May 25, 2019, 1:39:05 PM
to ossec...@googlegroups.com
Hi all,

I have installed Ossec 3.3.0 from source on a FreeBSD 12 host to work
as an agent, but when I try to start the ossec daemons via the
ossec-control script, it returns this error:

Starting OSSEC HIDS v3.3.0...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

My ossec.conf in this agent is pretty simple:

<ossec_config>
<client>
<server>
<address>172.22.59.11</address>
<port>2312</port>
<protocol>udp</protocol>
</server>
</client>
</ossec_config>

Any tips?
--
Regards,
C. L. Martinez

Carlos Lopez

May 25, 2019, 1:53:06 PM
to ossec...@googlegroups.com
My install options were:

cd ossec-hids-*/src
gmake TARGET=agent PCRE2_SYSTEM=yes ZLIB_SYSTEM=yes USE_INOTIFY=yes
gmake install-agent

Gordon Ewasiuk

May 25, 2019, 7:17:22 PM
to ossec-list
(sorry for top-posting but I'm stuck in the list web-interface)


Protocol and probably port are invalid options on agents.  The server
defines the port and protocol, not the agent.

I tested this on one of my agents:

(from ossec.log)

2019/05/25 18:59:54 ossec-agentd(1230): ERROR: Invalid element in the configuration: 'protocol'.
2019/05/25 18:59:54 ossec-agentd(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/25 18:59:54 ossec-agentd(1215): ERROR: No client configured. Exiting.

Gordon Ewasiuk

May 25, 2019, 7:24:45 PM
to ossec-list
Also, ensure you are using 900.local.conf and not editing ossec.conf directly on agents.  On FreeBSD, and probably other operating systems, upgrades to OSSEC might overwrite ossec.conf.

The full path is /usr/local/ossec-hids/etc/ossec.conf.d/900.local.conf

-Gordon

dan (ddp)

May 29, 2019, 7:15:11 AM
to ossec...@googlegroups.com
On Sat, May 25, 2019 at 1:53 PM Carlos Lopez <clo...@outlook.com> wrote:
> On 25/05/2019 18:52, Carlos Lopez wrote:
> > Hi all,
> >
> > I have installed Ossec 3.3.0 from source in a FreeBSD 12 host to work
> > as an agent, but when I try to start ossec daemons via ossec-control
> > script returns this error:
> >
> > Starting OSSEC HIDS v3.3.0...
> > OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
> >

This error should only happen on Server and Local installations.

> > My ossec.conf in this agent is pretty simple:
> >
> > <ossec_config>
> > <client>
> > <server>
> > <address>172.22.59.11</address>
> > <port>2312</port>
> > <protocol>udp</protocol>
> > </server>
> > </client>
> > </ossec_config>
> >
> > Any tips?
> >
>
> My install options were:
>
> cd ossec-hids-*/src
> gmake TARGET=agent PCRE2_SYSTEM=yes ZLIB_SYSTEM=yes USE_INOTIFY=yes
> gmake install-agent

Carlos Lopez

Jun 1, 2019, 12:06:52 PM
to ossec...@googlegroups.com, dan (ddp)
Sorry for the late response. The problem continues. When I try to start
the agent using the ossec-control command, the same error is returned:

Starting OSSEC HIDS v3.3.0...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

On the other hand, removing the port and protocol entries from the
agent's ossec.conf file, as Gordon said, doesn't work either.

More ideas?

Regards,
C. L. Martinez

Gordon Ewasiuk

Jun 1, 2019, 1:25:07 PM
to ossec-list
I think we need more info!

Do any errors appear in ossec.log?

My ossec.log is in /usr/local/ossec-hids/logs

When I've had configuration errors pop up, ossec writes some pretty detailed stuff.  For example:

2019/05/05 18:42:53 ossec-monitord(1230): ERROR: Invalid element in the configuration: 'smtp_server'.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.


2019/05/06 00:55:50 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Element 'rule_id="100400"' not closed. (line 392).
2019/05/06 00:55:50 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.

2019/05/16 14:17:32 ossec-testrule(1226): ERROR: Error reading XML file '/usr/local/ossec-hids/etc/ossec.conf': XMLERR: Attribute 'disabled' has no value. (line 275).
2019/05/16 14:17:32 ossec-testrule(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.

and so on...

check the log...or post it to the list.  Let's dig into it!

Carlos Lopez

Jun 2, 2019, 5:47:17 AM
to ossec...@googlegroups.com
This is the problem: ossec.log is empty ... The only error is this:

OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

... and it doesn't make sense because it is an agent ...

Regards,
C. L. Martinez

Dave Stoddard

Jun 2, 2019, 3:22:54 PM
to ossec-list
I have seen errors like this in FreeBSD. To track them down, you need to use ossec-logtest to find the problem.
Try this command in OSSEC (located in the bin subdirectory of OSSEC):

ossec-logtest -d -d -d -t -v

If the error is not obvious (usually the last line or two), pipe its output to a file and you can use vi, grep, or some other tool to examine it.

ossec-logtest -d -d -d -t -v > loginfo.txt 2>&1
grep -i error loginfo.txt

The error will be apparent once you run this command. Good luck.

Dave Stoddard
Network Alarm Corporation
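
Once the debug output is captured in loginfo.txt (or when ossec.log does contain entries), a per-daemon summary is quicker to read than raw grep output. The script below is an added example, not part of the original thread or of OSSEC; it assumes the "date time daemon(code): ERROR: message" line format quoted in this thread, and the names ossec_errors and sample_log are hypothetical.

```shell
#!/bin/sh
# Added example: summarise ERROR lines in OSSEC output (ossec.log or
# captured ossec-logtest output). Assumed line format, as quoted above:
#   YYYY/MM/DD HH:MM:SS daemon(code): ERROR: message

# ossec_errors FILE
# Prints "count<TAB>daemon(code)<TAB>message" for each distinct error,
# most frequent first. Returns 1 when FILE holds no ERROR lines (for
# example an empty ossec.log) or cannot be read.
ossec_errors() {
    out=$(awk '
        # Field 3 is "daemon(code):" and field 4 is the severity tag.
        $3 ~ /^[a-z-]+\([0-9]+\):$/ && $4 == "ERROR:" {
            src = $3
            sub(/:$/, "", src)
            msg = substr($0, index($0, "ERROR: ") + 7)
            count[src "\t" msg]++
        }
        END {
            for (k in count) { printf "%d\t%s\n", count[k], k; found = 1 }
            exit(found ? 0 : 1)
        }
    ' "$1") || return 1
    printf '%s\n' "$out" | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Sample input: ERROR lines copied from this thread plus one constructed
# non-error line, which must be ignored.
sample_log() {
    cat <<'EOF'
2019/05/05 18:42:53 ossec-monitord(1230): ERROR: Invalid element in the configuration: 'smtp_server'.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/05 18:42:53 ossec-monitord(1202): ERROR: Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2019/05/25 18:59:50 ossec-agentd: INFO: constructed non-error line
2019/05/25 18:59:54 ossec-agentd(1230): ERROR: Invalid element in the configuration: 'protocol'.
EOF
}

# Run against a file when one is given, e.g.: sh thisscript.sh loginfo.txt
if [ "$#" -gt 0 ]; then
    ossec_errors "$1"
fi
```

A non-zero return on an empty file separates "nothing was logged" from "no errors matched", which is the situation reported earlier in this thread.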