OSSEC - real time file monitoring - realtime monitoring request on unsupported system for '/example'


Stephen Vemi

Jun 26, 2018, 3:32:48 PM
to Wazuh mailing list
OSSEC-agent real-time file integrity is showing me this error in */logs/ossec.logs. 

OSSEC - real time file monitoring - realtime monitoring request on unsupported system for '/example'

The file system for /example is ext2. Can anyone help me?

Thanks in advance!
Stephen 

Chema Martinez

Jun 27, 2018, 4:24:18 AM
to Stephen Vemi, Wazuh mailing list
Hi Stephen,

This error appears when the Inotify API is not compiled into the monitored system. Could it be that it is not compiled into your Linux system? Which Linux distribution are you using?

Inotify is a requirement for Linux agents to be able to run the real-time FIM.

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.


Stephen Vemi

Jun 27, 2018, 6:18:13 AM
to Wazuh mailing list
Hello Chema, I've added the Inotify package to the build and it is still throwing this error. I am using buildroot (kernel version 4.11.8) and trying to install/compile the agent at build time. Do we have a list of tools and packages that are required for the ossec agent?
Thanks
Stephen

Chema Martinez

Jun 27, 2018, 6:53:31 AM
to Stephen Vemi, Wazuh mailing list
Hi Stephen,

If Inotify is present in your system now, the Wazuh agent should be rebuilt to enable that feature.

Could you follow the following steps in your Wazuh code folder?

# make -C src clean
# make -C src TARGET=agent
# ./install.sh

Updating your rebuilt agent after cleaning it.

Please tell me if it works for you. No external package is necessary for the agent to work fine.

Regards,
Chema.


Chema Martinez | IT Engineer — Wazuh, Inc.

Stephen Vemi

Jun 27, 2018, 8:40:02 AM
to Wazuh mailing list
Hi, I am getting this message now after executing ./ossec-syscheckd 

2018/06/27 13:35:27 ossec-syscheckd: WARNING: Ignoring flag for real time monitoring on directory: '/example'.
Thanks

Chema Martinez

Jun 27, 2018, 9:25:24 AM
to Stephen Vemi, Wazuh mailing list
Hi, it seems the Wazuh agent is not recognizing the Inotify package yet. Could you ensure that it is working in your system properly?

# lsof | grep -i inotify

This must show you the watchers enabled by Inotify in your system.

In addition, the problem could be in the agent build: it is possible that the Makefile doesn't recognize the system as a Linux distribution.

Could you tell me the output of the command "uname -a" on your system?

You could force the Inotify flag to be enabled when building Wazuh by running the following:

# make -C src TARGET=agent USE_INOTIFY=yes

I hope it helps.

Regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.

Chema Martinez

Jun 27, 2018, 11:00:51 AM
to Stephen Vemi, Wazuh mailing list
Hi again Stephen,

Let me clarify my previous answer and give you more information.

Maybe, since you are using a custom Linux, Inotify (the kernel component) is not supported by it. To verify that your kernel supports Inotify, could you move to the "/usr" folder and show me the output of the command:

# find . -name "inotify.h"

It is possible that the Inotify package you have installed is only the client package that communicates with the kernel component; that doesn't ensure that the kernel supports Inotify.

Chema Martinez | IT Engineer — Wazuh, Inc.

Stephen Vemi

Jun 27, 2018, 11:18:22 AM
to Wazuh mailing list
lsof | grep -i inotify:

udevd       183           root    7r  a_inode       0,11        0       5416 inotify
agetty     3524           root    4r  a_inode       0,11        0       5416 inotify
agetty     3525           root    4r  a_inode       0,11        0       5416 inotify
agetty     3526           root    4r  a_inode       0,11        0       5416 inotify
agetty     3528           root    4r  a_inode       0,11        0       5416 inotify
agetty     3529           root    4r  a_inode       0,11        0       5416 inotify
agetty     3530           root    4r  a_inode       0,11        0       5416 inotify
agetty     3531           root    4r  a_inode       0,11        0       5416 inotify
dnsmasq    6321         nobody    8r  a_inode       0,11        0       5416 inotify

find . -name "inotify.h"
nothing there. Thanks.

Chema Martinez

Jun 27, 2018, 12:24:49 PM
to Stephen Vemi, Wazuh mailing list
Hi Stephen,

The agent Makefile needs to know whether it is in a Linux distribution to enable the Inotify flag. This check is done by the following command:

# sh -c 'uname -s 2>/dev/null || echo not'

If the output of that command is "not", it could mean two things: it is not a Linux distribution, or 'uname' is not installed in your custom OS (which could explain why the agent is not compiled with Inotify).

We could check which case is yours by running the command: # uname -s

Regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.

Stephen Vemi

Jun 27, 2018, 12:35:44 PM
to Wazuh mailing list
Hi, uname is there and shows "Linux".
Thanks,
Stephen

Chema Martinez

Jun 28, 2018, 6:01:58 AM
to Stephen Vemi, Wazuh mailing list
Hi again Stephen,

We are missing something that does not make sense; let's try to debug how your agent is compiled.

For this log message to appear: "realtime monitoring request on unsupported system for '/example'" necessarily means that the agent wasn't built with the "INOTIFY_ENABLED" flag, as we can see in the source code:

    /* Check for real time flag */
    if (opts & CHECK_REALTIME) {
#if defined(INOTIFY_ENABLED) || defined(WIN32)
        realtime_adddir(dir_name);
#else
        mwarn("realtime monitoring request on unsupported system for '%s'", dir_name);
#endif
    }

On the other hand, in the Makefile it checks if we are in a Linux system to enable that flag:

uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
...
ifeq (${uname_S},Linux)
DEFINES+=-DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE

So I think something is not working when building the Wazuh agent. Could you move to the Wazuh source code folder where you built the agent and run this command?

# make -C src settings

It should show us all the settings and flags enabled when building the agent. Here we have the output of this command in a Linux system:

localhost wazuh (3.3) # make -C src settings
make: se ingresa al directorio `/root/wazuh/src'

General settings:
    TARGET:           failtarget
    V:
    DEBUG:
    DEBUGAD
    PREFIX:           /var/ossec
    MAXAGENTS:        14000
    REUSE_ID:         no
    DATABASE:
    ONEWAY:           no
    CLEANFULL:        no
User settings:
    OSSEC_GROUP:      ossec
    OSSEC_USER:       ossec
    OSSEC_USER_MAIL:  ossecm
    OSSEC_USER_REM:   ossecr
Lua settings:
    LUA_PLAT:         posix
USE settings:
    USE_ZEROMQ:       no
    USE_GEOIP:        no
    USE_PRELUDE:      no
    USE_INOTIFY:      no
    USE_BIG_ENDIAN:   no
Mysql settings:
    includes:
    libs:
Pgsql settings:
    includes:
    libs:
Defines:
    -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT
Compiler:
    CFLAGS          -Wl,--start-group -O2 -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include
    LDFLAGS         -Lexternal/openssl/ -lm -lssl -lcrypto  -pthread -lrt -ldl
    CC              cc
    MAKE            make
make: se sale del directorio `/root/wazuh/src'

Where we can see the flags "-DLinux -DINOTIFY_ENABLED".

Regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
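The two checks Chema describes above (the Makefile's uname test that adds -DINOTIFY_ENABLED, and the `#if defined(INOTIFY_ENABLED)` branch in the agent that otherwise logs the "unsupported system" warning) can be exercised outside the agent with a small stand-alone program. The following is an added example, not Wazuh/OSSEC code: it uses the `__linux__` compiler macro in place of the Makefile's uname check, opens a real inotify watch on a temporary directory, creates a file in it and reports whether the kernel delivered the matching IN_CREATE event. It assumes a Linux system with glibc headers; on a toolchain where `<sys/inotify.h>` is missing (the situation Stephen's empty `find . -name "inotify.h"` showed) it fails to compile, which is itself the diagnostic, and on a non-Linux build it prints the agent's warning text and returns -1 instead.

```c
/* Added example (not Wazuh/OSSEC code): verify that inotify, the kernel
 * component the agent needs for real-time FIM, is usable on this build.
 * The #if below stands in for the agent's INOTIFY_ENABLED check. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

#if defined(__linux__)
#include <sys/inotify.h>   /* missing header => no inotify support in this toolchain */
#include <poll.h>
#define REALTIME_SUPPORTED 1
#else
#define REALTIME_SUPPORTED 0
#endif

/* 1 if this build can do inotify-based real-time monitoring, else 0. */
int realtime_supported(void) { return REALTIME_SUPPORTED; }

/* Watch `dir`, create the file `fname` inside it, and wait up to
 * `timeout_ms` for the kernel to report the matching IN_CREATE event.
 * Returns 1 if the event was seen, 0 if not (setup failure or timeout),
 * -1 if the platform has no inotify support (the agent's warning case). */
int watch_for_create(const char *dir, const char *fname, int timeout_ms)
{
#if defined(__linux__)
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) return 0;
    int wd = inotify_add_watch(ifd, dir, IN_CREATE | IN_MODIFY | IN_DELETE);
    if (wd < 0) { close(ifd); return 0; }

    /* Trigger an event by creating a file in the watched directory. */
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, fname) >= (int)sizeof path) {
        close(ifd);
        return 0;
    }
    int ffd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ffd < 0) { close(ifd); return 0; }
    close(ffd);

    /* Drain events until we see IN_CREATE for our file or the timeout hits. */
    int seen = 0;
    struct pollfd pfd = { .fd = ifd, .events = POLLIN, .revents = 0 };
    while (!seen && poll(&pfd, 1, timeout_ms) > 0) {
        char buf[4096] __attribute__((aligned(8)));
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0) break;
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if ((ev->mask & IN_CREATE) && ev->len && strcmp(ev->name, fname) == 0)
                seen = 1;
            p += sizeof *ev + ev->len;
        }
    }
    unlink(path);
    inotify_rm_watch(ifd, wd);
    close(ifd);
    return seen;
#else
    (void)fname; (void)timeout_ms;
    /* Same message the agent logs when built without INOTIFY_ENABLED. */
    fprintf(stderr, "realtime monitoring request on unsupported system for '%s'\n", dir);
    return -1;
#endif
}

/* Run the check in a fresh temporary directory and clean up afterwards. */
int self_test(void)
{
    char tmpl[] = "/tmp/rtfim-XXXXXX";   /* constructed scratch location */
    char *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    int r = watch_for_create(dir, "example.txt", 2000);
    rmdir(dir);
    return r;
}

int main(void)
{
    int r = self_test();
    printf("realtime_supported=%d event_seen=%d\n", realtime_supported(), r);
    return r == 1 ? 0 : 1;
}
```

A return of 1 means both halves of the chain the thread is about are in place: the headers let the program compile with the inotify branch selected, and the running kernel actually delivers watch events. If the program compiles but returns 0, the kernel or its limits (for example an exhausted watch budget) are the problem rather than the agent build.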

Stephen Vemi

Jun 28, 2018, 9:15:27 AM
to Wazuh mailing list
Hi Chema, I was missing Inotify from the build....thanks for your help! It is working now as expected!