Wazuh installation problem


Hans-Ulrich Hohn

Sep 4, 2017, 6:18:29 AM
to wa...@googlegroups.com
Dear List,
starting to install wazuh according to the documentation, I got the
following error message:

yum install wazuh-manager
Loaded plugins: fastestmirror, priorities
epel | 4.3 kB  00:00:00
gridka-sl-mirror | 3.7 kB  00:00:00
gridka-sl-security-mirror | 2.9 kB  00:00:00
gridka_augeas |  951 B  00:00:00
kit-icinga | 2.9 kB  00:00:00
https://packages.wazuh.com/yum/rhel/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
Your system is not authorized to use this resource.

Please contact the resource provider.

...

failure: repodata/repomd.xml from wazuh_repo: [Errno 256] No more mirrors to try.
https://packages.wazuh.com/yum/rhel/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden

The OS is Scientific Linux release 7.3 (Nitrogen).
Opening the URL (https://packages.wazuh.com/yum/rhel/7/x86_64/repodata/repomd.xml) in
any web browser leads to a similar error situation:

<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>EF759B26E0F91676</RequestId>
    <HostId>5dTUojoTQut4x6JrOKIh7n2UKHkmFW4BWMQLxRUM7nejLspRTB3RAsd0R8cr9NjH3LYdJKWMmdI=</HostId>
</Error>

Thank you for your help,
Hans-Ulrich

--
--------------------------------------------------------------
Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)

Hans-Ulrich Hohn

Hermann-von-Helmholtz-Platz 1, Gebaeude 449, Raum 225
D-76344 Eggenstein-Leopoldshafen

Tel: +49 721 608 2 4955
Fax: +49 721 608 92 4955
+49 721 608 2 4972
Email: hans-ulr...@kit.edu
www.kit.edu

KIT - Universitaet des Landes Baden-Wuerttemberg und
nationales Grossforschungszentrum in der Helmholtz-Gemeinschaft

Pedro Sánchez

Sep 4, 2017, 6:34:26 AM
to Hans-Ulrich Hohn, Wazuh mailing list
Hi Hans,

When adding the repository in your OS, the $releasever variable in the wazuh.repo file will be populated with your RHEL version; in your case, it has been filled with version "7" instead of version "7Server", and the latter is what we are currently covering in our online repositories.
Let me get some details about it. I think we should have both versions covered in our repositories (7Server and 7, 6Server and 6); the packages contained in those folders will be identical. I will get back to you in a few hours.

In the meantime, you can fix your issue by replacing your baseurl manually like this:

1. Open /etc/yum.repos.d/wazuh.repo
2. Replace the current content by:

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=RHEL-7Server - Wazuh
baseurl=https://packages.wazuh.com/yum/rhel/7Server/$basearch
protect=1

3. Try to install the manager again:

yum install wazuh-manager 


Best regards,
Pedro. 



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0b1e50ff-dcbf-3827-a3a3-e3146703807f%40kit.edu.
For more options, visit https://groups.google.com/d/optout.
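Added example, not code from the thread or from Wazuh: it applies the workaround above to a wazuh.repo text (pinning $releasever to the "7Server" path the repository actually serves) and then checks that the rewritten repo still verifies package signatures over HTTPS. The ORIGINAL_REPO text is a constructed copy of the generic repo definition; the "N" to "NServer" mapping is the one Pedro describes, not a Wazuh API.

```python
import configparser
import re

# Constructed sample of the generic repo definition; on Scientific Linux 7
# yum expands $releasever to "7", which is the path that returned 403.
ORIGINAL_REPO = """[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=RHEL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/rhel/$releasever/$basearch
protect=1
"""

def pin_releasever(repo_text: str, releasever: str) -> str:
    """Return repo_text with $releasever replaced by the '<N>Server' form
    (assumed mapping, following the thread's workaround)."""
    pinned = releasever if releasever.endswith("Server") else releasever + "Server"
    return repo_text.replace("$releasever", pinned)

def check_repo(repo_text: str) -> dict:
    """Parse the .repo file (INI syntax) and report the settings a defender
    wants to confirm after hand-editing: GPG checking still on, key and
    packages fetched over HTTPS, and which release path is used."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    sec = cp["wazuh_repo"]
    baseurl = sec.get("baseurl", "")
    return {
        "gpgcheck": sec.get("gpgcheck") == "1",
        "https_key": sec.get("gpgkey", "").startswith("https://"),
        "https_baseurl": baseurl.startswith("https://"),
        "release_path": re.search(r"/rhel/([^/]+)/", baseurl).group(1),
    }

if __name__ == "__main__":
    fixed = pin_releasever(ORIGINAL_REPO, "7")
    print(fixed)
    print(check_repo(fixed))
```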

Hans-Ulrich Hohn

Sep 4, 2017, 6:41:57 AM
to Pedro Sánchez, Wazuh mailing list
Dear Pedro,

thank you for the super fast answer and the workaround (which worked perfectly for me).

With best regards, Hans-Ulrich

Hans-Ulrich Hohn

Sep 5, 2017, 9:29:56 AM
to wa...@googlegroups.com
Dear List,

starting to configure Wazuh for the first time, I wonder about the
missing e-mail alerts for new, changed or deleted files. What I did is,
on the manager:

vi /var/ossec/etc/ossec.conf
<ossec_config>
...
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>mailhost.anywhere.on.earth.</smtp_server>
    <email_from>WazuhServer...@anywhere.on.earth</email_from>
    <email_to>m...@anywhere.on.earth</email_to>
    <email_maxperhour>32</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>m...@anywhere.on.earth</email_to>
    <event_location>001|a01-210-210|10.97.210.210</event_location>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <!-- 550 changed, 553 deleted, 554 added -->
  <email_alerts>
    <email_to>m...@anywhere.on.earth</email_to>
    <event_location>001|a01-210-210|10.97.210.210</event_location>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>3600</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin,/boot</directories>
  </syscheck>
...
</ossec_config>

On Manager and on Agent (a01-210-210) I did a
"/var/ossec/bin/ossec-control restart".

Then I went to the Agent and created a file in one of the observed
directories:

touch /etc/test

After that I triggered a syscheck for all agents on manager:

/var/ossec/bin/agent_control -r -a

But I never got any e-mail notification about the new file added :-( ....

Maybe someone sees what I did wrong. Thx & with best regards,
Hans-Ulrich

PS: the "anywhere.on.earth"-stuff is only a placeholder for the real values.

Miguelangel Freitas

Sep 6, 2017, 2:07:45 PM
to Hans-Ulrich Hohn, Wazuh mailing list
Hi Hans,

Sorry for the late reply.

The settings configured under the <syscheck> tag are applied locally, meaning that any syscheck configuration made in the local ossec.conf file affects the machine where that file resides. Also, you need to restart the Agent or the Manager in order to apply the changes made to the ossec.conf file.

Take into account that the real-time engine is fully started after some time; the following log line must appear in the ossec.log file, either on the Agent or on the Manager, indicating that it is fully initiated:

2017/09/05 21:43:55 ossec-agent: INFO: INFO: Starting syscheck real-time monitoring.

After that, you should see real-time file change alerts. You could see here all options regarding

The <email_alert_level> tag has precedence over the <email_alerts> configuration, so you need to lower the level there in order to receive alerts coming from rule 554, which has level 5:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>5</email_alert_level>
  </alerts>

Another option is to overwrite rule 554 so that it complies with the <email_alert_level> in your configuration (save it into local_rules.xml):

<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>

I hope it helps.

Best regards.

Miguelangel Freitas
Security Engineer

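Added example, not code from the thread or from Wazuh: a small model of the gating Miguelangel describes, run over a constructed, simplified copy of the ossec.conf fragment posted above. It reproduces why rule 554 was never e-mailed with the original settings and checks both suggested fixes (lowering <email_alert_level>, or overwriting rule 554 at level 7). Rule 554 being level 5 is from the thread; the level-7 values assumed for rules 550 and 553 are not stated on the page.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified copy of the manager's ossec.conf from the thread
# (the placeholder address is kept as in the original post).
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>m...@anywhere.on.earth</email_to>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>"""

# 554 (file added) is level 5 per the thread; the level-7 values for
# 550 (changed) and 553 (deleted) are assumed stock levels, not from the page.
STOCK_RULE_LEVELS = {"550": 7, "553": 7, "554": 5}

# The overwrite suggested for local_rules.xml, as posted in the thread.
LOCAL_RULE_554 = """<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>"""

def effective_levels(stock, local_rules_xml=None):
    """Apply overwrite="yes" rules from local_rules.xml to the stock levels."""
    levels = dict(stock)
    if local_rules_xml:
        for rule in ET.fromstring(local_rules_xml).iter("rule"):
            if rule.get("overwrite") == "yes":
                levels[rule.get("id")] = int(rule.get("level"))
    return levels

def would_email(conf_xml, rule_id, levels):
    """Model of the precedence described above: the global <email_alert_level>
    gate is applied first; only alerts that pass it can be matched by a
    granular <email_alerts> section (a section without <rule_id> matches all)."""
    root = ET.fromstring(conf_xml)
    threshold = int(root.findtext("alerts/email_alert_level"))
    if levels[rule_id] < threshold:
        return False
    for section in root.findall("email_alerts"):
        ids = section.findtext("rule_id")
        if ids is None or rule_id in [i.strip() for i in ids.split(",")]:
            return True
    return False
```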

Hans-Ulrich Hohn

Sep 7, 2017, 6:33:42 AM
to Miguelangel Freitas, Wazuh mailing list
Hi Miguelangel & list,

Thx for the explanation and guidance. I did not recognize any "late reply". I'm very impressed by the response time and the quality of the answers here on this list. Thank you very much for making my first contact with wazuh much easier.

Your description worked perfectly for me. Now I'm getting email alerts about new files in realtime.

Thank you very much Miguelangel
Hans-Ulrich