OSSEC on Raspberry Pi 2


Jedi Meister

Oct 15, 2015, 8:50:34 AM
to ossec-list
Hi,

I'm currently migrating OSSEC from Ubuntu 14.04 (x64) to a Raspberry Pi 2 running Ubuntu 14.04 (arm). As there is no binary build, I built everything from source. I copied the running config from the Ubuntu host to the Raspberry.

When I start OSSEC, the agents cannot connect to it.

I searched the list and found something similar at:
https://www.mail-archive.com/ossec...@googlegroups.com/msg09198.html

That was a case where the agents could not connect to the Red Hat system but could connect to a CentOS system in the same network.

It's the same here. The firewall is open and the agents send data:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

14:46:42.590610 IP static.xx.xx.xx.xx > 10.23.23.2.1514: UDP, length 441


Log files:
2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534).
2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2015/10/15 14:29:42 ossec-syscheckd: INFO: Started (pid: 32527).
2015/10/15 14:29:42 ossec-rootcheck: INFO: Started (pid: 32527).

Any ideas what could be the cause of the server not accepting connections? The same setup with the same config is running fine on the Intel Ubuntu.

Brgs
Daniel

dan (ddp)

Oct 15, 2015, 8:52:51 AM
to ossec...@googlegroups.com
You didn't give us much to go on. Did you create a new key for this agent?
Did you install it?
Did you restart the OSSEC processes after adding the key?
Are you sure there's no firewall on the OSSEC manager blocking the traffic?
Are there any logs from the manager's ossec.log file that might hint
at the problem?


Jedi Meister

Oct 15, 2015, 9:44:39 AM
to ossec-list
Sorry,

> You didn't give us much to go on. Did you create a new key for this agent?
Yes, new keys were generated on the Raspberry for the agents.

> Did you install it?
I used the install.sh method of the installation tar.gz.

> Did you restart the OSSEC processes after adding the key?
Yes, restart of OSSEC and restart of the system.

> Are you sure there's no firewall on the OSSEC manager blocking the traffic?
Correct, iptables is flushed; the firewall before let the OSSEC communication pass (as I received the data with the same rule on the old system).

> Are there any logs from the manager's ossec.log file that might hint
> at the problem?
No, there is no indication. I included the full log:

2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Total rules enabled: '1310'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '10.23.23.123'
2015/10/15 15:42:18 ossec-analysisd: INFO: 2 IPs in the white list for active response.
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2015/10/15 15:42:18 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2015/10/15 15:42:18 ossec-analysisd: INFO: Started (pid: 5595).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: '7:3538'.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
2015/10/15 15:42:19 ossec-monitord: INFO: Started (pid: 5614).
2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2015/10/15 15:42:23 ossec-syscheckd: INFO: Started (pid: 5610).
2015/10/15 15:42:23 ossec-rootcheck: INFO: Started (pid: 5610).
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring output of command(360): df -h
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2015/10/15 15:42:24 ossec-logcollector: INFO: Started (pid: 5599).
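The two startup logs in this thread differ in one place worth noticing: after "Reading authentication keys file", the working log has an "Assigning counter for agent hal" line and the failing one has nothing. The script below is an added example (not code from the thread or from the OSSEC project) that turns dan's checklist into a check over ossec.log: it isolates the most recent keys-file load, lists the agents whose counters ossec-remoted assigned, and reports ERROR/WARN lines after that point. It assumes the 2.x-era log format shown above and that ossec-remoted logs the per-agent counter line only for agents that already have a counter file under queue/rids, so a freshly added agent gets no line on its first start; the finding text says so rather than treating the missing line as proof of a bad client.keys. The sample log lines are constructed from the two posts above.

```python
"""Heuristic reading of an OSSEC manager's ossec.log for 'agents cannot connect'.

Added example, not code from the thread or from the OSSEC project. Assumes the
2.x-era log format shown in the thread and that ossec-remoted writes one
'Assigning counter for agent NAME' line, right after reading client.keys, for
every agent that already has a counter file under queue/rids (an agent added
since the last start has no such file yet, so it gets no line).
"""
import re
from typing import Dict, List, Tuple

KEYS_READ = "ossec-remoted(1410): INFO: Reading authentication keys file"
AGENT_COUNTER = re.compile(
    r"ossec-remoted: INFO: Assigning counter for agent (\S+): '(\d+):(\d+)'")
PROBLEM = re.compile(r": (ERROR|WARN): ")

# Constructed samples: the remoted lines from the two startup logs in the thread.
FAILING_LOG = """\
2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534).
"""
WORKING_LOG = """\
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: '7:3538'.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
"""


def last_keys_load(log_text: str) -> List[str]:
    """Lines from the most recent keys-file load to the end of the log.

    The per-agent counter lines follow the (1410) line directly, so this
    isolates the current agent set even when the log spans several restarts.
    """
    lines = log_text.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if KEYS_READ in lines[i]:
            return lines[i:]
    return []


def loaded_agents(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Agent name -> (global, local) message counter from the last keys load."""
    agents: Dict[str, Tuple[int, int]] = {}
    for line in last_keys_load(log_text):
        m = AGENT_COUNTER.search(line)
        if m:
            agents[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return agents


def diagnose(log_text: str) -> List[str]:
    """Manager-side findings for the checklist in this thread, as plain strings."""
    findings: List[str] = []
    tail = last_keys_load(log_text)
    if not tail:
        findings.append(
            "ossec-remoted never logged 'Reading authentication keys file': "
            "check it is running ('ossec-control status') and that ossec.conf "
            "has a <remote><connection>secure</connection> block")
        return findings
    if not loaded_agents(log_text):
        findings.append(
            "keys file read but no 'Assigning counter for agent' line followed: "
            "normal on the first start after a key was added (no counter file "
            "in queue/rids yet); otherwise verify the entries in client.keys, "
            "that the ossec user can read it, and that each entry's IP matches "
            "the source address tcpdump shows on udp/1514")
    # Any ERROR/WARN logged after the keys load (e.g. a rejected message)
    findings.extend(line for line in tail if PROBLEM.search(line))
    return findings


if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, "agents:", loaded_agents(text))
        for finding in diagnose(text):
            print("  -", finding)
```

On a real manager, feed it the whole file (`diagnose(open("/var/ossec/logs/ossec.log").read())`); only the lines after the last keys load are interpreted, so earlier restarts do not produce stale findings.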

Jedi Meister

Oct 15, 2015, 9:50:38 AM
to ossec-list
So,

I rebuilt the server with the SAME tar.gz file and restarted it.

Now I receive the alerts from the clients.

** Alert 1444916936.103875: - syslog,sshd,authentication_failed,
2015 Oct 15 15:48:56 (hal) 78.46.76.44->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 80.87.168.98
User: itsolutions
Oct 15 15:48:55 hal sshd[21772]: Failed password for foobar from 80.87.168.98 port 55976 ssh2


VERY strange. But anyway, it works now.

Thanks for the help!!

Shaharyar Chaudhry

Feb 7, 2016, 6:04:52 PM
to ossec-list
Hey, I was wondering how you got the OSSEC agent to work on the RPi; is there a guide for this? I am trying to get the agent on my RPi 2 model to work. Any help would be great.

Cheers :)

Jan Andrasko

Feb 9, 2016, 8:25:03 AM
to ossec...@googlegroups.com
Hello Shaharyar,

Compiling from source works just fine.

Jan