OSSEC fails to start after install from RPM on RHEL7

2,487 views
Skip to first unread message

Felix Martel

unread,
Apr 6, 2017, 10:30:29 PM4/6/17
to ossec-list
Hello,

Not finding any useful information regarding my problems anywhere. I'm new to OSSEC HIDS. I played around a little bit with an appliance version, but now want to install it on a DevOps host.

I just did a fresh install of OSSEC HIDS from the atomicorp repo. Install seemed to go normally, although none of the usual installation questions were asked with respect to the questions asked by /install.sh in the manual (ie installation type, e-mail address, notifications, different engines, etc.). Haven't found any instructions on how to do those configuration steps post-install either.

Anyways, I installed using the command

yum install ossec-hids ossec-hids-server


Everything seemed normal. No error messages during the installation.

After the installation, I attempted to start OSSEC-HIDS with the command

/etc/init.d/ossec-hids start

At this point I got an error "Command not found".

I rebooted the server and was then able to run the command. At this point I got the following errors:

Starting ossec-hids (via systemctl):  Job for ossec-hids.service failed because the control process exited with error code. See "systemctl status ossec-hids.service" and "journalctl -xe" for details.
                                                           [FAILED]


I then ran journalctl -xe and gotr the following output:

-- Unit ossec-hids.service has begun starting up.
Apr 06 21:35:48 RHEL7HOST realmd[1698]: quitting realmd service after timeout
Apr 06 21:35:48 RHEL7HOST realmd[1698]: stopping service
Apr 06 21:36:01 RHEL7HOST ossec-hids[2382]: Starting ossec-hids: [FAILED]
Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service: control process exited, code=exited status=1
Apr 06 21:36:01 RHEL7HOST systemd[1]: Failed to start SYSV: OSSEC-HIDS is an Open Source Host-based Intrusion Detection System..
-- Subject: Unit ossec-hids.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ossec-hids.service has failed.
--
-- The result is failed.
Apr 06 21:36:01 RHEL7HOST systemd[1]: Unit ossec-hids.service entered failed state.
Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service failed.

I'm stumped. What I find really curious is the fact that realmd seems to stop (and immediately restarts after the failed start). Any help appreciated.







Victor Fernandez

unread,
Apr 7, 2017, 4:16:27 AM4/7/17
to ossec...@googlegroups.com
Hi Felix,

I followed your steps and got the same result. Maybe the OSSEC log could help us:

root@centos ~]# tail /var/ossec/logs/ossec.log
2017/04/07 00:59:35 ossec-testrule: INFO: Reading local decoder file.
2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303).
2017/04/07 00:59:50 ossec-maild(1501): ERROR: Invalid SMTP Server: smtp.example.com.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

I think that the problem is that email notifications are enabled but no valid SMTP server is configured, so if you get the same error edit file "/var/ossec/etc/ossec.conf" and try to configure the email settings, or disable email notifications if you won't use them:

<global>
  <email_notification>no</email_notification>
  <email_to>danie...@example.com</email_to>
  <smtp_server>smtp.example.com.</smtp_server>
  <email_from>oss...@ossec.example.com.</email_from>
</global>

Then try to start OSSEC again:

[root@centos ~]# systemctl start ossec-hids

[root@centos ~]# systemctl status ossec-hids

ossec-hids.service - SYSV: OSSEC-HIDS is an Open Source Host-based Intrusion Detection System.

   Loaded: loaded (/etc/rc.d/init.d/ossec-hids; bad; vendor preset: disabled)

   Active: active (running) since Fri 2017-04-07 01:03:08 PDT; 6s ago

     Docs: man:systemd-sysv-generator(8)

  Process: 2386 ExecStart=/etc/rc.d/init.d/ossec-hids start (code=exited, status=0/SUCCESS)

   CGroup: /system.slice/ossec-hids.service

           ├─2414 /var/ossec/bin/ossec-execd

           ├─2418 /var/ossec/bin/ossec-analysisd

           ├─2422 /var/ossec/bin/ossec-logcollector

           ├─2433 /var/ossec/bin/ossec-syscheckd

           └─2437 /var/ossec/bin/ossec-monitord


Hope it help.

Best regards.


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

Felix Martel

unread,
Apr 7, 2017, 8:34:09 AM4/7/17
to ossec-list
Thanks Victor. Feeling a little sheepish right now. I checked just about every log except that one... :-)
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages