Unable to install OSSEC Agent


Andy

Apr 20, 2020, 2:12:18 PM
to ossec-list
I am unable to install the ossec agent on a centos 7 server.  I get this error:
In file included from ./headers/shared.h:215:0,
                 from client-agent/sendmsg.c:10:
./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such file or directory
 #include <pcre2.h>

After installing pcre-devel, it still fails with this error. 

Vicente Munoz

Apr 20, 2020, 2:19:21 PM
to ossec...@googlegroups.com

If I’m not mistaken you have to add the following variable before being able to compile OSSEC in newer versions:

 

PCRE2_SYSTEM=yes

 

VR,

Vicente Muñoz (ACSE)

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/87a1b5ac-5b1d-476c-bda7-1c1dfc8cdae3%40googlegroups.com.

Andy

Apr 20, 2020, 4:22:25 PM
to ossec-list
Where do I add this variable? 



Zach Vanderbilt

Apr 20, 2020, 4:27:42 PM
to ossec...@googlegroups.com
Hey Andy,

You either need to rerun the install.sh with "PCRE2_SYSTEM=yes ./install.sh" or you can edit the makefile in /src. Since the build is failing on that library already you probably just need to cd /src and "make clean" and then reattempt installation. You could also delete the directory you got after decompressing the tarball, decompress it again and then run the installer.

Hope this helps!


David Williams

Apr 20, 2020, 5:30:51 PM
to ossec...@googlegroups.com
Andy,
I believe there are separate pcre2 packages. I have these installed:

pcre-8.32-17.el7.x86_64
pcre2-utf16-10.23-2.el7.x86_64
pcre2-10.23-2.el7.x86_64
pcre2-devel-10.23-2.el7.x86_64
pcre-8.32-17.el7.i686
pcre2-utf32-10.23-2.el7.x86_64


-David

--

GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/


Luke Boguslaw

Apr 20, 2020, 7:44:17 PM
to ossec...@googlegroups.com
It is telling me that pcre-utf does not exist, and pcre-devel is already installed. 


David Williams

Apr 20, 2020, 10:34:19 PM
to ossec...@googlegroups.com
Andy,
How about this:
yum info pcre2-devel
Note the "2:" pcre2-devel
-David

Mohit Gupta

Apr 21, 2020, 6:36:44 AM
to ossec-list
Hi Team,

Good Morning/Afternoon/Evening.

I was trying to install ossec agent on one of my machines but am getting the below error on control start up.

---------------------
2020/04/21 07:31:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2020/04/21 07:31:49 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2020/04/21 07:31:57 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2020/04/21 07:31:57 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2020/04/21 07:32:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2020/04/21 07:32:10 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start
---------------------

Where we have added Agent at server side and extracted key to add agent.

Kindly assist here for same.

Note - We have kernel difference b/w server and client.

Server has below version :

Linux <Server Hostname> 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux


Client has below version :

Linux <Client Hostname> 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

dan (ddp)

Apr 21, 2020, 7:02:21 AM
to ossec...@googlegroups.com
On Mon, Apr 20, 2020 at 10:34 PM David Williams <dave...@kayakero.net> wrote:
>
> Andy,
> How about this:
> yum info pcre2-devel
> Note the "2:" pcre2-devel
> -David
>

This should be the answer right here. Use pcre2, not pcre.

dan (ddp)

Apr 21, 2020, 7:04:02 AM
to ossec...@googlegroups.com
This does not look related to this thread. Reply in-line.

On Tue, Apr 21, 2020 at 6:36 AM Mohit Gupta <mohitg...@gmail.com> wrote:
>
> Hi Team,
>
> Good Morning/Afternoon/Evening.
>
> I was trying to install ossec agent on one of my machine but getting below error on control start up.
>
> ---------------------
> 2020/04/21 07:31:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:49 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:57 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:57 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:32:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:32:10 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> ossec-syscheckd did not start
> ---------------------
>

These messages are from the agent machine?
Are there any error messages in the ossec.log file on the agent before
these messages?

> Where we have added Agent at server side and extracted key to add agent.
>
> kindly assist here for same.
>
> Note - We have kernel difference b/w server and client.
>
> Server has below version :
>
> Linux <Server Hostname> 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Client has below version :
>
> Linux <Client Hostname> 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>

Luke Boguslaw

Apr 21, 2020, 7:49:54 AM
to ossec...@googlegroups.com
I did a make clean, then ran install with PCRE2_SYSTEM=yes, but am getting this error now:
image.png


dan (ddp)

Apr 21, 2020, 9:37:56 AM
to ossec...@googlegroups.com
The installation documentation has a list of prerequisite packages that should be installed. In this case it’s libevent-devel.

Luke Boguslaw

Apr 21, 2020, 10:29:01 AM
to ossec...@googlegroups.com
I also had to install zlib-devel.
But now I get this error:
image.png
So I install openssl, but it says it is already installed... 

dan (ddp)

Apr 21, 2020, 11:15:24 AM
to ossec...@googlegroups.com
Message has been deleted

Andy

Apr 21, 2020, 1:40:13 PM
to ossec-list
This fixed it, thanks!
What is the difference b/w openssl and the devel option?

dan (ddp)

Apr 21, 2020, 1:48:45 PM
to ossec...@googlegroups.com
Openssl is what you need to run binaries, the devel version is what you need to build the binaries. A precompiled version of ossec probably only needs the openssl package.
I don’t know why they broke it up into 2 packages, but it’s not my decision. 
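
A pre-flight check for the build failures worked through in this thread, as an added example that is not part of the original posts or of OSSEC itself. It looks for the header each -devel package ships before the installer is run; the header paths and the openssl-devel package name are assumptions based on standard CentOS 7 packaging, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check for the build-time headers an OSSEC source install
# needs on CentOS 7 before running the installer.
# Assumption: header paths and the openssl-devel name follow stock CentOS 7
# packaging; the other package names are the ones given in the thread.

# header (relative to the include dir) : yum package that ships it
OSSEC_BUILD_DEPS='pcre2.h:pcre2-devel
event.h:libevent-devel
zlib.h:zlib-devel
openssl/ssl.h:openssl-devel'

# Print, one per line, the packages whose header is missing under $1
# (default /usr/include). Prints nothing when every header is present.
missing_build_deps() {
    incdir=${1:-/usr/include}
    printf '%s\n' "$OSSEC_BUILD_DEPS" | while IFS=: read -r header pkg; do
        [ -f "$incdir/$header" ] || printf '%s\n' "$pkg"
    done
}

# Report what to install, or the installer invocation to run next.
# Returns 0 when the build can proceed, 1 when headers are missing.
preflight() {
    missing=$(missing_build_deps "$1" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "missing headers; run: yum install -y ${missing% }"
        return 1
    fi
    echo "headers present; run: PCRE2_SYSTEM=yes ./install.sh"
}

# Run the check only when asked: sh preflight.sh --check [include-dir]
case "${1:-}" in
    --check) preflight "${2:-}" ;;
esac
```

The runtime packages (pcre2, openssl) can be installed while this check still fails, because only the -devel packages carry the headers the compiler needs.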
