ossec-remoted(1310): WARN: Invalid active response (execd) message


bw

Jul 17, 2012, 5:47:15 AM
to ossec...@googlegroups.com
I'm setting up a centralized ossec configuration, playing around. For
now I have a master with three agents. All of them are 2.6, downloaded
straight from ossec site.

Every once in a while (that is, while screwing around) I see that message

ossec-remoted(1310): WARN: Invalid active response (execd) message

and there are no more alerts from the agents in alert.log.

Searched the archives and all I've found was about an old bug that was
fixed and using different versions of master/agents.

I've seen it when using agents installed with yum via repo, thought it's
because of different versions, removed all agents and installed from
tgz, things went well for a while but now I've seen it again. It
happened when I restarted the master without stopping the agents, I
stopped everything, then started the master, then started the agents,
everything went back to normal. Tried several times restarting the
master again, all was good, I can't reliably reproduce it.

So is anything known about this? When does it happen and how can I avoid it?

bw

Jul 17, 2012, 9:01:30 AM
to ossec...@googlegroups.com
Attaching my ossec.conf and agent.conf. I know active response, for
example, isn't configured in the agent, but there it is, the conf that got
me the warning; I figured it would just ignore the sections that don't
belong. The only thing I left out is a few IPs in the whitelist. That's
what I changed when it happened, added another IP, but I changed it again
later and it was fine.

Attachments: ossec.conf, agent.conf

dan (ddp)

Jul 17, 2012, 9:54:11 AM
to ossec...@googlegroups.com
You can try adding the following debug to possibly see what's going
on. I don't see anything in the ossec.conf that should be causing
this. Also try running everything in debug mode.

--- ar-forward.c.orig Tue Jul 17 09:40:03 2012
+++ ar-forward.c Tue Jul 17 09:40:42 2012
@@ -58,6 +58,7 @@
/* Getting the location */
location = msg;

+ merror("DEBUG_ERROR: %s", msg);

/* Location is going to be the agent name */
tmp_str = strchr(msg, ')');
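Review bot: the added `merror("DEBUG_ERROR: %s", msg)` logs the whole raw message at error level before the `strchr(msg, ')')` split, so every event that passes through this path lands in ossec.log in full (keepalives carry a long run of random padding, syscheck messages carry paths and hashes); that is fine for a short trace but floods the log and should not be left in. Consider `debug1` or a truncating format such as `"%.64s"` for the first line, and a second message after the `strchr` check so the failing case also shows whether the `')'` delimiter was found at all.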

bw

Jul 18, 2012, 8:00:25 AM
to ossec...@googlegroups.com
> You can try adding the following debug to possibly see what's going
> on. I don't see anything in the ossec.conf that should be causing
> this. Also try running everything in debug mode.
>
> --- ar-forward.c.orig Tue Jul 17 09:40:03 2012
> +++ ar-forward.c Tue Jul 17 09:40:42 2012
> @@ -58,6 +58,7 @@
> /* Getting the location */
> location = msg;
>
> + merror("DEBUG_ERROR: %s", msg);
>
> /* Location is going to be the agent name */
> tmp_str = strchr(msg, ')');
>

Did that. Added the line on the server, enabled level 2 debugging on both
the server and one of the agents for remoted and agentd. The logs don't look
very informative to me, but here are some samples. All of these are logs from
the server; there was nothing on the agents:


2012/07/18 14:33:10 DEBUG_ERROR: 1:(www)
10.XXX.XXX.XXX->ossec-keepalive:--MARK--:
X5]'DhmWi*'l3Ed-v_2889.#zJC3SvSj[]Q@clBY,urZY8/CWiey*PTY'D9LY9ca5St73U%hx?pD81ny9sfc7g10J(TQWVQvW!K7#s^RsM+[hc6y8tA;zJa9wUtAjrV5J?+4s4p;kS(5VS.@#@3T34!HsL7^3w.U9(sJ/IBW[nv.o69IL_]WS6.sl4Qw[N*m$RVt'=^CeSz6sQilFe8Fs5g*(WiuRHG#;,?A)%2F%]ga[oZz6BmGPssBw%VvpKPVGO+7!?gSJmaD^ik.=wEG.Wp7EtLb3[WdJ[!1'yoC'258!xn2URQ?ho6'+l[SU?d.HvY

2012/07/18 14:33:10 ossec-remoted(1310): WARN: Invalid active response
(execd) message '1:(www'.

---

2012/07/18 14:33:15 DEBUG_ERROR: 1:(other_www)
192.168.XXX.XX->ossec-keepalive:--MARK--:
,J;o.aCMTO'T?$cK&@p5dim^0Nw54#kiqQx1RZWSV.TU@VNVAk9(s+j(&FR,0jfy0&Hl=.lMJ4Oot]rcf[_@xLYh&jS;tXqB+Y[udf6M920Kg([luw=S7.hagZ;$4jiT7cvsV]5#gzrmZl@_IkGXhNXohQJthSvwcQOY[nEa]dmU3=ITcwkj!8@z6pa$pvdr#?x6nk6inA2&rTD7^O*b4e%(7^h-SYW#XBM!L0AZ[L=0/vBvr0@D5b3Gy!@*C^X'kSmW0M3V=U3DxMh,h($uBKi0o)'Qk

2012/07/18 14:33:15 ossec-remoted(1310): WARN: Invalid active response
(execd) message '1:(other_www'.

---

The rest of the DEBUG_ERROR messages look like normal things going on
and don't generate a 1310 warning:

2012/07/18 14:35:42 DEBUG_ERROR: 1:(mail)
10.XXX.XXX.YYY->/var/log/maillog:Jul 18 14:35:40 mail
postfix/smtpd[44622]: connect from localhost.localdomain[127.0.0.1]


When restarting the server while syscheck was running on the agents I got
a flood of:

---
2012/07/18 12:26:42 DEBUG_ERROR: 8:(www)
10.XXX.XXX.XXX->syscheck:46591:33188:48:0:77eb74f032cc70f2c254f29d4e764acb:510b36fbd2a8caa608d95372a62012a27840bf15
/var/www/html/userfiles/photos/album/005.jpg

2012/07/18 12:26:42 ossec-remoted(1310): WARN: Invalid active response
(execd) message '8:(www'.

2012/07/18 12:26:42 DEBUG_ERROR: 8:(www)
10.XXX.XXX.XXX->syscheck:30841:33188:48:0:acf858c163e98b6f9696c8b296228d3e:0cc8a108c59cb2f5c1de666af87e9645e1d6213c
/var/www/html/userfiles/photos/album/thumb-005 (8).JPG

2012/07/18 12:26:42 ossec-remoted(1310): WARN: Invalid active response
(execd) message '8:(www'.
---


The server is listening on all interfaces and serving two networks,
192.168. and 10.; some agents connect to the server's 10. IP, some to
the 192.168. one. That might be uncommon and relevant?
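Since the 1310 warning coincides with agents going silent, it is worth watching for. Below is an added example (my code, not from this thread or the OSSEC project) that scans the server's ossec.log for the 1310 warning and pairs each one with the DEBUG_ERROR record that the patch above prints just before it, so the agent and location of the rejected message are visible; it assumes the record layout shown in the thread, joins wrapped continuation lines, and runs on a constructed sample log with made-up IPs and hashes.

```python
# Added example: correlate ossec-remoted 1310 warnings with the preceding DEBUG_ERROR record.
import re

# Record layout seen in the thread: "<queue id>:(<agent>) <ip>-><location>:<payload>"
EVENT_RE = re.compile(r"^(?P<qid>\d+):\((?P<agent>[^)]+)\)\s+(?P<ip>\S+?)->"
                      r"(?P<location>[^:]+):(?P<payload>.*)$", re.S)
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
DEBUG_RE = re.compile(r"^\S+ \S+ DEBUG_ERROR: (?P<msg>.*)$", re.S)
WARN_RE = re.compile(r"ossec-remoted\(1310\): WARN: Invalid active response "
                     r"\(execd\) message '(?P<frag>[^']*)'")

# Constructed sample in the shape of the thread's output; IPs and hashes are made up.
SAMPLE_LOG = """\
2012/07/18 12:26:42 DEBUG_ERROR: 8:(www) 10.0.0.5->syscheck:46591:33188:48:0:HASH1:HASH2 /var/www/html/a.jpg
2012/07/18 12:26:42 ossec-remoted(1310): WARN: Invalid active response
(execd) message '8:(www'.
2012/07/18 14:33:10 DEBUG_ERROR: 1:(www) 10.0.0.5->ossec-keepalive:--MARK--:X5]'DhmWi*'l3Ed
2012/07/18 14:33:10 ossec-remoted(1310): WARN: Invalid active response (execd) message '1:(www'.
2012/07/18 14:35:42 DEBUG_ERROR: 1:(mail) 10.0.0.7->/var/log/maillog:Jul 18 14:35:40 mail postfix/smtpd[44622]: connect from localhost
"""

def join_records(text):
    """Glue wrapped continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_event(msg):
    # Split a queued event into queue id, agent, source ip, location and payload.
    m = EVENT_RE.match(msg)
    return m.groupdict() if m else None

def find_invalid_ar(text):
    """Pair each 1310 warning with the DEBUG_ERROR event logged just before it."""
    hits, last = [], None
    for rec in join_records(text):
        d = DEBUG_RE.match(rec)
        if d:
            last = parse_event(d.group("msg"))
            continue
        w = WARN_RE.search(rec)
        if w:
            hits.append({"ts": rec[:19], "fragment": w.group("frag"),
                         "agent": last and last["agent"], "location": last and last["location"]})
            last = None
    return hits
```

Run it against the real ossec.log by replacing SAMPLE_LOG with the file contents; a burst of hits for one agent followed by silence from it is the pattern described in this thread.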

dan (ddp)

Jul 18, 2012, 10:08:36 AM
to ossec...@googlegroups.com
It might be. I've never tried it. I've also never seen this error. You
can remove the debugging, it doesn't really show me anything too
useful.

You should also remove the useless junk from the agent.conf. There's
absolutely no need for the email configuration or the rules. Maybe
combine the sections that should be combined (combine all wwws
together). But since you don't have any active response defined for
any agents I don't think this really is an issue.

You could try pulling the latest source and giving that a shot. This
is a really odd issue, and I can't see anything that should be causing
it.