install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

[Eduardo Reichert Figueiredo]

When i install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) i have a problem to ossec-remoted and ossec-auth, this services cant bind ports 1514, log error below.

I generated my certificated with commands "openssl genrsa -out" and "openssl req -new -x509 -key ".

##Log OSSEC.LOG

2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.

2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'

2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.

2017/03/21 11:34:34 getaddrinfo: Name or service not known

2017/03/21 11:34:34 getaddrinfo: Name or service not known

2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'

2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).

2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).

2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...

2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).

2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.

2017/03/21 11:35:47 getaddrinfo: Name or service not known

2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514

in other cases for unable to bind port 1514, my error was my client.keys, but now i have a new error "getaddrinfo".

Can you help me?

Kind regards

[Victor Fernandez]

Hi Eduardo,

It seems that the error from "getaddrinfo" does not show which process logs it, but both remoted and authd processes are logging errors.

Could you share your <remote> configuration and the command that you use to run ossec-authd? It could be very useful for us to help you.

Best regards.

[Eduardo Reichert Figueiredo]

Hi Victor, bellow my remote configurations in ossec.conf

 <remote>

    <connection>syslog</connection>

    <allowed-ips>0.0.0.0/0</allowed-ips>

  </remote>

  <remote>

    <connection>secure</connection>

  </remote>

About command for run the proccess ossec-authd "/var/ossec/bin/ossec-authd -p 1514 >/dev/null 2>&1 &" but this process "exit" in seconds.

I try use <port>1514</port1514>  but dont have success. 

[dan (ddp)]

On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo
<eduardo....@hotmail.com> wrote:
> When i install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) i have

Is IPv6 totally disabled for your system (support for IPv6 was removed)?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Eduardo Reichert Figueiredo]

Hi dan, i dont have ipv6 enabled in my system linux, so i dont have inet6 in my ifconfig configurations, only ipv4.

This can caused for the problem?

[dan (ddp)]

On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo
<eduardo....@hotmail.com> wrote:
> Hi dan, i dont have ipv6 enabled in my system linux, so i dont have inet6 in
> my ifconfig configurations, only ipv4.
>
> This can caused for the problem?
>

I think having ipv6 support is necessary now. You don't need to have
addresses or anything, but the facilities need to be available.

[Victor Fernandez]

Hi Eduardo, 

I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your <remote> configuration and it worked. But when I disabled IPv6 I got the same errors you have.

Please try to enable IPv6 on the running system with:

sysctl -w net.ipv6.conf.all.disable_ipv6=1

sysctl -w net.ipv6.conf.default.disable_ipv6=1

And try to start OSSEC. If it works, consider enabling IPv6 permanently by editing file /etc/sysctl.conf.

Hope it help. If I find another way to run OSSEC with IPv6 disabled I will let you know.

Best regards.

> email to ossec-list+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Victor M. Fernandez-Castro

IT Security Engineer

Wazuh Inc.

[Eduardo Reichert Figueiredo]

Hi,

i will try enable this feature in my rhel, after test i notice you.

Thanks.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

[Eduardo Reichert Figueiredo]

Hi Victor,

i validated and ipv6 feature is enable in my redhat 7.3, but ossec remoted continue is same error reported above.

The file of installation is same that used in other installations (rhel6.8).

Em quinta-feira, 23 de março de 2017 15:37:50 UTC-3, Victor Fernandez escreveu:

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

[Victor Fernandez]

Sorry Eduardo, maybe the method that I told you (enabling on the fly) does not work properly.

If followed those steps to disable IPv6, better undo what you did to disable it.

I have done it by editing file "/etc/sysctl.conf" and adding (to disable) or removing (to enable back) these lines:

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

You probably used this method to disable IPv6, so please try to remove (or comment) those lines, reboot your system and start OSSEC again.

Best regards.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Eduardo Reichert Figueiredo]

Hi,

after enable ipv6 in /boot i received other problem, the process remoted binding in port 1514 for ipv6 and not binding to ipv4.

udp6       0      0 :::514                  :::*                                5243/bin/ossec-remo

udp6       0      0 :::1514                 :::*                                5244/bin/ossec-remo

You know this type of problem?

[dan (ddp)]

On Fri, Mar 31, 2017 at 10:36 AM, Eduardo Reichert Figueiredo
<eduardo....@hotmail.com> wrote:
> Hi,
> after enable ipv6 in /boot i received other problem, the process remoted
> binding in port 1514 for ipv6 and not binding to ipv4.
>
> udp6 0 0 :::514 :::*
> 5243/bin/ossec-remo
> udp6 0 0 :::1514 :::*
> 5244/bin/ossec-remo
>
> You know this type of problem?
>

Mine shows up the same way, but I don't have IPv6 configured on this system:

udp6 0 0 :::1514 :::*

3225/ossec-remoted

My agents connect fine. Are your agents not connecting?

[lon...@stanford.edu]

I'm having similar issues, but enabling IPv6 didn't work for me.  Is there anything else that I can try?  Here is the error message I get in the log:

2019/04/10 17:12:08 getaddrinfo: Name or service not known

2019/04/10 17:12:08 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

I'm running OSSEC version 2.9.0

On Wednesday, March 29, 2017 at 11:09:37 AM UTC-7, Victor Fernandez wrote:

Sorry Eduardo, maybe the method that I told you (enabling on the fly) does not work properly.

If followed those steps to disable IPv6, better undo what you did to disable it.

I have done it by editing file "/etc/sysctl.conf" and adding (to disable) or removing (to enable back) these lines:

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

You probably used this method to disable IPv6, so please try to remove (or comment) those lines, reboot your system and start OSSEC again.

Best regards.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[lam...@gmail.com]

These IPv6/IPv4 issues are due to the way IPv4 and IPv6 were being implemented on releases earlier than 3.1.0. This only affects OSSEC servers. The issue has to do with the way addresses are requested from the system (IPv4 native versus IPv4 mapped over IPv6) and the fact that earlier releases of OSSEC limited you to just one address (no multiple binding). All of that has been fixed. You can read more about the correction here:

https://github.com/ossec/ossec-hids/pull/1412

If you do not want to migrate to OSSEC 3.1.0 server (which should be compatible with older OSSEC clients), you can download a copy of 2.9.3 with the change in it from this link:

https://networkalarmcorp.com/dnld/ossec-hids-2.9.3.1.tgz

However, it is worth it to move to the latest release of OSSEC due to many other fixes and enhancements in the code base.

Best,

Dave Stoddard

Network Alarm Corp.

[Lonlone Lee]

Thank you for the response.  I will try upgrading to a more recent version.

--

[Lonlone Lee]

I’ve upgraded to version 3.2.0 and this has appeared to have resolved my issue.  Thank you again for your assistance.

[ac427]

I got similar error yesterday, and spent like 4 hours to debug. The issue was because of typo in hostname of my server in my ossec-agent.conf. I know it is my stupid mistake, but printing hostname in logs ( like  getaddrinfo: Name or service not known for foo.com) will be extra helpful

ac

On Thursday, April 11, 2019 at 6:49:57 PM UTC-4, Lonlone Lee wrote:

I’ve upgraded to version 3.2.0 and this has appeared to have resolved my issue.  Thank you again for your assistance.

 

From: ossec...@googlegroups.com <ossec...@googlegroups.com> On Behalf Of Lonlone Lee
Sent: Thursday, April 11, 2019 9:04 AM
To: ossec...@googlegroups.com
Subject: RE: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

 

Thank you for the response.  I will try upgrading to a more recent version.

 

From: ossec...@googlegroups.com <ossec...@googlegroups.com> On Behalf Of lam...@gmail.com
Sent: Thursday, April 11, 2019 5:56 AM
To: ossec-list <ossec...@googlegroups.com>
Subject: Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

 

 

These IPv6/IPv4 issues are due to the way IPv4 and IPv6 were being implemented on releases earlier than 3.1.0. This only affects OSSEC servers. The issue has to do with the way addresses are requested from the system (IPv4 native versus IPv4 mapped over IPv6) and the fact that earlier releases of OSSEC limited you to just one address (no multiple binding). All of that has been fixed. You can read more about the correction here:

 

https://github.com/ossec/ossec-hids/pull/1412

 

If you do not want to migrate to OSSEC 3.1.0 server (which should be compatible with older OSSEC clients), you can download a copy of 2.9.3 with the change in it from this link:

 

https://networkalarmcorp.com/dnld/ossec-hids-2.9.3.1.tgz

 

However, it is worth it to move to the latest release of OSSEC due to many other fixes and enhancements in the code base.

 

Best,

 

Dave Stoddard

Network Alarm Corp.

 

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.