I have tried to install ossec on three different VMs and am not able to get it to pick up modifications, additions, deletions of files. I have tried running it on a Security Onion 14.04 machine and a non-Security Onion machine. I followed the instructions here and on two of the machines I am getting this "process XXX not used by ossec, removing", "ossec-remoted not running" error. Please advise.

martin@martin-VirtualBox:~$ sudo /var/ossec/bin/ossec-control status
[sudo] password for martin:
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 1439 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
martin@martin-VirtualBox:~$ gdb /var/ossec/bin/ossec-remoted
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
/var/ossec/bin/ossec-remoted: Permission denied.
(gdb)
(gdb) set follow-fork-mode child
(gdb) run -df
Starting program: -df
No executable file specified.
Use the "file" or "exec-file" command.
(gdb) t
No thread selected
(gdb) bt
No stack.
(gdb)
[1]+ Stopped gdb /var/ossec/bin/ossec-remoted
martin@martin-VirtualBox:~$ sudo gdb /var/ossec/bin/ossec-remoted
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /var/ossec/bin/ossec-remoted...(no debugging symbols found)...done.
(gdb) set follow-fork-mode child
(gdb) run -df
Starting program: /var/ossec/bin/ossec-remoted -df
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2016/03/06 12:31:23 ossec-remoted: DEBUG: Starting ...
2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4504).
[New process 4508]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2016/03/06 12:31:23 ossec-remoted: DEBUG: Forking remoted: '0'.
2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4508).
2016/03/06 12:31:23 ossec-remoted: DEBUG: Running manager_init
[New Thread 0x7ffff6fba700 (LWP 4509)]
[New Thread 0x7ffff67b9700 (LWP 4510)]
2016/03/06 12:31:24 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '16777216'.
2016/03/06 12:31:24 ossec-remoted(4111): INFO: Maximum number of agents allowed: '1024'.
2016/03/06 12:31:24 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found.
2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
[Thread 0x7ffff6fba700 (LWP 4509) exited]
[Thread 0x7ffff7fe1740 (LWP 4508) exited]
[Inferior 2 (process 4508) exited with code 01]
(gdb)

On Mar 6, 2016 1:41 PM, "Tennisha tennisha" <tenn...@gmail.com> wrote:
>
> I did this and now remoted is running (thank you!!!) but I am still not getting any alerts for added, modified, removed files in the ossec.log. Am I looking in the wrong place?
>
Alerts get saved to /var/ossec/logs/alerts/alerts.log
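
The stopped-daemon diagnosis from the first post, as an added example that is not part of the thread or of OSSEC itself: it lists the daemons that `ossec-control status` reports as not running and pulls each one's numbered ERROR lines from the daemon log, so the cause can be read without gdb. The function names and the two-file calling convention are assumptions; the sample text is copied from the session quoted above.

```shell
# Added example, not from the thread. The sample text below is copied from
# the session in the first post and serves as constructed test input.

# down_daemons: `ossec-control status` output on stdin -> names of daemons
# reported as "not running", one per line.
down_daemons() {
    sed -n 's/^\(ossec-[a-z]*\) not running\.\.\. *$/\1/p'
}

# daemon_errors DAEMON: OSSEC log text on stdin -> "CODE MESSAGE" for each
# ERROR line logged by DAEMON, e.g. "ossec-remoted(1402): ERROR: ...".
daemon_errors() {
    sed -n "s/^.* $1(\([0-9]*\)): ERROR: \(.*\)\$/\1 \2/p"
}

# triage STATUS_FILE LOG_FILE: print every stopped daemon followed by the
# errors it logged (nothing listed means the log gives no reason for it).
triage() {
    down_daemons < "$1" | while read -r d; do
        echo "$d:"
        daemon_errors "$d" < "$2" | sed 's/^/  /'
    done
}

sample_status() {
    cat <<'EOF'
ossec-monitord is running...
ossec-remoted: Process 1439 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-maild not running...
EOF
}

sample_log() {
    cat <<'EOF'
2016/03/06 12:31:24 ossec-remoted(4111): INFO: Maximum number of agents allowed: '1024'.
2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found.
2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
EOF
}

# Run as: sh triage.sh STATUS_FILE LOG_FILE (the file name is an assumption).
if [ $# -eq 2 ]; then
    triage "$1" "$2"
fi
```

On the sample input this lists errors 1402 and 1750 under ossec-remoted and nothing under ossec-maild.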