Issue with symbolically linked /var/ossec/logs directory.


InfoSec

Sep 18, 2017, 3:17:27 AM
to Wazuh mailing list
Wazuh is logging archives, which caused a disk space issue.

I stopped OSSEC, created a new partition, formatted it, mounted it, moved /var/ossec/logs to it (# mv -v /var/ossec/logs <mount_point>), and created a symbolic link from the new logs directory to /var/ossec/logs (# ln -s <mount_point>/logs /var/ossec/logs).

OSSEC analysisd now refuses to start. Tried to run it in the foreground in debug mode, got the following error:

ossec-analysisd: CRITICAL: (1107): Could not create directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].

But:

# ls -l /var/ossec
total 4
drwxr-x---.  3 root  ossec   17 Aug 11 03:07 active-response
drwxr-x---.  2 root  ossec  286 Aug 24 07:33 agentless
drwxr-x---. 10 root  ossec  199 Aug 24 07:34 api
drwxr-x---.  3 root  ossec   20 Aug 11 03:07 backup
drwxr-x---.  2 root  root  4096 Aug 24 07:33 bin
drwxrwx---.  7 ossec ossec  225 Sep 18 09:17 etc
drwxr-x---.  2 root  ossec   36 Aug 24 07:33 integrations
lrwxrwxrwx.  1 root  root    22 Sep 16 22:28 logs -> <mount_point>/logs
drwxr-x---.  4 root  root    36 Aug 11 03:07 lua
drwxr-x---. 11 root  ossec  136 Aug 11 03:07 queue
drwxr-x---.  4 root  ossec   75 Aug 24 07:33 ruleset
drwxr-x---.  5 ossec ossec   64 Aug 11 03:07 stats
drwxr-x--T.  3 root  ossec   21 Aug 24 07:34 tmp
drwxr-x---.  5 root  ossec   41 Sep 18 09:09 var
drwxr-x---.  3 root  ossec   19 Aug 11 03:07 wodles


# ls -l /var/ossec/logs/archives/
total 6467380
drwxr-x---. 3 ossec ossec       4096 Sep 16 16:26 2017
-rw-r-----. 2 ossec ossec 6063570772 Sep 16 22:11 archives.json
-rw-r-----. 2 ossec ossec  559010146 Sep 16 22:11 archives.log

# ls -l /var/ossec/logs/archives/2017
total 4
drwxr-x---. 2 ossec ossec 4096 Sep 16 16:29 Sep

Is anything wrong in the permissions or ownership of the '/var/ossec/logs/archives' tree, or does ossec-analysisd have issues with a symbolically linked logs directory?

If it is neither of the above, how do I determine the root cause?

Polkan G.

Sep 18, 2017, 8:10:09 AM
to InfoSec, Wazuh mailing list

Hi Gjahchan,

Try changing the ownership of the logs soft link.

chown ossec:ossec /var/ossec/logs
/var/ossec/bin/ossec-control restart

Regards,

Wazuh Inc

Polkan Garcia / Security Engineer 
pol...@wazuh.com

Wazuh Inc 
http://wazuh.com/




Cristóbal López

Sep 18, 2017, 9:14:01 AM
to Wazuh mailing list
Hi InfoSec,

The error is due to the fact that WAZUH "cages" some processes in /var/ossec. By making a symbolic link you are copying the full path of the new address, but analysisd sees no further than /var/ossec.

Try it:

1) /var/ossec/bin/ossec-control stop
2) mv /var/ossec/logs/* <new_log_folder>
3) mount --bind <new_log_folder> /var/ossec/logs
4) Reboot

Add this to fstab to make the permanent change:
<new_log_folder> /var/ossec/logs    none    bind

Best regards,
Cristóbal.
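
The reason the symlink fails and the bind mount works is path resolution inside a chroot: a process that has called chroot("/var/ossec") resolves an absolute symlink target against /var/ossec, not against the host root, so "logs -> <mount_point>/logs" is opened as "/var/ossec<mount_point>/logs". A bind mount has no target path to re-root, so the jailed daemon sees an ordinary directory. The script below is an added example, not code from this thread or from the Wazuh project; it predicts the host path a jailed daemon would actually open and checks that it exists, so a relocated directory can be verified before the restart. The jail layout, the temporary directories and the path names are constructed for the demo. Bind mounts need root, so the "after" state is a plain directory standing in for the mount point.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): predict what a
# chroot()ed daemon such as ossec-analysisd will see when it opens a path
# under its jail, so a relocated directory can be checked before a restart.
#
# Inside chroot(JAIL) the kernel resolves an absolute symlink target against
# JAIL, not against the host root. "logs -> /data/ossec-logs" therefore
# becomes JAIL/data/ossec-logs, which usually does not exist, and the daemon
# reports that it cannot create "/data/ossec-logs/archives/...". A bind mount
# has no target path to re-root, so it works from inside the jail.

# jail_view JAIL REL: print the host path the jailed process actually opens
# for JAIL/REL. One level of symlink resolution is modelled, which is enough
# to show the re-rooting. The kernel also clamps ".." at the jail root, so a
# relative link that points outside the jail fails as well; that clamp is not
# modelled here.
jail_view() {
    jail=$1
    rel=$2
    if target=$(readlink "$jail/$rel"); then
        case $target in
            /*) printf '%s\n' "$jail$target" ;;                     # absolute: re-rooted under JAIL
            *)  printf '%s\n' "$(dirname "$jail/$rel")/$target" ;;  # relative: from the link's directory
        esac
    else
        printf '%s\n' "$jail/$rel"                                  # plain directory or bind mount
    fi
}

# jail_dir_ok JAIL REL: succeed only if the path the jailed process will open
# is an existing directory.
jail_dir_ok() {
    [ -d "$(jail_view "$1" "$2")" ]
}

# Demo on a constructed layout under a temporary directory (nothing here
# touches the real /var/ossec). "mount --bind" needs root, so the "after"
# state is a plain directory standing in for the bind-mounted one.
demo() {
    tmp=$(mktemp -d) || return 1
    jail=$tmp/var/ossec
    newlogs=$tmp/data/ossec-logs
    mkdir -p "$jail" "$newlogs/archives"

    # The symlink approach from the thread.
    ln -s "$newlogs" "$jail/logs"
    printf 'symlink:    daemon would open %s\n' "$(jail_view "$jail" logs)"
    if jail_dir_ok "$jail" logs; then
        echo "symlink:    OK"
    else
        echo "symlink:    unreachable from inside the jail"
    fi

    # What "mount --bind $newlogs $jail/logs" leaves visible inside the jail.
    rm "$jail/logs" && mkdir "$jail/logs"
    printf 'bind mount: daemon would open %s\n' "$(jail_view "$jail" logs)"
    if jail_dir_ok "$jail" logs; then
        echo "bind mount: OK"
    else
        echo "bind mount: unreachable from inside the jail"
    fi

    rm -rf "$tmp"
}

demo
```

Before restarting after a real relocation, run jail_dir_ok against /var/ossec and each directory the daemons write to (logs, logs/archives, logs/alerts); a failure means the jailed process will hit the same "Could not create directory" error as above, whatever the permissions look like from the host.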

InfoSec

Sep 18, 2017, 1:05:48 PM
to Wazuh mailing list
Hi Cristóbal,

Thank you for the tip. It worked like a charm. Did not need to reboot.

After mounting the new directory in /var/ossec/logs instead of symbolically linking it, all active OSSEC daemons start when starting OSSEC.

Issue resolved.