Starting wazuh-manager failure


Mark Aurelius

Apr 3, 2019, 1:44:08 PM
to Wazuh mailing list
I probably missed something in the initial config/install and there is an error when starting the manager, so I can't get to the point of registering the first agent. Thanks in advance.

root@UBUNTU:/var/ossec/etc# systemctl restart wazuh-manager
Job for wazuh-manager.service failed because the control process exited with error code.


See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
root@UBUNTU:/var/ossec/etc# journalctl -xe


Apr 03 13:18:18 UBUNTU gnome-shell[2440]: [AppIndicatorSupport-DEBUG] Registering StatusNotifierItem :1.71/org/ayatana/NotificationItem/softwa
Apr 03 13:18:18 UBUNTU gnome-shell[2440]: JS ERROR: Exception in callback for signal: activate: Error: Error invoking IBus.set_global_engine_a
                                          setEngine@resource:///org/gnome/shell/misc/ibusManager.js:207:9
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          activateInputSource@resource:///org/gnome/shell/ui/status/keyboard.js:490:13
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          _emit@resource:///org/gnome/gjs/modules/signals.js:128:27
                                          activate@resource:///org/gnome/shell/ui/status/keyboard.js:65:9
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          _inputSourcesChanged@resource:///org/gnome/shell/ui/status/keyboard.js:620:13
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          reload@resource:///org/gnome/shell/ui/status/keyboard.js:369:9
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          _ibusSetContentType@resource:///org/gnome/shell/ui/status/keyboard.js:691:9
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                          _emit@resource:///org/gnome/gjs/modules/signals.js:128:27
                                          _setContentType@resource:///org/gnome/shell/misc/ibusManager.js:183:9
                                          wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
Apr 03 13:32:52 UBUNTU systemd[1]: Starting Wazuh manager...
-- Subject: Unit wazuh-manager.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-manager.service has begun starting up.
Apr 03 13:32:52 UBUNTU systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
Apr 03 13:32:52 UBUNTU systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Apr 03 13:32:52 UBUNTU systemd[1]: Failed to start Wazuh manager.
-- Subject: Unit wazuh-manager.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit wazuh-manager.service has failed.
--
-- The result is RESULT.
Apr 03 13:32:52 UBUNTU env[25381]: 2019/04/03 13:32:52 ossec-agentd: CRITICAL: (1751): File client.keys not found or empty.
Apr 03 13:32:52 UBUNTU env[25381]: ossec-agentd: Configuration error. Exiting
Apr 03 13:33:18 UBUNTU gnome-shell[2440]: Some code accessed the property 'WindowPreviewMenu' on the module 'windowPreview'. That property was

Mark Aurelius

Apr 3, 2019, 1:47:23 PM
to Wazuh mailing list
ossec log

root@UBUNTU:/var/ossec/etc# more /var/ossec/logs/ossec.log
2019/04/03 10:17:44 ossec-agentd: CRITICAL: (1751): File client.keys not found or empty.
2019/04/03 13:32:52 ossec-agentd: CRITICAL: (1751): File client.keys not found or empty.

Juan Carlos Rodríguez

Apr 4, 2019, 5:34:13 AM
to Wazuh mailing list

Hi Mark,

Is it possible that you installed an agent in the same instance as the manager? Anyway, in order to give you better assistance, could you tell me your Wazuh version and your Ubuntu version? On the other hand, if you made some change to your configuration file, please paste your ossec.conf here, so that I can reproduce your environment in a test lab.

Regards.
Juan Carlos.

Mark Aurelius

Apr 4, 2019, 4:01:25 PM
to Wazuh mailing list
<!--
  Wazuh - Agent - Default configuration for ubuntu 18.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>192.168.1.187</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
  </wodle>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>

    <!-- Allow the system to restart Auditd after installing the plugin -->
    <restart_audit>yes</restart_audit>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>

Mark Aurelius

Apr 4, 2019, 4:04:40 PM
to Wazuh mailing list
Ubuntu 18.04.2 LTS, Wazuh 3.8.2 I think - just downloaded in the past 10 days.

On Thursday, April 4, 2019 at 5:34:13 AM UTC-4, Juan Carlos Rodríguez wrote:

Juan Carlos Rodríguez

Apr 5, 2019, 11:28:38 AM
to Wazuh mailing list
Hi Mark,

Effectively, it seems that you have a mixed and erroneous installation (the manager and the agent in the same instance), which makes your system not work. We must differentiate between the concepts of agents, which run on each monitored host, and the server, which analyzes the data received from the agents.

You can find more useful information about these concepts here https://documentation.wazuh.com/3.x/getting-started/components.html

And you can enhance your knowledge about the Wazuh environment architecture and the communication between its components here https://documentation.wazuh.com/3.x/getting-started/architecture.html

Once these concepts have been clarified, you must perform a clean installation. You must first install the Wazuh server, or in other words, the manager. One important point is that the manager is simultaneously an agent that collects data from itself, and this is the reason why it is not necessary to install an agent on the manager instance.

At this point, you will have the manager installed and running. Now, additionally, and if you need to monitor some other host, you can install an agent on that host instance. You could follow this guide to install the Wazuh agent https://documentation.wazuh.com/3.x/installation-guide/installing-wazuh-agent/index.html

Please let us know the results.

Best regards,
Juan Carlos
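Added example, not from the thread or from the Wazuh project: a small Python checker that reads an ossec.conf, classifies it as agent or manager configuration, and ties the (1751) client.keys error quoted in the journal and ossec.log to an agent-style configuration sitting on the manager host, which is the situation diagnosed above. The helper names, the assumption that a manager's ossec.conf is recognised by its <remote> or <auth> block, and the trimmed sample config and log lines are my own constructions; the file path is the default /var/ossec/etc/client.keys only as an assumption.

```python
"""Detect the mixed agent/manager setup behind ossec-agentd error (1751).

Assumptions (not from the thread): helper names are hypothetical; a manager
ossec.conf is recognised by <remote> or <auth>, an agent one by <client><server>.
"""
import os
import re
import xml.etree.ElementTree as ET

# Matches the ossec-agentd line quoted in the thread's journalctl and ossec.log output.
CLIENT_KEYS_RE = re.compile(
    r"ossec-agentd: CRITICAL: \((\d+)\): File client\.keys not found or empty"
)


def parse_ossec_conf(text):
    """Parse an ossec.conf body.

    The posted file holds two sibling <ossec_config> elements, which is not a
    single well-formed XML document, so wrap them in a synthetic root element.
    Assumes no <?xml ...?> declaration (the posted file has none).
    """
    return ET.fromstring("<root>" + text + "</root>")


def detect_role(text):
    """Return 'agent', 'manager', 'mixed' or 'unknown' for an ossec.conf body."""
    root = parse_ossec_conf(text)
    is_agent = root.find("./ossec_config/client/server") is not None
    is_manager = (
        root.find("./ossec_config/remote") is not None
        or root.find("./ossec_config/auth") is not None
    )
    if is_agent and is_manager:
        return "mixed"
    if is_agent:
        return "agent"
    if is_manager:
        return "manager"
    return "unknown"


def client_keys_usable(path):
    """True when client.keys exists and is non-empty, which ossec-agentd requires."""
    return os.path.isfile(path) and os.path.getsize(path) > 0


def error_codes(log_lines):
    """Collect the numeric ossec-agentd error ids found in the given log lines."""
    codes = set()
    for line in log_lines:
        match = CLIENT_KEYS_RE.search(line)
        if match:
            codes.add(int(match.group(1)))
    return sorted(codes)


def diagnose(conf_text, log_lines, client_keys_path, unit="wazuh-manager"):
    """Return finding ids explaining why `unit` fails to start."""
    findings = []
    if unit == "wazuh-manager" and detect_role(conf_text) == "agent":
        # Agent-style ossec.conf on the manager host: startup runs ossec-agentd,
        # which needs a populated client.keys and aborts without one.
        findings.append("agent-config-on-manager")
    if 1751 in error_codes(log_lines) and not client_keys_usable(client_keys_path):
        findings.append("client-keys-missing-or-empty")
    return findings


# Constructed sample inputs, trimmed from the config and log posted in the thread.
AGENT_CONF = """<!-- trimmed agent config (constructed sample) -->
<ossec_config>
  <client>
    <server>
      <address>192.168.1.187</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""

MANAGER_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
  <auth>
    <disabled>no</disabled>
  </auth>
</ossec_config>
"""

LOG_LINES = [
    "2019/04/03 10:17:44 ossec-agentd: CRITICAL: (1751): File client.keys not found or empty.",
    "2019/04/03 13:32:52 ossec-agentd: CRITICAL: (1751): File client.keys not found or empty.",
]

if __name__ == "__main__":
    # Assumed default path; on a clean manager host no agent-style client.keys is needed.
    print(detect_role(AGENT_CONF))
    print(diagnose(AGENT_CONF, LOG_LINES, "/var/ossec/etc/client.keys"))
```

Run it against the real /var/ossec/etc/ossec.conf and the tail of ossec.log on the failing host: an "agent" role reported for the wazuh-manager unit is exactly the mixed installation described above, and the fix is the clean manager install rather than populating client.keys by hand.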