Error when installing Linux agent on Wazuh server.


Harvey Ryu

Dec 31, 2019, 12:21:01 AM
to Wazuh mailing list
Hi Team,

I'm trying to install a linux agent on wazuh server machine.
First I tried tar package install:
./install.sh

It returns:
4- Installing the system

 - Running the Makefile

cd external/zlib/ && CFLAGS=-fPIC ./configure && make libz.a
cd external/openssl/ && ./config enable-weak-ssl-ciphers no-shared && make build_libs
    CC external/cJSON/cJSON.o
make: *** No rule to make target 'external/sqlite/sqlite3.c', needed by 'external/sqlite/sqlite3.o'.  Stop.
make: *** Waiting for unfinished jobs....
/bin/sh: 1: cd: can't cd to external/zlib/
/bin/sh: 1: cd: can't cd to external/openssl/
make: *** [Makefile:718: external/zlib//libz.a] Error 2
make: *** [Makefile:699: external/openssl/libssl.a] Error 2

I tried:
WAZUH_MANAGER="myip" apt-get install wazuh-agent

It returns:
mv: cannot move '/var/ossec/packages_files/agent_config_files/group/default' to '/var/ossec/etc/shared/default': Directory not empty
dpkg: error processing package wazuh-agent (--configure):

I tried:
apt-get install wazuh-agent

It returns:
chown: cannot access '/var/ossec/ruleset/sca/cis_debian7_L2.yml': No such file or directory
dpkg: error processing package wazuh-agent (--configure):

The first time I used the install.sh script, I followed the guide up to here:
You already have Wazuh installed. Do you want to update it? (y/n):

I chose y, then it got stuck downloading some Python package. I pressed Ctrl+C; the next time I chose n and typed 'agent' here:
1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

So how do I fix the error? By the way, my Wazuh server is still good; these errors haven't affected it.


Harvey Ryu

Dec 31, 2019, 12:42:32 AM
to Wazuh mailing list
I just found out that a lot of wazuh files changed to .save, like local_rules.xml.save

Jose Miguel Hernandez Garcia

Dec 31, 2019, 3:35:37 AM
to Wazuh mailing list
Hi Harvey Ryu,

By default, when you install a Wazuh Manager in your system, the Manager can monitor the system by itself. 
Installing a Wazuh Agent where the Manager is installed is not allowed due to incompatibility between them.

If you run the agent-control binary with the -l flag, you will see that the 000 agent is your Wazuh Manager:
 
/var/ossec/bin/agent-control -l

The Agents are designed to monitor endpoints and report the collected data to the Manager. 
Those errors are because you're trying to install an agent in a system with a Manager installed so probably you're overwriting some files. 

As you tried to install the Agent using different options probably the Manager installation has been affected. 
So, in order to fix the problem, I would recommend you to uninstall your agent and re-install the Manager in order to avoid future problems due to missing files or permissions in your Manager.

As said before, you can try to install an Agent in a different machine and connect it to the Manager, there you will see that the Agent reports the data to the Manager.

Hope that it helps,
Josemi.
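
A pre-install check for the situation described in the reply above, as an added example that is not part of the original thread or of Wazuh's own tooling. It assumes the Wazuh 3.x layout in which /etc/ossec-init.conf records the install type as TYPE="server" for a manager or TYPE="agent" for an agent; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: refuse to install wazuh-agent on a host that already has a manager.
# Assumption: Wazuh 3.x writes TYPE="server" (manager) or TYPE="agent" into
# /etc/ossec-init.conf. Function names below are hypothetical helpers.

# Print the install type recorded in an ossec-init.conf style file.
# Prints "none" when the file is absent and "unknown" when it has no TYPE line.
wazuh_install_type() {
    init_file=${1:-/etc/ossec-init.conf}
    [ -r "$init_file" ] || { echo none; return 0; }
    # Use the last TYPE= line; strip quotes and whitespace from the value.
    itype=$(grep '^TYPE=' "$init_file" | tail -n 1 | cut -d= -f2 | tr -d '"[:space:]')
    echo "${itype:-unknown}"
}

# Return 0 when an agent install will not collide with an existing install,
# 1 when a manager (or any install that is not an agent) is already present.
agent_install_allowed() {
    case $(wazuh_install_type "$1") in
        none)  return 0 ;;   # nothing installed yet
        agent) return 0 ;;   # agent already present: upgrade or reinstall
        *)     return 1 ;;   # server, local, hybrid or unknown: shared /var/ossec tree
    esac
}

# Report for the local host without aborting the shell.
if agent_install_allowed; then
    echo "no manager detected: agent install can proceed"
else
    echo "existing $(wazuh_install_type) install detected: do not install wazuh-agent here" >&2
fi
```
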

Harvey Ryu

Jan 7, 2020, 3:04:50 AM
to Wazuh mailing list
Hi Josemi,

Yes, agent_control shows that it is agent 000, but I added the following lines in ossec.conf:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

And this in local_rules.xml:
<group name="linux, sshd,">
  <rule id="100023" level="14">
    <decoded_as>sshd</decoded_as>
    <match>Accepted</match>
    <description>sshd: Accepted password from $(srcip) to $(hostname) with user $(dstuser).</description>
  </rule>
  <rule id="100024" level="14">
    <decoded_as>sshd</decoded_as>
    <match>Failed</match>
    <description>sshd: Failed password from $(srcip) to $(hostname) with user $(dstuser).</description>
  </rule>
</group>

After restarting wazuh-manager or rebooting the machine, I still got no alert.

Jose Miguel Hernandez Garcia

Jan 10, 2020, 4:37:38 AM
to Wazuh mailing list
Hi Harvey Ryu,

In order to keep better track of your question and help other users who may be facing the same problem, I would recommend that you open a new topic in the Wazuh mailing list, because this second question is not related to the main one.

Best regards,
Josemi

Harvey Ryu

Jan 16, 2020, 3:11:33 AM
to Wazuh mailing list
Hi Josemi,

It's a problem caused by the original problem. I've already freshly installed Wazuh and everything seems fine, but the agent registration service is not working: using "ss -ant", I cannot see TCP port 1515 in listening status. Now I tried to install Wazuh again, but when adding the PGP public key, it returns this:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -v -
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: pub  rsa4096/96B3EE5F29111145 2016-08-01  Wazuh.com (Wazuh Signing Key) <sup...@wazuh.com>
OK

cat /etc/apt/sources.list.d/wazuh.list
deb https://packages.wazuh.com/3.x/apt/ stable main

root@iPhone:~# apt update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Get:2 http://dl.google.com/linux/chrome/deb stable Release [943 B]
Get:3 http://dl.google.com/linux/chrome/deb stable Release.gpg [819 B]
Hit:4 https://packages.wazuh.com/3.x/apt stable InRelease
Err:3 http://dl.google.com/linux/chrome/deb stable Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
Hit:5 http://mirrors.neusoft.edu.cn/kali kali-rolling InRelease
Fetched 819 B in 1s (953 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2684 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
W: Some index files failed to download. They have been ignored, or old ones used instead.

Harvey Ryu

Jan 16, 2020, 3:53:31 AM
to Wazuh mailing list
Hi,

I used:
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

That fixed the pub error. I'll continue to look for what makes 1515 not listen.