remoted silently stops working


Daniil Sobolev

Oct 14, 2019, 5:33:54 AM
to Wazuh mailing list
Hi Wazuh team! 

Could you please help me with the following issue?

I've noticed that ossec-remoted stops working on my Wazuh 3.9.5.
Here's part of the remoted logs:

[root@wzh ossec]# 2019/10/14 09:26:13 ossec-remoted: INFO: Started (pid: 1527). Listening on port 1514/TCP (secure).
2019/10/14 09:26:13 ossec-remoted: INFO: (4111): Maximum number of agents allowed: '14000'.
2019/10/14 09:26:13 ossec-remoted: INFO: (1410): Reading authentication keys file.
2019/10/14 09:26:13 ossec-remoted: ERROR: Unable to open agent file. errno: 13
2019/10/14 09:26:13 ossec-remoted: CRITICAL: (1103): Could not open file '/queue/rids/2725' due to [(13)-(Permission denied)].

I've checked file permission, owner (it's ossec), and even tried to chmod to 755 just to see if this will solve the issue.
sudo -u ossec cat /var/ossec/queue/rids/2725 is also working, but remoted won't start anyway.

I'm running a cluster with 3 nodes, other nodes are not working as well: 

[root@wzh04 ~]# /var/ossec/bin/ossec-remoted -f
[root@wzh04 ~]# 2019/10/14 09:30:39 ossec-remoted: INFO: Started (pid: 24692). Listening on port 1514/TCP (secure).
2019/10/14 09:30:39 ossec-remoted: INFO: (4111): Maximum number of agents allowed: '14000'.
2019/10/14 09:30:39 ossec-remoted: INFO: (1410): Reading authentication keys file.
2019/10/14 09:30:39 ossec-remoted: ERROR: Unable to open agent file. errno: 13
2019/10/14 09:30:39 ossec-remoted: CRITICAL: (1103): Could not open file '/queue/rids/sender_counter' due to [(13)-(Permission denied)].

[root@wzh04 ~]# ls -lh /var/ossec/queue/rids/sender_counter
-rw-r--r-- 1 ossec ossec 14 Oct  7 09:19 /var/ossec/queue/rids/sender_counter


That's not the first time I see issues with permissions on the /queue folder, but previously changing owner recursively helped, and now it's not.

Looking forward to your answer!

Thanks,
Daniil.




Daniil Sobolev

Oct 14, 2019, 5:57:30 AM
to Wazuh mailing list
Never mind, the usual workaround has fixed the issue:
 chown -R ossecr:ossec /var/ossec/queue &&  chown ossecr:ossec /var/ossec/queue/rids/
 chmod --recursive 770 /var/ossec

I'm still wondering why such problems pop up from time to time...



On Monday, October 14, 2019 at 12:33:54 UTC+3, Daniil Sobolev wrote:

José Manuel López del Río

Oct 14, 2019, 12:37:33 PM
to Wazuh mailing list
Hello Daniil,

This conflict is caused by an issue with the sender_receiver file ownership. The files in the /var/ossec/queue/rids/ directory need their ownerships to be ossecr ossec. By using the command chown -R ossecr:ossec /var/ossec/queue &&  chown ossecr:ossec /var/ossec/queue/rids/, the whole /var/ossec/queue/rids/ directory ownerships were modified to ossecr ossec, including the sender_receiver one.

I hope it helped you understand the situation better.

Best Regards,
Jose Manuel Lopez
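
An added example (not part of the thread and not Wazuh's own tooling): a shell function that reports entries under /var/ossec/queue/rids whose owner and group differ from the ossecr:ossec ownership named in the reply above, so drift can be spotted before ossec-remoted exits with errno 13. The function name audit_rids and its output format are assumptions; stat -c assumes GNU or BusyBox stat on the manager host.

```shell
#!/bin/sh
# Added example: audit ownership of the rids directory and its entries.
# Usage: audit_rids [DIR] [OWNER:GROUP]
# Defaults are the path and ownership named in the thread.
# Prints one line per mismatched entry.
# Returns 0 if everything matches, 1 on drift, 2 if DIR is missing.
audit_rids() {
    dir=${1:-/var/ossec/queue/rids}
    want=${2:-ossecr:ossec}

    if [ ! -d "$dir" ]; then
        echo "audit_rids: $dir is not a directory" >&2
        return 2
    fi

    bad=0
    # Check the directory itself, then visible and dot entries inside it.
    for entry in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # skip an unmatched glob pattern
        have=$(stat -c '%U:%G' "$entry") || continue
        if [ "$have" != "$want" ]; then
            mode=$(stat -c '%a' "$entry")
            printf '%s owner=%s expected=%s mode=%s\n' \
                "$entry" "$have" "$want" "$mode"
            bad=1
        fi
    done
    return "$bad"
}

# Example call on a manager node (run as root so every entry can be stat'ed):
#   audit_rids /var/ossec/queue/rids ossecr:ossec || echo "ownership drift found"
```

Run from cron or a monitoring check, a non-zero return shows which entries changed ownership and lets the fix be limited to those entries.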

Daniil Sobolev

Oct 15, 2019, 11:03:02 AM
to Wazuh mailing list
Thanks for your answer, Jose! 

I still didn't quite get - which ownership should be put on sender_receiver? 

Thanks!


On Monday, October 14, 2019 at 19:37:33 UTC+3, José Manuel López del Río wrote:

José Manuel López del Río

Oct 15, 2019, 1:57:23 PM
to Wazuh mailing list
Hello Daniil,

It should be ossecr ossec for sender_receiver.

Best Regards,
Jose Manuel Lopez

Daniil Sobolev

Oct 16, 2019, 9:54:59 AM
to Wazuh mailing list
Thank you

On Tuesday, October 15, 2019 at 20:57:23 UTC+3, José Manuel López del Río wrote:

José Manuel López del Río

Oct 16, 2019, 1:38:58 PM
to Wazuh mailing list
Hello Daniil,

Glad to help you. Please, do not hesitate to contact us again if you need anything else.

Regards,
Jose Manuel Lopez