UDP 1514 open, but agent can't connect anyway.


Edward Stanford

Dec 11, 2017, 8:28:09 PM
to Wazuh mailing list
I've installed the Wazuh client (using ansible) and the Wazuh docker containers (from github) on two different Ubuntu 16.04 instances in AWS.  

The security groups permit UDP traffic on 1514, as shown by netcat below.  However, the agent cannot connect to the server: the agent logs are consistent with a firewall issue, but netcat seems to indicate otherwise.

  • Client logs
    • Agent information:

         ID:004
         Name:test3
         IP Address:54.218.88.9

      Confirm adding it?(y/n): y
      Added.

      ****************************************
      * Wazuh v2.1.1 Agent manager.          *
      * The following options are available: *
      ****************************************
         (I)mport key from the server (I).
         (Q)uit.
      Choose your action: I or Q: q

      ** You must restart Wazuh for your changes to take effect.

      manage_agents: Exiting.
      root@ip-172-31-34-29:/var/ossec

    • Agent logs after restart

      2017/12/12 01:12:36 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
      2017/12/12 01:13:06 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
      2017/12/12 01:13:06 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
      2017/12/12 01:13:06 ossec-syscheckd: INFO: Initializing real time file monitoring engine.
      2017/12/12 01:14:07 ossec-agentd: ERROR: (1216): Unable to connect to '54.213.245.4'.
      2017/12/12 01:14:16 ossec-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/messages'.
      2017/12/12 01:14:16 ossec-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/secure'.
      2017/12/12 01:14:19 ossec-agentd: INFO: Trying to connect to server (54.213.245.4:1514).
      2017/12/12 01:16:27 ossec-agentd: ERROR: (1216): Unable to connect to '54.213.245.4'.

  • Server logs (after restart)
  • The ports appear to be blocked.  However, from the server
    • nc -u 54.218.88.9 1514
    • splunge
    produces
  • server logs:

    2017/12/12 01:14:34 rootcheck: DEBUG: Going into check_rc_ports
    2017/12/12 01:14:34 rootcheck: DEBUG: Going into check_open_ports
    2017/12/12 01:14:34 rootcheck: DEBUG: Going into check_rc_if
    2017/12/12 01:14:34 rootcheck: DEBUG: Completed with all checks.
    2017/12/12 01:14:39 rootcheck: INFO: Ending rootcheck scan.
    2017/12/12 01:14:39 rootcheck: DEBUG: Leaving run_rk_check
    2017/12/12 01:14:39 wazuh-modulesd:database: DEBUG: Synchronizing file '/var/ossec/queue/rootcheck/rootcheck'

So far, this appears consistent with a failure to open up a hole for 1514 in the firewall.  However,
  • Server to client
    • Server-side
      • nc -u 54.218.88.9 1514
        splunge
    • Client-side
      • nc -ul 1514
        splunge
  • Client to server: I can't listen for the message on 1514, because Wazuh is already listening.  However, in the ossec.log there is clear evidence that the message arrives.
    • Client-side
      • nc -u 54.213.245.4 1514
        splunge for me too
    • Server-side ossec.conf
      • 2017/12/12 01:14:39 wazuh-modulesd:database: DEBUG: Synchronizing file '/var/ossec/queue/rootcheck/rootcheck'
        2017/12/12 01:22:57 ossec-remoted: ERROR: (1403): Incorrectly formatted message from agent '004' (host '54.218.88.9').

I conclude that 1514 traffic is flowing both ways, but for some reason the server does not log a connection from the agent and the agent does not connect to the server.  As there are no clues in the logs, I'm not sure where to go next.

Apologies if I've missed something obvious: I'm new to Wazuh.

Edward

Jose Luis Ruiz

Dec 11, 2017, 8:52:14 PM
to Edward Stanford, Wazuh mailing list

Hi Edward,

Usually the error "2017/12/12 01:22:57 ossec-remoted: ERROR: (1403): Incorrectly formatted message from agent '004' (host '54.218.88.9')." is related to an incorrect client.keys.

On the agent, look at the file /var/ossec/etc/client.keys; it has content similar to this:

root@wazuh-manager:/var/ossec# cat /var/ossec/etc/client.keys
001 puppet-centos7 172.25.0.1 3a9e0cea9eb130a3e799e46624e49d0d73bca4a920235c39c7d2d1ae349260ae
root@wazuh-manager:/var/ossec#

Can you verify that the same line exists in the same file on the manager?

Regards
————————
José Luis Ruiz.
Wazuh Inc.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/24ed6e64-6fd8-4ef1-ab96-d6e27a1e58b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Edward Stanford

Dec 11, 2017, 9:49:39 PM
to Wazuh mailing list
This turned out to be an easy one: my client config contained

   <client>
     <protocol>udp</protocol>
   </client>



Jose Luis Ruiz

Dec 11, 2017, 9:50:38 PM
to Edward Stanford, Wazuh mailing list
Edward, you mean TCP instead of UDP, right? :)

Regards
————————
José Luis Ruiz.
Wazuh Inc.



Edward Stanford

Dec 11, 2017, 9:50:42 PM
to Wazuh mailing list
while my server contained

   <remote>
     <protocol>udp</protocol>
   </remote>
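
As an added example (my own code, not from this thread or from Wazuh), a Python check for the two things this thread turned on: the agent's client.keys line must appear identically in the manager's client.keys, and the agent's <client><protocol> must match the <protocol> of the manager's secure <remote> block. It takes file contents as strings; the sample files at the bottom are constructed (the keys are fake), and treating an unset <protocol> as udp is my assumption about the default for this Wazuh version.

```python
import xml.etree.ElementTree as ET


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML by itself, so wrap the file in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")


def transport_protocol(conf_text, section):
    # section is "client" on the agent or "remote" on the manager.
    blocks = parse_ossec_conf(conf_text).findall("./ossec_config/" + section)
    if section == "remote":
        # A manager may have several <remote> blocks; agents use the one whose
        # <connection> is "secure" (a "syslog" listener is a separate thing).
        blocks = [b for b in blocks
                  if b.findtext("connection", "secure").strip() == "secure"]
    for block in blocks:
        proto = block.findtext("protocol")
        if proto and proto.strip():
            return proto.strip().lower()
    return "udp"  # assumption: the default this Wazuh version uses when <protocol> is unset


def parse_client_keys(text):
    # Each client.keys line is "ID NAME IP KEY"; map ID -> (NAME, IP, KEY).
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            entries[parts[0]] = tuple(parts[1:])
    return entries


def check_pairing(agent_conf, manager_conf, agent_keys, manager_keys):
    # Returns the list of problems found; an empty list means both checks passed.
    problems = []
    a_proto = transport_protocol(agent_conf, "client")
    m_proto = transport_protocol(manager_conf, "remote")
    if a_proto != m_proto:
        problems.append("protocol mismatch: agent %s, manager %s" % (a_proto, m_proto))
    manager_entries = parse_client_keys(manager_keys)
    for agent_id, entry in parse_client_keys(agent_keys).items():
        if manager_entries.get(agent_id) != entry:
            problems.append("client.keys entry for agent %s missing or different on manager" % agent_id)
    return problems


# Constructed sample files reproducing the thread's setup; both keys are fake.
AGENT_CONF = "<ossec_config><client><protocol>udp</protocol></client></ossec_config>"
MANAGER_CONF = ("<ossec_config><remote><connection>syslog</connection></remote></ossec_config>"
                "<ossec_config><remote><connection>secure</connection><protocol>tcp</protocol></remote></ossec_config>")
AGENT_KEYS = "004 test3 54.218.88.9 0000constructedkey0000\n"
MANAGER_KEYS = "004 test3 54.218.88.9 1111differentkey1111\n"
```

Run check_pairing on the real files from both hosts; with the samples above it reports both a protocol mismatch and a differing key for agent 004.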
