wazuh-agent for OpenBSD

[Sarah Evelyn Townsend]

I have a few OpenBSD virtual machines I would like to install the wazuh-agent on.  I believe I will need to compile a package to do this.  I'm not really familiar with compiling packages, and am not able to figure out what source I would need to use to do this.  The last post on this subject was in 2019, but I was unable to find any files on git that looked helpful that were mentioned in that post.  Could you please point me in the right direction?  Thank you!

[José Fernández]

Hello Sarah Evelyn,

Currently we don't have any official binary package for BSD platforms but you can build the wazuh-agent in BSD following these steps (I have performed compilation on OpenBSD 6.6):

1. Install dependencies
   pkg_add gmake gcc automake autoconf libtool
   (I selected automake-1.16.1 and autoconf-2.69p2)
   
   
2. Download and extract last Wazuh release
   
   curl -Ls https://github.com/wazuh/wazuh/archive/v3.12.3.tar.gz | tar xvzf -
   
   
3. Go Wazuh directory and launch installation script
   cd wazuh-* && ./install.sh
   
   
4. Select language, and select agent installation, the rest of the questions could be let as default.
5. Wait to compile the agent, when finish press enter and your agent is installed.
6. You could register and start your agent as usually.

We have such matter in our roadmap, if you wish take a look at https://github.com/wazuh/wazuh-packages/issues/361

I hope it helps, don't hesitate to ask us if you have any doubts.

Regards.

[Sarah Evelyn Townsend]

José,

Thank you for the quick response, and the extremely helpful information.  I think I'm almost there, but when running "cd wazuh-* && ./install.sh" I get the following error:

curl -so external/cJSON.tar.gz https://packages.wazuh.com/deps/3.12/cJSON.tar.gz

gmake: *** [Makefile:904: external/cJSON.tar.gz] Error 7

Makefile:691: *** No external directory found. Run "gmake deps" before compiling external libraries.  Stop.

 Error 0x5.

 Building error. Unable to finish the installation.

I believe I need to create a Makefile in wazuh/src, but am not sure what to put in it.  Doing a search in the Wazuh information does have some helpful information, but is there anything specific you could provide me for what needs to go into the Makefile?

Thank you,

Sarah

[José Fernández]

Hello Sarah,

Sorry for late response, The error number 7 seems to be related with connectivity problems, have your host access to internet?
Maybe you could try this command inside src folder

gmake deps RESOURCES_URL=http://packages.wazuh.com/deps/3.12

We recommend you to have the host fully connected to internet in order to download required dependencies, if it isn't possible you could execute the described command and copy the entire Wazuh folder to the target host and then run install.sh script.

I hope it helps to you, regards.

[Sarah Evelyn Townsend]

José,

Thank you, that helped.  I was able to get the agent installed on my OpenBSD host.  However now that I've registered the host, added the key to my host to be monitored and made sure the correct IP for the Wazuh server is in ossec.conf and restarted ossec-control it is showing up in the Kibana Wazuh app as "never connected".  I tried registering the agent both with and IP and also with "any" as the IP and neither will connect.  Help?  Suggestions?

Thank you,

Sarah

[Sarah Townsend]

José,

 

Any update on this question?

 

Thank you,

 

Sarah

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/Lub77EFuAP8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ffd8ab6a-65c8-4a3f-99f6-17e21994b9b8%40googlegroups.com.

[José Fernández]

Hello Sarah,

Sorry again for late response, I have repeated the whole process without errors, one possible way to register the agent (that I usually do):

/var/ossec/bin/agent-auth -m YOUR_MANAGER_IP_OR_DNS

If all goes well you will see a log like this:

2020/05/20 16:30:48 agent-auth: INFO: Started (pid: 83848).
2020/05/20 16:30:48 agent-auth: INFO: No authentication password provided.
2020/05/20 16:30:48 agent-auth: INFO: Connected to YOUR_MANAGER_IP_OR_DNS:1515
2020/05/20 16:30:48 agent-auth: WARNING: Registering agent to unverified manager.
2020/05/20 16:30:48 agent-auth: INFO: Using agent name as: openbsd6.localdomain
2020/05/20 16:30:48 agent-auth: INFO: Send request to manager. Waiting for reply.
2020/05/20 16:30:48 agent-auth: INFO: Received response with agent key
2020/05/20 16:30:48 agent-auth: INFO: Valid key created. Finished.
2020/05/20 16:30:48 agent-auth: INFO: Connection closed.

If not, probably you have a connectivity problem on port 1515 or the port you have specified (at the manager side).
Then I usually edit the configuration file /var/ossec/etc/ossec.conf and added on address section your manager IP, I think that you have already done that point.
Last but not least, start your agent with:

/var/ossec/bin/ossec-control start

Then you can perform a connectivity check with:

/var/ossec/bin/agent_control -l

You must see something like:

Wazuh agent_control. List of available agents:
   ID: 000, Name: 9f54148e7a66 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: openbsd6.localdomain, IP: any, Active

If it shows never connected as you point out, you can check the agent or manager logs in search of any errors, such files are located at /var/ossec/logs/ossec.log on both sides, an useful command to search errors in the log is:

grep -Ei "warn|error" /var/ossec/logs/ossec.log

Finally take a look at https://documentation.wazuh.com/3.12/user-manual/agents/agent-connection.html to get more ideas of possible errors.
I hope it helps to you, don't hesitate to ask us if you have any doubts.

Regards!.

To unsubscribe from this group and all its topics, send an email to wazuh+unsubscribe@googlegroups.com.