Wazuh upgrade 2.x to 3.2 - ossec-remoted ERROR rootchecks/merged.mg


Vaclav Adamec

Jun 11, 2018, 5:39:11 AM
to Wazuh mailing list
All seems to be ok, but this is periodically seen in ossec.log on server:

2018/06/11 02:37:05 ossec-remoted: ERROR: Unable to append merged file: '/etc/shared/rootchecks/merged.mg.tmp'.
2018/06/11 02:37:05 ossec-remoted: ERROR: Couldn't open file '/etc/shared/rootchecks/merged.mg.tmp'
2018/06/11 02:37:05 ossec-remoted: ERROR: Accessing file '/etc/shared/rootchecks/merged.mg'

Any advice? I saw rootcheck files in /var/ossec/etc/shared/default; there is nothing in /etc directly from RPMs.


AVe

Victor Fernandez

Jun 11, 2018, 9:52:56 AM
to Vaclav Adamec, Wazuh mailing list
Hi Vaclav,

I'm trying to reproduce your issue. Maybe you created the folder "/var/ossec/etc/shared/rootchecks"? In this case, that folder should have been copied into "/var/ossec/etc/shared/default/rootchecks". 

As of Wazuh 3.0, every folder inside /var/ossec/etc/shared represents an agent group. When you upgrade from Wazuh v2 to v3, all your files are copied into the group folder "default", but they are not removed by the RPM installer, so the manager confuses the folder "rootchecks" with an agent folder and that error may happen.

This does not work with folders because the manager doesn't expect to find folders inside the directory "shared". If this is your case, please reorganize your shared files and do not create shared folders on your own (use the tool /var/ossec/bin/agent_groups); otherwise let us know and describe to us how to reproduce this issue.

We will triage this issue for the next releases; in fact, coming versions will support delivering folders to agents. Thank you very much for your feedback.

Best regards,

Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.


Vaclav Adamec

Jun 12, 2018, 2:09:07 AM
to Wazuh mailing list
Hi,
Structure:

/var/ossec/etc/shared
├── ar.conf
├── default
│   ├── agent.conf
│   ├── cis_apache2224_rcl.txt
│   ├── cis_debian_linux_rcl.txt
│   ├── cis_mysql5-6_community_rcl.txt
│   ├── cis_mysql5-6_enterprise_rcl.txt
│   ├── cis_rhel5_linux_rcl.txt
│   ├── cis_rhel6_linux_rcl.txt
│   ├── cis_rhel7_linux_rcl.txt
│   ├── cis_rhel_linux_rcl.txt
│   ├── cis_sles11_linux_rcl.txt
│   ├── cis_sles12_linux_rcl.txt
│   ├── merged.mg
│   ├── rootchecks
│   │   ├── cis_debian_linux_rcl.txt
│   │   ├── cis_rhel5_linux_rcl.txt
│   │   ├── cis_rhel6_linux_rcl.txt
│   │   ├── cis_rhel7_linux_rcl.txt
│   │   ├── cis_rhel_linux_rcl.txt
│   │   ├── cis_sles11_linux_rcl.txt
│   │   ├── cis_sles12_linux_rcl.txt
│   │   ├── merged.mg
│   │   ├── rootkit_files.txt
│   │   ├── rootkit_trojans.txt
│   │   ├── system_audit_rcl.txt
│   │   ├── system_audit_ssh.txt
│   │   ├── win_applications_rcl.txt
│   │   ├── win_audit_rcl.txt
│   │   └── win_malware_rcl.txt
│   ├── rootkit_files.txt
│   ├── rootkit_trojans.txt
│   ├── system_audit_rcl.txt
│   ├── system_audit_ssh.txt
│   ├── win_applications_rcl.txt
│   ├── win_audit_rcl.txt
│   └── win_malware_rcl.txt
└── rootchecks
    ├── cis_debian_linux_rcl.txt
    ├── cis_rhel5_linux_rcl.txt
    ├── cis_rhel6_linux_rcl.txt
    ├── cis_rhel7_linux_rcl.txt
    ├── cis_rhel_linux_rcl.txt
    ├── cis_sles11_linux_rcl.txt
    ├── cis_sles12_linux_rcl.txt
    ├── rootkit_files.txt
    ├── rootkit_trojans.txt
    ├── system_audit_rcl.txt
    ├── system_audit_ssh.txt
    ├── win_applications_rcl.txt
    ├── win_audit_rcl.txt
    └── win_malware_rcl.txt



Vaclav Adamec

Jun 12, 2018, 4:38:33 AM
to Wazuh mailing list
OK, so removing the rootchecks dir helps; now only default is in shared.

Thanks for the help.
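
An added example, not part of the thread and not Wazuh's own tooling: a report-only shell check for the leftover layout discussed above. It flags top-level folders in the shared directory that the manager would treat as agent groups but that look like 2.x leftovers, and folders nested inside a group folder. The function names and the "no agent.conf means leftover" heuristic are assumptions made for this example, and the sample tree is constructed from the listing in the thread.

```bash
#!/bin/sh
# Added example: audit a Wazuh 3.x shared directory after a 2.x upgrade.
# Report only; nothing is moved or deleted.

# Print one finding per line for the shared directory given as $1.
audit_shared() {
    local shared="${1:-/var/ossec/etc/shared}" dir name sub
    for dir in "$shared"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir="${dir%/}"
        name="${dir##*/}"
        # As of 3.0 every top-level folder is treated as an agent group.
        # Assumed heuristic: a folder without agent.conf was never set up
        # as a group and is probably a leftover from the 2.x layout.
        if [ ! -f "$dir/agent.conf" ]; then
            echo "SUSPECT_GROUP $name (no agent.conf; possible 2.x leftover)"
        fi
        # Folders inside a group folder: the reply says folder delivery
        # to agents is only planned for coming versions.
        for sub in "$dir"/*/; do
            [ -d "$sub" ] || continue
            sub="${sub%/}"
            echo "NESTED_DIR $name/${sub##*/}"
        done
    done
}

# Constructed sample tree mirroring the listing posted in the thread.
make_sample() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/default/rootchecks" "$root/rootchecks"
    touch "$root/ar.conf" "$root/default/agent.conf" "$root/default/merged.mg" \
          "$root/default/rootchecks/rootkit_files.txt" \
          "$root/rootchecks/rootkit_files.txt"
    echo "$root"
}

# Demo run on the constructed tree; pass a real path to audit a manager.
sample="$(make_sample)"
audit_shared "$sample"
rm -rf "$sample"
```

On a manager, `audit_shared /var/ossec/etc/shared` gives the list of folders to review before reorganizing groups with /var/ossec/bin/agent_groups.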
