Startup error after file modification and update

Cyprien Chapelle

Aug 23, 2022, 12:50:12 PM
to Wazuh mailing list
Hello,

I can no longer start the Wazuh service; I get this:
* wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2022-08-23 16:41:39 UTC; 5min ago
  Process: 324 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
    Tasks: 69 (limit: 4915)
   Memory: 326.4M
   CGroup: /system.slice/wazuh-manager.service
           |-378 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           |-400 /var/ossec/bin/wazuh-integratord
           |-421 /var/ossec/bin/wazuh-authd
           |-438 /var/ossec/bin/wazuh-db
           |-450 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           |-453 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           |-466 /var/ossec/bin/wazuh-execd
           |-480 /var/ossec/bin/wazuh-analysisd
           `-496 /var/ossec/bin/wazuh-syscheckd

Aug 23 16:41:25 wazuh-manager env[324]: Started wazuh-authd...
Aug 23 16:41:26 wazuh-manager env[324]: Started wazuh-db...
Aug 23 16:41:27 wazuh-manager env[324]: Started wazuh-execd...
Aug 23 16:41:27 wazuh-manager env[324]: 2022/08/23 16:41:27 wazuh-analysisd: ERROR: Could not set resource limit for file descriptors to 458752: Operation
Aug 23 16:41:28 wazuh-manager env[324]: Started wazuh-analysisd...
Aug 23 16:41:29 wazuh-manager env[324]: Started wazuh-syscheckd...
Aug 23 16:41:39 wazuh-manager env[324]: wazuh-remoted did not start correctly.
Aug 23 16:41:39 wazuh-manager systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Aug 23 16:41:39 wazuh-manager systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Aug 23 16:41:39 wazuh-manager systemd[1]: Failed to start Wazuh manager.

 








Cyprien Chapelle

Aug 23, 2022, 12:55:37 PM
to Wazuh mailing list
Sorry, I hadn't finished my message.

So before Wazuh wanted to work, I modified some files in "ruleset", then I updated Wazuh with apt-update.

Wazuh's version is now the latest. I don't remember which one was before...

Here are the logs from ossec.log:
2022/08/23 16:41:29 wazuh-remoted: ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1)
2022/08/23 16:41:29 wazuh-remoted: INFO: Started (pid: 511). Listening on port 1514/TCP (secure).
2022/08/23 16:41:29 wazuh-syscheckd: WARNING: (6924): Who-data engine cannot start because Auditd is not running.
2022/08/23 16:41:29 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.
2022/08/23 16:41:29 rootcheck: INFO: Starting rootcheck scan.
2022/08/23 16:41:29 wazuh-syscheckd: INFO: (6000): Starting daemon...
2022/08/23 16:41:29 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2022/08/23 16:41:29 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/08/23 16:41:29 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2022/08/23 16:41:29 wazuh-remoted: ERROR: Unable to open agent file. errno: 13
2022/08/23 16:41:29 wazuh-remoted: CRITICAL: (1103): Could not open file 'queue/rids/001' due to [(13)-(Permission denied)].
2022/08/23 16:41:31 wazuh-analysisd: ERROR: (1301): Unable to connect to active response queue.
2022/08/23 16:41:31 wazuh-analysisd: INFO: Connected to 'queue/alerts/execq' (exec queue)
2022/08/23 16:41:34 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/08/23 16:41:34 wazuh-syscheckd: INFO: (6012): Real-time file integrity monitoring started.
2022/08/23 16:41:46 rootcheck: INFO: Ending rootcheck scan.


is I think the proble

Mauro Agustín Malara

Aug 23, 2022, 1:27:05 PM
to Wazuh mailing list
Hello,

Thanks for using Wazuh!

Let's check what's going on here,

Before upgrading, how did you install Wazuh? I mean, did you install Wazuh using your operating system's package manager or did you install it from the sources?

Also, can you please share with me the output of the following command: `ls -la /var/ossec/queue/rids && ls -la /var/ossec/queue` ?

Finally, what version of Wazuh did you install initially and what is your operating system (distro and version)?

Best regards.

Cyprien Chapelle

Aug 24, 2022, 5:29:39 AM
to Wazuh mailing list
Hello and thank you for your answer.

I installed Wazuh through the repositories: deb https://packages.wazuh.com/3.x/apt/
following this documentation: https://connect.ed-diamond.com/Linux-Pratique/lphs -046/monitor-your-system-to-prevent-and-detect-malicious-action.

The version was 3.x, sorry I don't remember exactly.

Here is the result of the command:

root@wazuh-manager:~# ls -la /var/ossec/queue/rids && ls -la /var/ossec/queue
total 24
drwxrwx---  2 wazuh  wazuh 4096 Jul  5 14:00 .
drwxr-x--- 16 root   wazuh 4096 Aug 23 16:39 ..
-rw-r--r--  1 ossecr ossec    7 Jul  5 13:05 001
-rw-r--r--  1 ossecr ossec   10 Aug 23 15:44 002
-rw-r--r--  1 ossecr ossec    8 Jul 11 15:18 003
-rw-r--r--  1 ossecr ossec    9 Aug 23 15:48 sender_counter
total 64
drwxr-x--- 16 root  wazuh 4096 Aug 23 16:39 .
drwxr-x--- 21 root  wazuh 4096 Aug 23 15:52 ..
drwxrwx---  2 root  wazuh 4096 Jul  5 14:01 agent-groups
drwxr-x---  2 wazuh wazuh 4096 Nov 12  2021 agentless
-rw-------  1 root  wazuh    0 Aug 23 16:39 agents-timestamp
drwxrwx---  2 wazuh wazuh 4096 Aug 24 06:37 alerts
drwxrwx---  2 wazuh wazuh 4096 Nov 12  2021 cluster
drwxr-x---  2 wazuh wazuh 4096 Aug 24 09:24 db
drwxr-x---  6 wazuh wazuh 4096 Jul  5 14:01 diff
drwxr-x---  3 wazuh wazuh 4096 Jan 24  2022 fim
drwxr-x---  2 wazuh wazuh 4096 Jan 24  2022 fts
drwxr-x---  2 wazuh wazuh 4096 Jan 24  2022 logcollector
drwxrwx---  2 wazuh wazuh 4096 Jul  5 14:00 rids
drwxrwx---  2 wazuh wazuh 4096 Aug 24 06:37 sockets
drwxr-x---  3 wazuh wazuh 4096 Aug 23 15:53 syscollector
drwxrwx---  2 wazuh wazuh 4096 Aug 23 15:56 tasks
drw-rw----  3 root  wazuh 4096 Jan 24  2022 vulnerabilities

Finally, my operating system is Debian 10.

Cyprien Chapelle

Aug 24, 2022, 5:30:24 AM
to Wazuh mailing list

Mauro Agustín Malara

Aug 24, 2022, 10:55:30 AM
to Wazuh mailing list

Hi!

The problem is in the user and group of the files inside /var/ossec/queue/rids/. The ossec user is used by older versions of Wazuh; in version 4.3, Wazuh replaces this user with wazuh.

So, to make it work again, run the following commands in your manager:

  1. chown wazuh /var/ossec/queue/rids/* && chgrp wazuh /var/ossec/queue/rids/*
  2. systemctl restart wazuh-manager

Let me know if it works or if you have any questions.

Kind regards.
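
Added example (not part of the original reply and not Wazuh project code): a shell check that lists every entry under a directory whose owner or group is outside an allowed set, to find leftover pre-4.3 ownership beyond queue/rids. It goes beyond the fix above by scanning a whole tree; the allowed names (owners wazuh and root, group wazuh) are assumptions taken from the healthy entries in the listing earlier in this thread, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example: audit a Wazuh directory tree for legacy ownership left
# behind by an upgrade (e.g. ossecr:ossec files, as seen in this thread).
# Assumptions: allowed owners "wazuh root" and allowed group "wazuh",
# overridable through ALLOWED_USERS / ALLOWED_GROUPS.

# list_owners DIR: print "owner group path" for DIR and everything below it.
list_owners() {
    find "$1" -exec stat -c '%U %G %n' {} +
}

# flag_legacy_owners: read "owner group path" lines on stdin, print the ones
# whose owner or group is not allowed. Returns 1 if anything was flagged.
flag_legacy_owners() {
    awk -v users="${ALLOWED_USERS:-wazuh root}" \
        -v groups="${ALLOWED_GROUPS:-wazuh}" '
        BEGIN {
            n = split(users, u, " ");  for (i = 1; i <= n; i++) ok_u[u[i]] = 1
            n = split(groups, g, " "); for (i = 1; i <= n; i++) ok_g[g[i]] = 1
        }
        !($1 in ok_u) || !($2 in ok_g) { print; bad++ }
        END { exit (bad ? 1 : 0) }'
}

# audit_tree DIR: run the check against the live filesystem.
audit_tree() {
    list_owners "$1" | flag_legacy_owners
}

# Usage: sh audit.sh /var/ossec/queue   (exit status 1 means mismatches found)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it before restarting the manager; any line it prints is a file the wazuh user may be unable to open.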

Cyprien Chapelle

Aug 24, 2022, 11:32:36 AM
to Wazuh mailing list
Ok that was good, thank you very much for your responsiveness and efficiency, as usual haha :)

Have a good day.