Agents offline caching log data

[Stephen]

Hi guys, 

Here is my scenario. I've got an agent running on a device which goes offline occasionally. While the system is offline I would like to cache the logs locally and push it to the manager once I get back online. I tried to simulate the connection outage then modify a file....once I get online the manager didn't report the file integrity change. Any suggestions? 

Thanks 

Steve

[ola...@gmail.com]

I'm interested in the answer to this as well.

[Stephen]

I found this. But what if my system goes offline for 30 mins? 

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client_buffer.html

[rafael...@wazuh.com]

Hi Stephen,

you will need to set up a very large queue size for that scenario. Actually the maximum size is for 100000 elements.

If your agent is sending about let's say 200EPS it will be filled in 8 minutes.

We can consider to increase this limit in the next release of Wazuh.

Best regards.

[Stephen]

Hi Rafael,

Where can I see the number of EPS? It would be awesome if you could increase the cache! 

Thanks

Stephen 

[Stephen]

OK sorry, this part of the config 

  <client_buffer>

    <!-- Agent buffer options -->

    <disabled>no</disabled>

    <queue_size>5000</queue_size>

    <events_per_second>500</events_per_second>

  </client_buffer>

So what would happen if I limit the EPS to 20 and increase the queue size? Would I lose any logs by doing that? 

Thanks again 

Stephen 

[rafael...@wazuh.com]

Hi Stephen,

if you lower the maximum EPS you will have a lower throughput but the queue will get filled at the same rate regardless of the EPS.

Have in mind that a huge queue size will increase your RAM consumption.

Best regards.

On Tuesday, July 24, 2018 at 6:16:45 PM UTC+2, Stephen wrote:

[Stephen]

Hi, It seems like I am not getting any log data at all once I come back online even after 30 seconds of being offline.

My test scenario is the following:

1. I take the system offline

2. modify a config file which is in real time file integrity monitoring

3. take the system back online

4. No file integrity change reported on the Kibana side

 Is that because I am using UDP? Am I missing any additional config? 

Thanks

Stephen 

[Santiago Bassett]

Hi Stephen,

I run a few tests and I believe you should not lose events when you use TCP. Please give it a try.

UDP takes longer for the agent to realize that it is disconnected. TCP should be instantly.

Thanks!

[Stephen]

I have changed the config on the agent side to TCP. Now it can't connect to the server as I assume the port is not open on the manager side. Do you know how can I can fix this?  

Thanks 

Steve

[rafael...@wazuh.com]

Hi Stephen,

you must enable TCP on the manager. To do this edit the file /var/ossec/etc/ossec.conf and modify the <remote> block as follows:

 <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

Now on the agent edit the ossec.conf file:

  <client>
    <server>
      <address>YOUR_AMAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    . . .
  </client>

You can choose the ports you want as long as the are the same on the manager as on the agent.Remember that if the manager is on TCP, it wont accept UDP connections.

Best regards.

On Tuesday, July 24, 2018 at 6:16:45 PM UTC+2, Stephen wrote:

[Stephen]

Hi, I am getting the following error message on the manager: 

Started wazuh-db...

Started wazuh-modulesd...

Started ossec-execd...

Started ossec-analysisd...

Started ossec-syscheckd...

2018/07/31 08:23:41 ossec-remoted: ERROR: (1230): Invalid element in the configuration: 'queue_size'.

2018/07/31 08:23:41 ossec-remoted: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

2018/07/31 08:23:41 ossec-remoted: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

ossec-remoted did not start correctly.

I tried to remove the queue size variable and run it without that. -I am getting "unable to connect" log messages on the agent side. 

Thanks

Steve  

[Stephen]

Anyone? 

[rafael...@wazuh.com]

Hi Stephen,

make sure your agent can communicate with the manager by doing a ping . If your agent is able to communicate please post here your agent ossec.conf and your manager ossec.conf

Best regards.

On Tuesday, July 24, 2018 at 6:16:45 PM UTC+2, Stephen wrote:

[Stephen]

Hi yes, I can ping the manager. It only happens when I apply the new config. It works fine with UDP 

Agent :

  <client>

    <server>

      <address>IP</address>

      <port>1514</port>

      <protocol>tcp</protocol>

    </server>

    <config-profile>test</config-profile>

    <notify_time>60</notify_time>

    <time-reconnect>300</time-reconnect>

    <auto_restart>yes</auto_restart>

  </client>

Manager:

 <remote>

    <connection>secure</connection>

    <port>1514</port>

    <protocol>tcp</protocol>

  </remote>

[rafael...@wazuh.com]

Hi Stephen,

maybe you have the port 1514 in use. Please choose another port number like 5554, set it to TCP on both agent and manager and tell me if it works.

Best regards.

On Tuesday, July 24, 2018 at 6:16:45 PM UTC+2, Stephen wrote:

[rafael...@wazuh.com]

Hi Stephen,

have you checked your manager firewall settings for TCP ports? Maybe the issue is related to that.

Best regards.

On Tuesday, July 24, 2018 at 6:16:45 PM UTC+2, Stephen wrote:

[Stephen]

Hi, Yes I have and I am not blocking tcp traffic.