ossec-remoted: ERROR: (1106): String not correctly formated.


Gordon Maene

Feb 15, 2019, 6:45:50 AM
to Wazuh mailing list

Morning Wazuh Team

I’m receiving an error on one of our Wazuh manager servers but I can’t determine where the problem is.

I receive the error below.

2019/02/15 11:33:00 ossec-remoted: ERROR: (1106): String not correctly formated.

When I restart ossec-remoted with debugging enabled I get the following:

2019/02/15 11:41:49 ossec-remoted[104370] main.c:124 at main(): DEBUG: Starting ...
2019/02/15 11:41:49 ossec-remoted[104370] main.c:140 at main(): DEBUG: This is not a worker
2019/02/15 11:41:49 ossec-remoted[104370] main.c:202 at main(): INFO: Started (pid: 104372).
2019/02/15 11:41:49 ossec-remoted[104370] shared_download.c:604 at w_prepare_parsing(): DEBUG: Shared configuration file not found.
2019/02/15 11:41:49 ossec-remoted[104370] main.c:213 at main(): DEBUG: Forking remoted: '0'.
2019/02/15 11:41:49 ossec-remoted[104370] remoted.c:65 at HandleRemote(): CRITICAL: (1206): Unable to Bind port '443' due to [(98)-(Address already in use)]

If I run netstat, I can see the server is listening on the correct port 443/TCP but not sure why I am receiving this error.

[root@server-01 bin]# netstat -nap |grep remoted
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      93483/ossec-remoted

Is there anything else I can check to determine what the cause could be?

Thanks for your help.

Regards

Gordon

miguel....@wazuh.com

Feb 15, 2019, 6:39:42 PM
to Wazuh mailing list
Hello Gordon,

It seems there is something wrong with your configuration of remoted.

This message, "DEBUG: This is not a worker", makes me think that the manager understands that it has the configuration of a worker node of a Wazuh cluster.

I think there is no remote stanza configured in the ossec.conf file and it is trying to start on port 443 instead of the corresponding port for the communication of the agents.

Could you provide me with the version of your manager and with the ossec.conf file?

Regards,

Miguel Casares

Gordon Maene

Feb 18, 2019, 6:26:46 AM
to Wazuh mailing list
Hi Miguel

Thanks a lot for having a look at this for me.

Just a bit of background information that might assist in troubleshooting.

We have 1 x server with Elasticsearch and Kibana running on it.

We have 2 x servers with Wazuh-manager roles, wazuh-api roles and logstash, both pointing to the same Elasticsearch server.

Everything seemed to be running fine until I went through upgrading from 3.7.0 to 3.8.2. It was only then that I noticed the ossec-remoted: ERROR: (1106) error.

Version along with ossec.conf below. 

Let me know if you need anything else from my side.

Regards

Gordon


{
  "name" : "9uxYeLa",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "x2XKCDdgQEyTUPblO_3aTQ",
  "version" : {
    "number" : "6.6.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "a9861f4",
    "build_date" : "2019-01-24T11:27:09.439740Z",
    "build_snapshot" : false,
    "lucene_version" : "7.6.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
[root@azu-pro-elk-01 lib]#

############

Manager 1

Version
v3.8.2
Compilation date
Wed Jan 30 12:15:49 UTC 2019
Installation path
/var/ossec
Installation type
manager
Agents limit
14000
OpenSSL Support
yes


###########

Manager 2

Version
v3.8.2
Compilation date
Wed Jan 30 12:15:49 UTC 2019
Installation path
/var/ossec
Installation type
manager
Agents limit
14000
OpenSSL Support
yes

<!--
  Wazuh - Manager - Default configuration for centos 7
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>oss...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <queue_size>131072</queue_size>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>443</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/rootcheck/cis_rhel7_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <wodle name="vulnerability-detector">
    <disabled>no</disabled>
    <interval>120m</interval>
    <run_on_start>yes</run_on_start>
    <feed name="ubuntu-18">
      <disabled>no</disabled>
      <update_interval>4h</update_interval>
    </feed>
    <feed name="redhat">
      <disabled>no</disabled>
      <update_interval>4h</update_interval>
    </feed>
    <feed name="debian-9">
      <disabled>no</disabled>
      <update_interval>4h</update_interval>
    </feed>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>

    <!-- Remove not monitored files -->
    <remove_old_diff>yes</remove_old_diff>

    <!-- Allow the system to restart Auditd after installing the plugin -->
    <restart_audit>yes</restart_audit>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>168.63.129.16</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null-2012</name>
    <executable>route-null-2012.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh-win-2016</name>
    <executable>netsh-win-2016.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-sources</list>
    <list>etc/lists/amazon/aws-eventnames</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <!-- Configuration for ossec-authd
    To enable this service, run:
    ossec-control enable auth
  -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>

Gordon Maene

Feb 19, 2019, 11:31:50 AM
to Wazuh mailing list
Hi Miguel

Have you managed to have a look at this at all?

Oddly, it's only the one wazuh-manager server suffering from this problem.

Is there anything else I can check in order to resolve the issue?

Thanks

Gordon



miguel....@wazuh.com

Feb 19, 2019, 12:47:40 PM
to Wazuh mailing list
Hello Gordon, 

Sorry for the late reply.

I think here is the problem:
  <remote>
    <connection>secure</connection>
    <port>443</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

You have configured port 443 to run remoted. By default, we use port 1514. You can use another port for this, but I think port 443 could be used by another service or process. Could you check this, please?

netstat -tunap | grep 443

Regards,

Miguel Casares

Gordon Maene

Feb 20, 2019, 9:28:58 AM
to Wazuh mailing list
Hi Miguel

No worries, I know you guys are busy.

I don't believe that is the cause.

We've been running wazuh-manager on 443/TCP since we built it last year without any issues whatsoever.

As I mentioned, we have 2 x wazuh-manager connected to the same Elasticsearch server, both configured the same (using 443/TCP for remoted) and only the one server seems to be suffering from this issue.

Below the output from netstat -tunap | grep 443

### Server with 1106 error ###

[root@wazuh-manager-01 conf.d]# netstat -tunap | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:57562     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:53242     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:51763      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50896     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59507     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54516     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:63819    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59676      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        223.74.122.11:61773     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49351     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49431     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:62538     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:26625    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51342     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52389     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49468     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:57878      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:60461     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:59233     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:58876     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:25600    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54098     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:61520    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:61223      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52099     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59646      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        47.119.153.242:29696    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49486     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54543     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54170     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        178.251.177.47:64970    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49923     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59195     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50015     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:31744    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:49272     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:61791     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53721     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.1.22.92:52148       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:64343     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59421     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:64126     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49338     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53595     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.63.50.131:56024     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:55021     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49764     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59658      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        223.74.122.11:63501     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:58997    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        37.122.198.146:53327    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:55683     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56214     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:60817     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52692     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        86.111.164.123:54825    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49757     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50775     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59678      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        223.74.122.11:51744     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:61915     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51234     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50721     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50319     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51158     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.1.22.92:50377       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:64273    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54669     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:59778     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        86.111.164.123:54292    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56532     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56691     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59614      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        223.74.122.11:59846     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53036     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        94.193.196.90:55822     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:19456    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:54847      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59674      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        213.63.50.131:59259     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52949     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        86.159.240.134:54238    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.1.22.92:51732       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        37.122.198.146:53522    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:23488    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.63.50.131:57065     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        94.193.196.90:55426     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59321     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:33221     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:27648    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:37208     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53821     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52839     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54040     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        234.46.37.16:1984       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:32768    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54649     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        37.122.198.146:53733    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53328     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:62234    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        86.159.240.134:53970    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:62112     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:20480    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59630      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:59612      63.146.232.122:443      TIME_WAIT   -
tcp        0      0 174.21.23.23:443        223.74.122.11:49509     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:49492    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51504     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52279     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49465     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59152     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:60441    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54515     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:54467      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:57364     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:33792    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56019     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:21504    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49404     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:62423    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.63.50.131:49425     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.1.22.92:50552       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:62560     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53426     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:54425     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        179.97.96.207:57951      ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56039     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56959     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:53437     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51416     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50023     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56721     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:51124     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:59376     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:22208    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:62666     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:62976    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:52524     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        47.119.153.242:30720    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:56591     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:49328     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.63.50.131:56728     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:52614     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:55673     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        173.70.162.135:52223    ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:50261     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:52631     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        213.1.22.92:53636       ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:55736     ESTABLISHED 115470/ossec-remote


#### wazuh-manager-02 - which is working ###

[root@wazuh-manager-02 etc]# netstat -tunap | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1807/ossec-remoted
tcp        0      0 175.28.1.9:443         163.98.98.210:60560    ESTABLISHED 1807/ossec-remoted
tcp        0      0 175.28.1.9:443         181.89.94.13:39028     ESTABLISHED 1807/ossec-remoted
tcp        0      0 175.28.1.9:46494       144.140.148.48:443       TIME_WAIT   -
tcp        0      0 175.28.1.9:443         181.89.94.13:62060     ESTABLISHED 1807/ossec-remoted
tcp        0      0 175.28.1.9:443         181.89.94.13:52189     ESTABLISHED 1807/ossec-remoted
tcp        0      0 175.28.1.9:443         181.89.94.13:144959     ESTABLISHED 1807/ossec-remoted


Anything else I can look at?

Thanks again for the help

Regards

Gordon

miguel....@wazuh.com

Feb 20, 2019, 4:15:09 PM
to Wazuh mailing list
Hi Gordon,

Sorry, my bad. Then, I think this error:

2019/02/15 11:41:49 ossec-remoted[104370] remoted.c:65 at HandleRemote(): CRITICAL: (1206): Unable to Bind port '443' due to [(98)-(Address already in use)]

is due to you launching the debug mode without stopping the current remoted process. I recommend you kill the daemon and launch it again in debug mode to get back to the first issue: ossec-remoted: ERROR: (1106): String not correctly formated

This way we can get more information about that issue.

Regards,

Miguel Casares

Gordon Maene

Feb 21, 2019, 9:57:45 AM
to Wazuh mailing list
Hi Miguel

Thanks for that, makes sense.

I've attached two log files, one was run with debug=1, the other with debug=2 (not sure if it makes a difference)

Oddly, I'm still not seeing much information which could point me to determining what the problem could be.

Thanks again for all the help.

Regards

Gordon
debug_output.txt
debug_output_1.txt

miguel....@wazuh.com

Feb 21, 2019, 5:33:38 PM
to Wazuh mailing list
Hello Gordon,

I can see the error happens when a new TCP connection is established:
2019/02/21 10:50:54 ossec-remoted[9889] secure.c:162 at HandleSecure(): DEBUG: New TCP connection at 194.74.152.11 [113]
2019/02/21 10:50:54 ossec-remoted[9889] mq_op.c:69 at SendMSG(): ERROR: (1106): String not correctly formated

That error means that the manager cannot read the events those connections are sending to it. Probably, it is not a Wazuh agent trying to connect to the manager; maybe it is another device, such as a firewall or router. Could you check that, please?

Regards,

Miguel Casares
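
Miguel's diagnosis above (a non-agent peer talking to the remoted port) and Gordon's earlier netstat listing suggest a mechanical way to find the culprit rather than reading hundreds of rows by eye. The script below is an added example, not code from this thread or from Wazuh itself. It takes the three artefacts the thread already has, a `netstat -tunap` listing, the remoted debug log, and the manager's `/var/ossec/etc/client.keys`, and reports which peers hold sessions on the remoted port but match no registered agent, plus a heuristic attribution of each (1106) error to the most recent "New TCP connection" line before it. The sample netstat rows, log lines and client.keys entries are constructed for the example (the IPs, agent names and keys are made up), and the function names are the example's own. Two caveats a practitioner should keep in mind: remoted does not stamp the (1106) error with a peer address, so on a busy manager the nearest preceding connection line can belong to a different peer (treat the attribution as a lead to confirm with a packet capture or by temporarily filtering the suspect IP, not as proof); and agents behind NAT appear as the NAT address, while a client.keys entry of `any` makes the registry check vacuous, which the code flags rather than silently ignores.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# --- Constructed sample inputs (made up for this example) -------------------

# `netstat -tunap` rows filtered to the remoted port, in the format seen in the
# thread. The TIME_WAIT row is an *outbound* connection to some other host's
# 443 (local port is ephemeral) and must not be counted as an agent session.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      115470/ossec-remote
tcp        0      0 174.21.23.23:443        223.74.122.11:57562     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        33.39.137.225:53242     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:443        194.74.152.11:40122     ESTABLISHED 115470/ossec-remote
tcp        0      0 174.21.23.23:59676      63.146.232.122:443      TIME_WAIT   -
"""

# remoted debug log excerpt (constructed, modelled on the lines quoted above).
SAMPLE_LOG = """\
2019/02/21 10:50:53 ossec-remoted[9889] secure.c:162 at HandleSecure(): DEBUG: New TCP connection at 223.74.122.11 [98]
2019/02/21 10:50:54 ossec-remoted[9889] secure.c:162 at HandleSecure(): DEBUG: New TCP connection at 194.74.152.11 [113]
2019/02/21 10:50:54 ossec-remoted[9889] mq_op.c:69 at SendMSG(): ERROR: (1106): String not correctly formated
2019/02/21 10:51:10 ossec-remoted[9889] secure.c:162 at HandleSecure(): DEBUG: New TCP connection at 194.74.152.11 [114]
2019/02/21 10:51:10 ossec-remoted[9889] mq_op.c:69 at SendMSG(): ERROR: (1106): String not correctly formated
"""

# client.keys format: "<id> <name> <ip> <key>"; <ip> may be a single address,
# a CIDR range, or "any". Keys below are placeholders, not real agent keys.
SAMPLE_CLIENT_KEYS = """\
001 web-01 223.74.122.11 0000000000000000000000000000000000000000000000000000000000000001
002 db-01 33.39.137.225 0000000000000000000000000000000000000000000000000000000000000002
003 office-lan 10.20.0.0/16 0000000000000000000000000000000000000000000000000000000000000003
"""

# proto recv-q send-q local:port foreign:port state [pid/prog]
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")
CONN_RE = re.compile(r"New TCP connection at (\d+\.\d+\.\d+\.\d+)")
ERR_1106_RE = re.compile(r"ERROR: \(1106\)")


def established_peers(netstat_text, port):
    """Count ESTABLISHED sessions per foreign IP whose *local* port is <port>.
    Rows where <port> is on the foreign side are our own outbound connections
    (the TIME_WAIT rows in the thread) and are skipped."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state == "ESTABLISHED" and int(local_port) == port:
            peers[remote_ip] += 1
    return peers


def registered_networks(client_keys_text):
    """Parse client.keys into (list of ip_network, has_wildcard). Lines whose
    id starts with '!' are keys marked as removed and are ignored."""
    nets, wildcard = [], False
    for line in client_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith(("#", "!")):
            continue
        if parts[2] == "any":
            wildcard = True
        else:
            nets.append(ip_network(parts[2], strict=False))
    return nets, wildcard


def unregistered(ips, nets, wildcard):
    """IPs that match no client.keys entry. With an 'any' key every peer could
    legitimately be an agent, so nothing can be ruled out: return []."""
    if wildcard:
        return []
    return sorted(ip for ip in ips if not any(ip_address(ip) in n for n in nets))


def attribute_1106_errors(log_text):
    """Heuristic: charge each (1106) error to the peer of the most recent
    'New TCP connection' line before it. remoted does not tag the error with
    a peer, so this is only reliable when the debug log is fairly quiet."""
    last_ip, hits = None, Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            last_ip = m.group(1)
        elif ERR_1106_RE.search(line) and last_ip:
            hits[last_ip] += 1
    return hits


def triage(netstat_text, log_text, client_keys_text, port):
    """Combine the three views into one report."""
    peers = established_peers(netstat_text, port)
    nets, wildcard = registered_networks(client_keys_text)
    return {
        "sessions_per_peer": dict(peers),
        "unregistered_peers": unregistered(peers, nets, wildcard),
        "errors_1106_by_peer": dict(attribute_1106_errors(log_text)),
        "wildcard_key_present": wildcard,
    }


if __name__ == "__main__":
    # Against a live manager, replace the samples with the contents of
    # /var/ossec/logs/ossec.log, /var/ossec/etc/client.keys and a captured
    # `netstat -tunap` listing, and pass the <port> from the <remote> stanza.
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_LOG, SAMPLE_CLIENT_KEYS, 443).items():
        print(f"{key}: {value}")
```

On the constructed data the report names 194.74.152.11 as the only peer on port 443 that is not in client.keys and also as the peer that precedes both (1106) lines, which is the kind of convergence worth acting on. Running remoted on 443 makes this class of problem more likely than on 1514, since anything that scans or probes for HTTPS will happily open a TCP session to it; if the port cannot be changed, restricting the listener to agent source ranges at the host firewall removes the noise.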

Gordon Maene

Feb 27, 2019, 4:37:06 AM
to Wazuh mailing list
Hi Miguel

Apologies for the delayed response.

Thanks a lot for having a look at this for me, I'm having a look into that particular device and trying to track down what it's sending through.

I'll give you an update once I've tracked it down.

Regards

Gordon

miguel....@wazuh.com

Feb 27, 2019, 9:21:58 AM
to Wazuh mailing list
Hello Gordon,

You are welcome.

Let me know if you need further help.

Regards,

Miguel Casares