ossec-remoted: ERROR: (1106): String not correctly formated.

Gordon Maene

unread,

Feb 15, 2019, 6:45:50 AM2/15/19

to Wazuh mailing list

Morning Wazuh Team

I’m receiving an error on one of our Wazuh manager servers but I can’t determine where the problem is.

I receive the error below.

2019/02/15 11:33:00 ossec-remoted: ERROR: (1106): String not correctly formated.

When I restart ossec-remoted with debugging enabled I get the following:

2019/02/15 11:41:49 ossec-remoted[104370] main.c:124 at main(): DEBUG: Starting ...

2019/02/15 11:41:49 ossec-remoted[104370] main.c:140 at main(): DEBUG: This is not a worker

2019/02/15 11:41:49 ossec-remoted[104370] main.c:202 at main(): INFO: Started (pid: 104372).

2019/02/15 11:41:49 ossec-remoted[104370] shared_download.c:604 at w_prepare_parsing(): DEBUG: Shared configuration file not found.

2019/02/15 11:41:49 ossec-remoted[104370] main.c:213 at main(): DEBUG: Forking remoted: '0'.

2019/02/15 11:41:49 ossec-remoted[104370] remoted.c:65 at HandleRemote(): CRITICAL: (1206): Unable to Bind port '443' due to [(98)-(Address already in use)]

If I run netstat, I can see the server is listening on the correct port 443/TCP but not sure why I am receiving this error.

[root@server-01 bin]# netstat -nap |grep remoted

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 93483/ossec-remoted

Is there anything else I can check to determine what the cause could be?

Thanks for your help.

Regards

Gordon

miguel....@wazuh.com

unread,

Feb 15, 2019, 6:39:42 PM2/15/19

to Wazuh mailing list

Hello Gordon,

It seems there is something wrong with your configuration of remoted.

This message: "DEBUG: This is not a worker", makes me think that the manager is understanding that has the configuration of a worker node of a Wazuh cluster.

I think there is no remote stanza configured in the ossec.conf file and is trying to boot in the port of the 443 instead of the corresponding port for the communication of the agents.

Could you provide me with the version of your manager and with the ossec.conf file?

Regards,

Miguel Casares

Gordon Maene

unread,

Feb 18, 2019, 6:26:46 AM2/18/19

to Wazuh mailing list

Hi Miguel

Thanks a lot for having a look at this for me.

Just a bit of background information that might assist in troubleshooting.

We have 1 x server with Elasticsearch and Kibana running on it.

We have 2 x servers with Wazuh-manager roles, wazuh-api roles and logstash, both poitning to the same Elasticsearch server.

Everything seemed to be running fine until I went through upgrading from 3.7.0 to 3.8.2. It was only then that I noticed the ossec-remoted: ERROR: (1106) error.

Version along with ossec.conf below.

Let me know if you need anything else from my side.

Regards

Gordon

{

"name" : "9uxYeLa",

"cluster_name" : "elasticsearch",

"cluster_uuid" : "x2XKCDdgQEyTUPblO_3aTQ",

"version" : {

"number" : "6.6.0",

"build_flavor" : "default",

"build_type" : "rpm",

"build_hash" : "a9861f4",

"build_date" : "2019-01-24T11:27:09.439740Z",

"build_snapshot" : false,

"lucene_version" : "7.6.0",

"minimum_wire_compatibility_version" : "5.6.0",

"minimum_index_compatibility_version" : "5.0.0"

},

"tagline" : "You Know, for Search"

}

[root@azu-pro-elk-01 lib]#

############

Manager 1

Version

v3.8.2

Compilation date

Wed Jan 30 12:15:49 UTC 2019

Installation path

/var/ossec

Installation type

manager

Agents limit

14000

OpenSSL Support

yes

###########

Manager 2

Version

v3.8.2

Compilation date

Wed Jan 30 12:15:49 UTC 2019

Installation path

/var/ossec

Installation type

manager

Agents limit

14000

OpenSSL Support

yes

<!--

Wazuh - Manager - Default configuration for centos 7

More info at: https://documentation.wazuh.com

Mailing list: https://groups.google.com/forum/#!forum/wazuh

-->

<ossec_config>

<jsonout_output>yes</jsonout_output>

<alerts_log>yes</alerts_log>

<logall_json>yes</logall_json>

<email_notification>no</email_notification>

<smtp_server>smtp.example.wazuh.com</smtp_server>

<email_from>oss...@example.wazuh.com</email_from>

<email_to>reci...@example.wazuh.com</email_to>

<email_maxperhour>12</email_maxperhour>

<queue_size>131072</queue_size>

</global>

<log_alert_level>3</log_alert_level>

<email_alert_level>6</email_alert_level>

</alerts>

<log_format>plain</log_format>

</logging>

<connection>secure</connection>

<queue_size>131072</queue_size>

</remote>

<check_unixaudit>yes</check_unixaudit>

<check_files>yes</check_files>

<check_trojans>yes</check_trojans>

<check_dev>yes</check_dev>

<check_sys>yes</check_sys>

<check_pids>yes</check_pids>

<check_ports>yes</check_ports>

<check_if>yes</check_if>

<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>

<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>

<system_audit>/var/ossec/etc/rootcheck/cis_rhel7_linux_rcl.txt</system_audit>

<skip_nfs>yes</skip_nfs>

</rootcheck>

<scan-on-start>yes</scan-on-start>

<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>

<profile>xccdf_org.ssgproject.content_profile_common</profile>

</content>

</wodle>

<scan-on-start>yes</scan-on-start>

<java_path>wodles/java</java_path>

<ciscat_path>wodles/ciscat</ciscat_path>

</wodle>

<run_daemon>yes</run_daemon>

<log_path>/var/log/osquery/osqueryd.results.log</log_path>

<config_path>/etc/osquery/osquery.conf</config_path>

<add_labels>yes</add_labels>

</wodle>

<scan_on_start>yes</scan_on_start>

</wodle>

<run_on_start>yes</run_on_start>

<update_interval>4h</update_interval>

</feed>

<update_interval>4h</update_interval>

</feed>

<update_interval>4h</update_interval>

</feed>

</wodle>

<scan_on_start>yes</scan_on_start>

<alert_new_files>yes</alert_new_files>

<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

<ignore>/etc/hosts.deny</ignore>

<ignore>/etc/mail/statistics</ignore>

<ignore>/etc/random-seed</ignore>

<ignore>/etc/random.seed</ignore>

<ignore>/etc/adjtime</ignore>

<ignore>/etc/httpd/logs</ignore>

<ignore>/etc/utmpx</ignore>

<ignore>/etc/wtmpx</ignore>

<ignore>/etc/cups/certs</ignore>

<ignore>/etc/dumpdates</ignore>

<ignore>/etc/svc/volatile</ignore>

<ignore>/sys/kernel/security</ignore>

<ignore>/sys/kernel/debug</ignore>

<nodiff>/etc/ssl/private.key</nodiff>

<skip_nfs>yes</skip_nfs>

<remove_old_diff>yes</remove_old_diff>

<restart_audit>yes</restart_audit>

</syscheck>

<white_list>127.0.0.1</white_list>

<white_list>^localhost.localdomain$</white_list>

<white_list>168.63.129.16</white_list>

</global>

<name>disable-account</name>

<executable>disable-account.sh</executable>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>restart-ossec</name>

<executable>restart-ossec.sh</executable>

</command>

<name>firewall-drop</name>

<executable>firewall-drop.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>route-null</name>

<executable>route-null.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>win_route-null</name>

<executable>route-null.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>win_route-null-2012</name>

<executable>route-null-2012.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>netsh</name>

<executable>netsh.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>netsh-win-2016</name>

<executable>netsh-win-2016.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<!--

<active-response>

active-response options here

</active-response>

-->

<log_format>command</log_format>

</localfile>

<log_format>full_command</log_format>

<command>netstat -tulpn | sed 's/$[[:alnum:]]\+$\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+$.*$:$[[:digit:]]*$\ \+$[0-9\.\:\*]\+$.\+\ $[[:digit:]]*\/[[:alnum:]\-]*$.*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == $.*$ ==/:\1/' | sed 1,2d</command>

<alias>netstat listening ports</alias>

</localfile>

<log_format>full_command</log_format>

</localfile>

<decoder_dir>ruleset/decoders</decoder_dir>

<rule_dir>ruleset/rules</rule_dir>

<rule_exclude>0215-policy_rules.xml</rule_exclude>

<list>etc/lists/audit-keys</list>

<list>etc/lists/amazon/aws-sources</list>

<list>etc/lists/amazon/aws-eventnames</list>

<decoder_dir>etc/decoders</decoder_dir>

<rule_dir>etc/rules</rule_dir>

</ruleset>

<!-- Configuration for ossec-authd

To enable this service, run:

ossec-control enable auth

-->

<auth>

<use_source_ip>no</use_source_ip>

<force_insert>yes</force_insert>

<force_time>0</force_time>

<use_password>no</use_password>

<limit_maxagents>yes</limit_maxagents>

<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>

<ssl_verify_host>no</ssl_verify_host>

<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>

<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>

<ssl_auto_negotiate>no</ssl_auto_negotiate>

</auth>

<name>wazuh</name>

<node_name>node01</node_name>

<node_type>master</node_type>

<bind_addr>0.0.0.0</bind_addr>

<nodes>

</nodes>

</cluster>

</ossec_config>

<ossec_config>

<log_format>audit</log_format>

<location>/var/log/audit/audit.log</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/ossec/logs/active-responses.log</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/log/messages</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/log/secure</location>

</localfile>

<log_format>syslog</log_format>

<location>/var/log/maillog</location>

</localfile>

</ossec_config>

Gordon Maene

unread,

Feb 19, 2019, 11:31:50 AM2/19/19

to Wazuh mailing list

Hi Miguel

Have you managed to have a look at this at all?

Oddly, it's only the one wazuh-manager server suffering from this problem.

Is there anything else I can check in order to resolve the issue?

Thanks

Gordon

On Friday, 15 February 2019 23:39:42 UTC, miguel....@wazuh.com wrote:

miguel....@wazuh.com

unread,

Feb 19, 2019, 12:47:40 PM2/19/19

to Wazuh mailing list

Hello Gordon,

Sorry for the late reply.

I think here is the problem:

<remote>
    <connection>secure</connection>
    <port>443</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

You have configured the port 443 to run remoted. By default, we use the port 1514. You can use another port to this, but I think the port 443 could be used by another service or process. Could you check this, please?

netstat -tunap | grep 443

Regards,

Miguel Casares

Gordon Maene

unread,

Feb 20, 2019, 9:28:58 AM2/20/19

to Wazuh mailing list

Hi Miguel

No worries, I know you guys are busy.

I don't believe that is the cause.

We've been running wazuh-manager on 443/TCP since we built it last year without any issues what so ever.

As I mentioned, we have 2 x wazuh-manager connected to the same Elasticsearch server, both configured the same (using 443/TCP for remoted) and only the one server seems to be suffering from this issue.

Below the output from netstat -tunap | grep 443

### Server with 1106 error ###

[root@wazuh-manager-01 conf.d]# netstat -tunap | grep 443

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:57562 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:53242 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:51763 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50896 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59507 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54516 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:63819 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59676 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 223.74.122.11:61773 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49351 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49431 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:62538 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:26625 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51342 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52389 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49468 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:57878 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:60461 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:59233 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:58876 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:25600 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54098 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:61520 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:61223 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52099 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59646 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 47.119.153.242:29696 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49486 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54543 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54170 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 178.251.177.47:64970 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49923 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59195 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50015 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:31744 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:49272 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:61791 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53721 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.1.22.92:52148 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:64343 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59421 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:64126 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49338 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53595 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.63.50.131:56024 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:55021 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49764 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59658 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 223.74.122.11:63501 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:58997 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 37.122.198.146:53327 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:55683 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56214 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:60817 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52692 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 86.111.164.123:54825 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49757 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50775 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59678 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 223.74.122.11:51744 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:61915 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51234 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50721 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50319 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51158 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.1.22.92:50377 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:64273 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54669 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:59778 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 86.111.164.123:54292 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56532 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56691 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59614 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 223.74.122.11:59846 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53036 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 94.193.196.90:55822 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:19456 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:54847 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59674 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 213.63.50.131:59259 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52949 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 86.159.240.134:54238 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.1.22.92:51732 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 37.122.198.146:53522 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:23488 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.63.50.131:57065 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 94.193.196.90:55426 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59321 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:33221 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:27648 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:37208 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53821 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52839 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54040 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 234.46.37.16:1984 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:32768 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54649 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 37.122.198.146:53733 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53328 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:62234 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 86.159.240.134:53970 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:62112 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:20480 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:59630 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:59612 63.146.232.122:443 TIME_WAIT -

tcp 0 0 174.21.23.23:443 223.74.122.11:49509 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:49492 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51504 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52279 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49465 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59152 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:60441 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54515 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:54467 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:57364 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:33792 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56019 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:21504 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49404 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:62423 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.63.50.131:49425 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.1.22.92:50552 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:62560 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53426 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:54425 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 179.97.96.207:57951 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56039 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56959 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:53437 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51416 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50023 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56721 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:51124 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:59376 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:22208 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:62666 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:62976 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:52524 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 47.119.153.242:30720 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:56591 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:49328 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.63.50.131:56728 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:52614 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:55673 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 173.70.162.135:52223 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:50261 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 33.39.137.225:52631 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 213.1.22.92:53636 ESTABLISHED 115470/ossec-remote

tcp 0 0 174.21.23.23:443 223.74.122.11:55736 ESTABLISHED 115470/ossec-remote

#### wazuh-manager-02 - which is working ###

[root@wazuh-manager-02 etc]# netstat -tunap | grep 443

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1807/ossec-remoted

tcp 0 0 175.28.1.9:443 163.98.98.210:60560 ESTABLISHED 1807/ossec-remoted

tcp 0 0 175.28.1.9:443 181.89.94.13:39028 ESTABLISHED 1807/ossec-remoted

tcp 0 0 175.28.1.9:46494 144.140.148.48:443 TIME_WAIT -

tcp 0 0 175.28.1.9:443 181.89.94.13:62060 ESTABLISHED 1807/ossec-remoted

tcp 0 0 175.28.1.9:443 181.89.94.13:52189 ESTABLISHED 1807/ossec-remoted

tcp 0 0 175.28.1.9:443 181.89.94.13:144959 ESTABLISHED 1807/ossec-remoted

Anything else I can look at?

Thanks again for the help

Regards

Gordon

miguel....@wazuh.com

unread,

Feb 20, 2019, 4:15:09 PM2/20/19

to Wazuh mailing list

Hi Gordon,

Sorry, my bad. Then, I think this error:

2019/02/15 11:41:49 ossec-remoted[104370] remoted.c:65 at HandleRemote(): CRITICAL: (1206): Unable to Bind port '443' due to [(98)-(Address already in use)]

Is due to you launched the debug mode without stopping the current remoted process. I recommend you to kill the dameon and launch again in debug mode to get back to the first issue: ossec-remoted: ERROR: (1106): String not correctly formated

This way we can get more information about that issue.

Regards,

Miguel Casares

Gordon Maene

unread,

Feb 21, 2019, 9:57:45 AM2/21/19

to Wazuh mailing list

Hi Miguel

Thanks for that, makes sense.

I've attached two log files, one was run with debug=1, the other with debug=2 (not sure if it makes a difference)

Oddly, I'm still not seeing much information which could point me to determining what the problem could be.

Thanks again for all the help.

Regards

Gordon

debug_output.txt

debug_output_1.txt

miguel....@wazuh.com

unread,

Feb 21, 2019, 5:33:38 PM2/21/19

to Wazuh mailing list

Hello Gordon,

I can see the error happens when a new TCP connection is established:

2019/02/21 10:50:54 ossec-remoted[9889] secure.c:162 at HandleSecure(): DEBUG: New TCP connection at 194.74.152.11 [113]
2019/02/21 10:50:54 ossec-remoted[9889] mq_op.c:69 at SendMSG(): ERROR: (1106): String not correctly formated

That error means that the manager cannot read the events those connection are sending to him. Probably, it is not a Wazuh agent trying to connect to the manager, maybe is another device, such as a firewall or router. Could you check that, please?

Regards,

Miguel Casares

Gordon Maene

unread,

Feb 27, 2019, 4:37:06 AM2/27/19

to Wazuh mailing list

Hi Miguel

Apologies for the delayed response.

Thanks a lot for having a look at this for me, I'm having a look into that particular device and trying to track down what it's sending through.

I'll give you an update once I've tracked it down.

Regards

Gordon

miguel....@wazuh.com

unread,

Feb 27, 2019, 9:21:58 AM2/27/19

to Wazuh mailing list

Hello Gordon,

You are welcome.

Let me know if you need further help.

Regards,

Miguel Casares

Reply all

Reply to author

Forward