ossec-remoted: ERROR: Too big message size from


Stuart abrams-humphries

Oct 10, 2018, 8:35:46 AM
to Wazuh mailing list
Hi,

limited experience of ossec/wazuh -- I have a simple setup - 18 ubuntu1404 nodes and two solaris sparc 11.3 nodes.

all running wazuh - I've tried with versions 3.2.3 and also 3.5.0 and 3.6.1

All Linux boxes work OK and report fine; however, I'm getting repeated:

"ossec-remoted: ERROR: Too big message size from .." 

on the wazuh server (ubuntu) - tried googling but no joy - anyone have any ideas please?

I'm assuming some configuration setting? or is a solaris client incompatible with an ubuntu server?

thanks in advance

Stuart

Miguel Ruiz

Oct 10, 2018, 1:20:40 PM
to Wazuh mailing list
Hi Stuart,

The information you gave us is very useful; it would also be helpful if you could give us the current version of the manager and the agent.

Can you execute this command in the manager and the agent and send us the output?
cat /var/ossec/logs/ossec.log | grep -i error

Maybe with previous logs from the manager and logs from the agent side, we can get more information about what is happening.

Best regards,
Miguel R.

Stuart abrams-humphries

Oct 11, 2018, 5:09:09 AM
to Wazuh mailing list
Hi,
We started on 3.2.3 everywhere but upgraded to 3.6.1 everywhere in the hope it would fix things - same error

All the ubuntu nodes are ok - everything great there.
However on Solaris client (sparc, solaris 11.3):

no errors in log file (grep -i err returns nothing)

however have:
2018/10/11 10:02:38 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: x.a.b.c.d
2018/10/11 10:03:39 ossec-agentd: INFO: Trying to connect to server (v.w.x.y:1514).


I've obfuscated the IP addresses. The above messages continually repeat.


On the server we get continuously:
2018/10/11 09:08:04 ossec-remoted: ERROR: Too big message size from x.b.c.d

Stuart abrams-humphries

Oct 11, 2018, 9:57:46 AM
to Wazuh mailing list
I've googled this:

Not sure it's been fixed - I wonder if there is a general issue with Solaris SPARC?

Miguel Ruiz

Oct 11, 2018, 11:56:38 AM
to Wazuh mailing list
Hi Stuart,

Yes, it might be possible that the issue with Solaris SPARC message size isn't fixed yet.

It is weird, because we test the Wazuh agent in Solaris SPARC environments for every release, and we have made a lot of changes to the communication protocol since version 2.1.1.

It would be helpful if you can give us all the information you can about your system and configuration, so we can try to replicate the issue in our lab.

Sorry for the inconvenience.

Best regards,
Miguel R.

Stuart abrams-humphries

Oct 15, 2018, 5:35:12 AM
to Wazuh mailing list
On Solaris we are running:
pkg info kernel
             Name: system/kernel
          Summary: Core Kernel
      Description: Core operating system kernel, device drivers and other
                   modules.
         Category: System/Core
            State: Installed
        Publisher: solaris
          Version: 0.5.11
    Build Release: 5.11
           Branch: 0.175.3.28.0.4.0
   Packaging Date: January  5, 2018 04:53:50 PM 
             Size: 17.22 MB
             FMRI: pkg://solaris/system/ker...@0.5.11,5.11-0.175.3.28.0.4.0:20180105T165350Z

The ossec.conf on the Solaris client is (I've changed the actual IP to a.b.c.d here - in reality it's an IP address!):


cat ossec.conf
<!--
  Wazuh - Agent - Default configuration for sunos 5.11
-->

<ossec_config>
  <client>
    <server>
      <address>a.b.c.d </address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>sunos, sunos5, sunos5.11</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
  </wodle>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>


  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>

    <!-- Remove not monitored files -->
    <remove_old_diff>yes</remove_old_diff>

    <!-- Allow the system to restart Auditd after installing the plugin -->
    <restart_audit>yes</restart_audit>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/messages</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

Miguel Ruiz

Oct 15, 2018, 10:07:33 AM
to Wazuh mailing list
Hi Stuart,

Thank you very much for all the information provided.
Our team will try to reproduce your issue and develop a solution.

I will notify you of further updates regarding this.

Best regards,
Miguel R.

Victor Fernandez

Dec 17, 2018, 6:21:58 AM
to Miguel Ruiz, Wazuh mailing list
This is commonly an architecture incompatibility. Every message between the agent and the manager has a header containing the size of the message. The problem is that the interpretation of this data depends on the architecture: Intel architectures use little-endian and SPARC uses big-endian.

Endianness incompatibility was a known bug in Wazuh and it was fixed in version 2.1.1. However, we detected an issue in the endianness detection that affects Solaris 11. We have fixed it in Wazuh v3.7.1, please upgrade your agent and let us know if this solves the problem.

If you are compiling the agent on a SPARC architecture on your own, please remember to enable the flag USE_BIG_ENDIAN:
# Go to the sources folder
cd wazuh/src

# Download the external dependencies
make deps

# Compile the agent, force big-endian
make TARGET=agent USE_BIG_ENDIAN=yes

# Install the agent
cd ..
./install.sh
Hope it helps.
Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com


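To make the endianness explanation above concrete, here is an added illustration; it is not part of the original thread and not Wazuh code. It assumes a 4-byte unsigned length header in front of each message and a manager-side maximum accepted size (MAX_MESSAGE_SIZE, an illustrative value chosen here); the real header layout and limit in Wazuh may differ. It shows what the manager reads when a big-endian SPARC agent writes the header in host byte order and a little-endian x86 manager parses it, and the fix of agreeing on one wire byte order regardless of host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wazuh code. Assumptions: a 4-byte unsigned length
 * header precedes every message, and the manager rejects any announced
 * size above MAX_MESSAGE_SIZE. Both are illustrative values. */
#define MAX_MESSAGE_SIZE 65536u

/* Runtime endianness check: on a big-endian host the first byte in memory
 * of a uint32_t holding 1 is 0; on a little-endian host it is 1. */
int host_is_big_endian(void) {
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

/* The buggy scheme: serialize the header in the *host's* byte order. */
static void put_u32_host(unsigned char out[4], uint32_t v, int big_endian) {
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        out[i] = (unsigned char)(v >> shift);
    }
}

static uint32_t get_u32_host(const unsigned char in[4], int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)in[i] << shift;
    }
    return v;
}

/* Size the receiver sees when a header written on a host with one
 * endianness is parsed on a host with the other (or the same). */
uint32_t announced_size(uint32_t real_size, int sender_big_endian,
                        int receiver_big_endian) {
    unsigned char hdr[4];
    put_u32_host(hdr, real_size, sender_big_endian);
    return get_u32_host(hdr, receiver_big_endian);
}

/* 1 if the manager would log "Too big message size", 0 if it accepts. */
int manager_rejects(uint32_t real_size, int sender_big_endian,
                    int receiver_big_endian) {
    return announced_size(real_size, sender_big_endian, receiver_big_endian)
           > MAX_MESSAGE_SIZE;
}

/* The fix: pick one wire order (little-endian here) and convert on both
 * sides, whatever the host is. These never touch host byte order. */
void put_u32_wire(unsigned char out[4], uint32_t v) { put_u32_host(out, v, 0); }
uint32_t get_u32_wire(const unsigned char in[4]) { return get_u32_host(in, 0); }

int main(void) {
    uint32_t n = 100; /* constructed sample: a 100-byte agent message */
    unsigned char hdr[4];

    printf("this host is %s-endian\n", host_is_big_endian() ? "big" : "little");
    printf("SPARC agent -> x86 manager: %u bytes announced as %u (%s)\n",
           (unsigned)n, (unsigned)announced_size(n, 1, 0),
           manager_rejects(n, 1, 0) ? "Too big message size" : "accepted");

    put_u32_wire(hdr, n);
    printf("fixed wire order on any host: %u\n", (unsigned)get_u32_wire(hdr));
    return 0;
}
```

Built with any C99 compiler (for example `cc -std=c99 endian_demo.c`), it reports that 100 bytes framed by a big-endian sender is read as 1677721600 by a little-endian receiver, a value any sane size limit rejects with exactly the error in this thread, while the wire-order helpers round-trip the same header correctly regardless of which host produced it.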

nOBEL jUNG

Dec 17, 2018, 6:49:42 PM
to Wazuh mailing list
Hello,

I would also like to compile the source on AIX and HP-UX on my own. How do I compile those agents on those servers?

Many thanks,

N.J


alberto....@wazuh.com

Dec 21, 2018, 3:50:17 AM
to Wazuh mailing list
Hello

  • HP-UX: Wazuh version 3.5 or higher

# Go to the sources folder
cd wazuh/src

# Download the external dependencies
gmake deps

# Compile the agent
gmake TARGET=agent RESOURCES_URL=http://packages.wazuh.com/deps/3.5

# Install the agent
cd ..
./install.sh

  • AIX 5:

# Go to the sources folder
cd wazuh/src

# Download the external dependencies
gmake deps RESOURCES_URL=http://packages.wazuh.com/deps/3.5

# Compile the agent
gmake TARGET=agent DISABLE_SYSC=yes

# Install the agent
cd ..
./install.sh

  • AIX 6 or higher:

# Go to the sources folder
cd wazuh/src

# Download the external dependencies
gmake deps RESOURCES_URL=http://packages.wazuh.com/deps/3.5

# Compile the agent
gmake TARGET=agent

# Install the agent
cd ..
./install.sh


I invite you to consider using the pre-compiled packages that we offer. As you can see in the link below, we build an RPM for AIX and a precompiled package for HP-UX:


If you have any doubt, please let us know. 

Best regards, 