Wazuh conflicts with imunify360


Shrikant Mhatre (श्री)

Feb 28, 2023, 2:03:26 AM
to Wazuh mailing list
Hi there,

We have Almalinux servers with imunify360 running on them already.

We also want the Wazuh 4.13 (current) version to run along with it, but during the installation from source the install.sh script checks for the presence of the file "/etc/ossec-init.conf", which has the installation path "/var/ossec" that was installed by imunify360 in Server mode.

cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="3.x.x"
DATE="Wed Dec 10 14:52:06 UTC 2022"
TYPE="server"

Just wanted to know how we can, or what arguments we can give, to do the Wazuh installation from source in a way that avoids the conflict.

I have been trying to compile the agent using the below argument from the src directory:

make deps PREFIX=/opt/ossec && make PREFIX=/opt/ossec TARGET=agent

After this I run the ./install.sh script, which reads /etc/ossec-init.conf and informs me that there is already a version of ossec installed in /var/ossec.

I would like to know whether it is possible to run multiple instances of ossec on a single server, one as a server and one as an agent?

Any help on this will be really appreciated.

Kevin Ledesma

Mar 14, 2023, 1:29:32 PM
to Wazuh mailing list
Hello Shrikant!

How are you doing?

It is not supported to have two Wazuh instances in the same system. Anyway, the manager itself comes with an agent; you can see it under the ID 000 in the agent_control binary (run on the manager system: /var/ossec/bin/agent_control -l). It won't be displayed as an agent in the dashboard, but you will be able to see the alerts raised by it. There is a GitHub issue about a related topic that you can check: #6038

Have a great day!

Shrikant Mhatre (श्री)

Mar 17, 2023, 2:38:36 PM
to Wazuh mailing list
Thank you very much Kevin,

I thought I would get a workaround, but it seems it's the way it is.

Will talk to the imunify360 team to see if there is a workaround, because we are not able to monitor the machines which have imunify360 installed.

Anyway, thank you very much for pointing me to the GitHub issue, will go through it.

Have a great time!

Shrikant Mhatre (श्री)

Mar 17, 2023, 4:08:41 PM
to Wazuh mailing list
Hey Kevin,

I did this and it worked.

Tar-gzipped the /var/ossec directory on a similar Almalinux server (same version, AlmaLinux release 8.7 (Stone Smilodon)) which was running the wazuh-agent without imunify360 installed.

Copied it to the server which had imunify360 installed.

Extracted all the content in the /opt/ directory.
Then I had the directory /opt/ossec.
Ran the commands below to delete the files which had entries for the host I copied the directory from:
rm -f  /opt/ossec/etc/client.keys
rm -f /opt/ossec/queue/syscollector/db/local.db
rm -rf /opt/ossec/queue/sockets/.agent_info
rm -rf /opt/ossec/queue/fim/db/fim.db

Created a user wazuh with the /sbin/nologin shell and /opt/ossec as the home directory:
useradd -m -s /sbin/nologin -d /opt/ossec wazuh

This created the user wazuh.
Well, I have to set a password, set a complex password, but since it's a nologin shell it will take care of it for the time being, until I figure out how to manually create the user "wazuh" the correct way.

chown -R wazuh:wazuh  /opt/ossec

Ran the command:

# /opt/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


# /opt/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

And my wazuh-agent started reporting to the wazuh manager without any issues, with imunify360 running alongside the wazuh-agentd service.

Now I have to figure out:
1. Making a systemctl script for wazuh-agentd.
2. Enabling it at boot.
3. If this worked, then compiling the binaries from source for a particular operating system and then moving the binaries to their respective directories will work too.
4. Creating the wazuh user the proper way to keep it secure.

Hope this helps someone who is looking for a solution to run two ossec instances on the same server side by side.

Best regards

./shri
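
The cleanup step from the post above, as an added example (not part of the original thread and not Wazuh's own tooling): a POSIX shell helper that removes the four per-host files from a copied agent tree, refuses to touch the `/var/ossec` tree, and reports anything left behind. The function names, the optional second argument and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scrub the source host's state from a copied Wazuh agent tree.
# The four relative paths are the ones deleted in the post above.
HOST_STATE="etc/client.keys
queue/syscollector/db/local.db
queue/sockets/.agent_info
queue/fim/db/fim.db"

# scrub_agent_clone PREFIX [PROTECTED]
# PROTECTED defaults to /var/ossec, the tree imunify360 owns in this thread.
# Exit codes (assumed for this example): 2 bad prefix, 3 protected, 4 no agent.
scrub_agent_clone() (
  [ -n "$1" ] || exit 2
  prefix=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || exit 2
  protected=${2:-/var/ossec}
  # Resolve symlinks when the protected tree exists, so a link to it is caught.
  protected=$(CDPATH= cd -- "$protected" 2>/dev/null && pwd -P || printf '%s' "$protected")
  if [ "$prefix" = "$protected" ]; then
    echo "refusing to modify $protected" >&2
    exit 3
  fi
  if [ ! -x "$prefix/bin/wazuh-control" ]; then
    echo "no bin/wazuh-control under $prefix" >&2
    exit 4
  fi
  for rel in $HOST_STATE; do
    rm -rf -- "${prefix:?}/$rel"
  done
)

# leftover_host_state PREFIX
# Prints every per-host path still present; status 1 if any was found.
leftover_host_state() (
  found=0
  for rel in $HOST_STATE; do
    if [ -e "$1/$rel" ]; then
      echo "$1/$rel"
      found=1
    fi
  done
  exit "$found"
)
```

Removing `etc/client.keys` matters most: that file holds the source agent's ID and key, so a copy that keeps it would present itself to the manager as the source host.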

Muhamad Tuhfatur Roziqin

Feb 12, 2024, 8:45:21 AM
to Wazuh | Mailing List
Hi shri,

Could you please inform the step-by-step process of the installation again?
I am having difficulty understanding the steps from your comment.
Thank you.