Configure Wazuh Agent on Macbook / Firewall issue

Luke Lee

Apr 2, 2019, 5:29:33 AM
to Wazuh mailing list
Hi all, 

I have installed and configured the wazuh-agent on my MacBook. But when I try to connect to the server which hosts the Wazuh manager, I encounter the following error.

ossec-agentd start_agent.c:200 st start_agent(): DEBUG: Connection socket: Resources temporarily unavailable.

Is it because the firewall port on my MacBook is not opened properly? Or is it due to another configuration issue?

juan....@wazuh.com

Apr 2, 2019, 8:20:33 AM
to Wazuh mailing list

Hi Luke Lee:

That line is not an error; it is just a warning message that says that "When using UDP, the socket may be empty when read by the agent, since it is not an established connection."

Please check the actual status of the agent by running `sudo launchctl list | grep wazuh` and write the output here.

Also, answer the following questions so we can check if the configuration is correct:

    - Are you using TCP or UDP? You can check it in the `<global>` section of the `ossec.conf` file.
    - When do you get the warning? With what frequency do you get it?
    - Are the agents correctly connected?
   
Best regards.

Luke Lee

Apr 2, 2019, 10:18:27 PM
to Wazuh mailing list
Hi Juan, 

Thanks for your reply. 

I tried to run the "sudo launchctl list | grep wazuh" command on my MacBook, but there is no output from it. And I have edited the pf.conf file by adding these 2 lines to it.

> pass in proto tcp from any to any port 1514
> pass in proto udp from any to any port 1514


Meanwhile I also turned off the system firewall, but still I am not able to connect to Wazuh. Please advise. 

Luke Lee

Apr 2, 2019, 11:02:51 PM
to Wazuh mailing list
I got these logs from here: cd /Library/Ossec/bin    -->   ./ossec-agentd -df

juan....@wazuh.com

Apr 3, 2019, 4:40:18 AM
to Wazuh mailing list

I need you to tell me the errors shown in the ossec.log. The file should be placed in "/Library/Ossec/logs/ossec.log" but it might be different depending on your installation folder.

Best regards.

Luke Lee

Apr 3, 2019, 5:09:34 AM
to Wazuh mailing list
Hi, there are these notifications:

ossec-agentd:WARNING: (4101) : Waiting for server reply (not started). Tried: 'wazuhserverIP".
INFO: Trying to connect to server (serverip:1514/udp). 

Does this help? The rest of the logs don't help.

juan....@wazuh.com

Apr 3, 2019, 6:37:15 AM
to Wazuh mailing list
Hi Luke Lee:

It seems that you have a connection problem. Let's check if all your connections work properly:

On the manager's side:

    - Check if the manager is running:
           ps -xa | grep ossec

      You should get an output like this:

    - Is remoted listening on the port correctly?
           # netstat -tunap | grep ossec

      You should get an output like this:

    - Is the agent registered? Try executing:
           #  /Library/Ossec/bin/agent_control -l


On the agent's side:

    - Check the connection with the manager:
           nc -vu MANAGER_IP 1514

Let me know the output of all these commands, please.

Best regards.

jesus.g...@wazuh.com

Apr 3, 2019, 12:20:50 PM
to Wazuh mailing list

Hi guys,

The command for listing agents is wrong; it should be as follows:

/var/ossec/bin/agent_control -l

An example output:

Wazuh agent_control. List of available agents:
   ID: 000, Name: master (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent, IP: 172.16.1.20, Disconnected
   ID: 002, Name: agentwin2, IP: 172.16.1.21, Disconnected
   ID: 003, Name: pop-os, IP: 172.16.1.1, Active

List of agentless devices:

In addition, you can use the Wazuh API as follows:

curl "foo:bar@localhost:55000/agents?pretty&select=status,name"

And the example output for my environment:

{
   "error": 0,
   "data": {
      "items": [
         {
            "name": "master",
            "id": "000",
            "status": "Active"
         },
         {
            "name": "agent",
            "id": "001",
            "status": "Disconnected"
         },
         {
            "name": "agentwin2",
            "id": "002",
            "status": "Disconnected"
         },
         {
            "name": "pop-os",
            "id": "003",
            "status": "Active"
         }
      ],
      "totalItems": 4
   }
}

Some useful links:

Regards,
Jesús

Luke Lee

Apr 3, 2019, 10:05:35 PM
to Wazuh mailing list
Hi, below are the results 

/var/ossec/bin/agent_control -l
> ...... this machine is, Never connected.

curl "foo:bar@localhost:55000/agents?pretty&select=status,name"
> event not found



Is this normal?

Luke Lee

Apr 3, 2019, 10:10:51 PM
to Wazuh mailing list
Hi Juan, 

The rest are listed as per normal. 

nc -vu MANAGER_IP 1514

>> found  0  associations 
found  1 connections: 

           1: flags=82<CONNECTED,PREFERRED> 
               outif (null)
               src MacBk IP port 63039
               dst server IP port 1514 
               rank info not available 

Connection to server IP port 1514 [udp/fujitsu-dtcns] succeeded ! 

Luke Lee

Apr 3, 2019, 10:41:37 PM
to Wazuh mailing list
Hi,

I did this test on the Wazuh server and found these. 

cat /var/ossec/logs/ossec.log | grep -i -E '(error|warn)'

> Banner not received from the server 
> Error Sending email to ..... (smtp server)


Is this related?

Luke Lee

Apr 3, 2019, 11:36:18 PM
to Wazuh mailing list
Hi, when I try to inspect the site for this agent, I found this error msg from the console. 

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SHHSeLc0bp6xt4BoVVyUy+3IbVqp3ujLaR+s+kSP5UI='), or a nonce ('nonce-...') is required to enable inline execution.

Luke Lee

Apr 4, 2019, 2:13:40 AM
to Wazuh mailing list
Hi, 

Ossec_server.PNG

I realized that when I do a telnet from my server to the MacBook, it shows me this. Does it mean that my MacBook port is still not properly open?

How should I open the port on my MacBook?

Sergio Peral

Apr 4, 2019, 11:31:00 AM
to Wazuh mailing list
Hi Luke Lee,

Seems like telnet has been removed from modern versions of OSX. If this is your case, you can head to the following site where it's explained how to get it back:


Regards,
Sergio.

Luke Lee

Apr 4, 2019, 9:33:06 PM
to Wazuh mailing list
Hi Sergio, thanks for your reply. But will this be a factor that is causing my Wazuh server to be unable to get information from the Mac agent?

Sergio Peral

Apr 8, 2019, 12:13:11 PM
to Wazuh mailing list
Hi Luke,

I don't think telnet is related to our problem, so let's better forget about it.

• Could you please check if <MANAGER_IP> is correctly set in your ossec.conf?
• Could you check if it's a UDP issue? Replace udp with tcp in ossec.conf, <remote> section, <protocol> tag.

Regards,
Sergio.

Luke Lee

Apr 11, 2019, 2:43:57 AM
to Wazuh mailing list
Hi, 

I have tried both and restarted the service. May I know what is the best way to troubleshoot this problem?

Based on the test, the firewall is now open. 

Luke Lee

Apr 15, 2019, 3:01:48 AM
to Wazuh mailing list
Hi all, 

I have this log file from the agent machine.

2019/04/15 15:00:05 ossec-agent: INFO: Monitoring directory: 'c:\windows\system32\winrm.vbs', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode | attributes.
2019/04/15 15:00:05 ossec-agent: INFO: Monitoring directory: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | realtime | mtime | inode | attributes.
2019/04/15 15:00:05 ossec-agent: INFO: Ignoring sregex: '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2019/04/15 15:00:05 ossec-agent: INFO: Ignoring registry: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2019/04/15 15:00:05 ossec-agent: INFO: Ignoring registry: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2019/04/15 15:00:05 ossec-agent: INFO: Ignoring registry sregex: '\Enum$'
2019/04/15 15:00:05 ossec-agent: INFO: Started (pid: 133980).
2019/04/15 15:00:25 ossec-agent: WARNING: (4101): Waiting for server reply (not started). Tried: '10.0.106.144'.
2019/04/15 15:00:27 ossec-agent: INFO: Trying to connect to server (10.0.106.144:5910/udp).

Kindly advise. 

Sergio Peral

Apr 24, 2019, 11:25:46 AM
to Wazuh mailing list
Hi Luke,

The following log leads me to ask you something:
2019/04/15 15:00:27 ossec-agent: INFO: Trying to connect to server (10.0.106.144:5910/udp).

Could you check your <remote> section in your manager's ossec.conf and check that the used <port> is 1514?

Regards,
Sergio.
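
The port check asked for in the last reply can be done mechanically. The following is an added example, not part of the original thread and not Wazuh project code: it pulls the destination the agent reports in its log and compares it with the `<port>` and `<protocol>` of the manager's `<remote>` section. The function names are hypothetical, the config fragment is constructed, and the fallback values for unset tags are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Agent log line format as quoted in the thread.
CONNECT_RE = re.compile(
    r"Trying to connect to server \((?P<host>[^:()]+):(?P<port>\d+)/(?P<proto>tcp|udp)\)")

def agent_targets(log_text):
    """(host, port, proto) tuples the agent reports trying to reach."""
    return {(m["host"], int(m["port"]), m["proto"])
            for m in CONNECT_RE.finditer(log_text)}

def manager_listeners(conf_text):
    """(port, proto) pairs of the manager's agent-facing <remote> sections."""
    # ossec.conf may hold several <ossec_config> blocks: wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    listeners = set()
    for remote in root.iter("remote"):
        # Assumption: unset tags fall back to secure / 1514 / udp.
        if (remote.findtext("connection") or "secure").strip() != "secure":
            continue  # syslog listeners do not serve agents
        port = int((remote.findtext("port") or "1514").strip())
        protos = (remote.findtext("protocol") or "udp").lower().split(",")
        listeners.update((port, p.strip()) for p in protos)
    return listeners

def mismatches(log_text, conf_text):
    """Agent targets that no manager listener matches on port and protocol."""
    listeners = manager_listeners(conf_text)
    return sorted(t for t in agent_targets(log_text) if t[1:] not in listeners)

# Log lines from the thread; the manager config fragment is constructed.
SAMPLE_LOG = """\
2019/04/15 15:00:25 ossec-agent: WARNING: (4101): Waiting for server reply (not started). Tried: '10.0.106.144'.
2019/04/15 15:00:27 ossec-agent: INFO: Trying to connect to server (10.0.106.144:5910/udp).
"""
SAMPLE_CONF = """\
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
</ossec_config>
"""

if __name__ == "__main__":
    for host, port, proto in mismatches(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{host}:{port}/{proto} not in {sorted(manager_listeners(SAMPLE_CONF))}")
```

An empty result from `mismatches` means the port and protocol agree on both sides, so the remaining suspects are the manager address, agent registration and filtering in between.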