My agentless machine doesn't send logs to my manager.


zw...@korea.ac.kr

Apr 23, 2019, 9:28:37 PM
to Wazuh mailing list
My agentless host is a Smoothwall firewall device.

The manager's ossec.conf setting is:

 <agentless>
    <type>ssh_generic_diff</type>
    <frequency>600</frequency>
    <host>ro...@192.168.0.88:222</host>
    <state>periodic_diff</state>
    <arguments>ls -al /etc; cat /etc/passwd</arguments>
  </agentless>

and I restarted ossec-control, and my ossec.log is:


2019/04/24 10:20:28 ossec-agentlessd: INFO: ssh_generic_diff: ro...@192.168.0.88:222: Starting.
2019/04/24 10:21:11 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2019/04/24 10:21:16 ossec-syscheckd: INFO: Ending syscheck scan. Database completed.
2019/04/24 10:21:19 rootcheck: INFO: Ending rootcheck scan.

But after I changed the /etc folder on my agentless host (created a directory, created a file), no log shows up in my alerts.log file.

Can you help me? 

daniel...@wazuh.com

Apr 25, 2019, 7:27:12 AM
to Wazuh mailing list

Hello zwish,


I’ve checked your configuration and it looks correct.


You’ve set the frequency value to 600; this means you will get alerts every 10 minutes if the result of the commands you’ve set in the arguments option changes from the last result.


If you create a new directory or file inside /etc you will be informed the next time the manager checks it.


It’s important to keep in mind that the agentless device doesn’t send the logs to the manager; it is the manager that makes a new ssh connection and then executes the commands to get the results and analyze them.


Remember you need to restart the manager every time you change your ossec.conf file in order to get the changes applied.


You can get further information about agentless monitoring here: https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/index.html


You could also enable syslog in the device. This way it will forward the logs to the manager, where they will be parsed by the ruleset so alerts can be triggered.


The manager has to be configured to receive these logs; you need to create a <remote> section inside your ossec.conf file in the manager.

This section should look like:


<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.2.0/24</allowed-ips>
</remote>


Here you specify the IPs you want to allow and the rest of the options, such as the protocol and port.


You may check for further information about it here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html?highlight=syslog#remote-syslog


Hope this information helps you and don’t hesitate to ask us again.

Regards.
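The periodic_diff behaviour Daniel describes (the manager runs the <arguments> commands itself, stores the output, and alerts only when a later run's output differs) can be reproduced locally. The script below is an added example, not Wazuh's own code: it runs the command string with sh -c on the manager host instead of over ssh, keeps the previous output in a state file you name (not in the manager's own queue directory), and reports "baseline" on the first pass, "unchanged" when the output matches, and "changed" when it does not, which is the case that produces an alert. The demo directory and commands at the bottom are constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not Wazuh's own code: a local stand-in for the manager's
# ssh_generic_diff + periodic_diff behaviour. Each call runs the configured
# command string, compares the output with the output stored from the
# previous call, and reports "baseline", "unchanged" or "changed".
# Assumption: commands run locally instead of over ssh to the device, and the
# state lives in a file passed by the caller, not in /var/ossec/queue/agentless.

# Run the command string the way the <arguments> option would be run.
run_commands() {
    sh -c "$1" 2>&1
}

# $1 = state file holding the previous output, $2 = command string.
# Prints one word on stdout; "changed" is the case that would raise an alert.
periodic_diff_check() {
    state_file=$1
    commands=$2
    current=$(mktemp)
    run_commands "$commands" > "$current"

    if [ ! -f "$state_file" ]; then
        # First pass: nothing to compare against, just store the baseline.
        mv "$current" "$state_file"
        echo baseline
        return 0
    fi

    if diff -u "$state_file" "$current" > "$state_file.diff"; then
        # Identical output: no alert this period.
        rm -f "$current" "$state_file.diff"
        echo unchanged
        return 0
    fi

    # Output differs: keep the diff (what the alert shows) and the new state.
    mv "$current" "$state_file"
    echo changed
    return 0
}

# Stand-alone demo on a constructed directory, safe to run on any host.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/etc"
echo "demo" > "$demo_dir/etc/hosts"
demo_cmd="ls -1 $demo_dir/etc; cat $demo_dir/etc/hosts"
echo "first run:    $(periodic_diff_check "$demo_dir/state" "$demo_cmd")"
echo "second run:   $(periodic_diff_check "$demo_dir/state" "$demo_cmd")"
mkdir "$demo_dir/etc/newdir"
echo "after change: $(periodic_diff_check "$demo_dir/state" "$demo_cmd")"
rm -rf "$demo_dir"
```

Note that with the thread's own argument `ls -al /etc`, any change to an entry's size, owner or mtime also changes the listing, so the diff reflects more than the creation of new files; the state file is only updated after a change has been reported, so a second run after the same change reports "unchanged" again, exactly as the manager would stay silent until the next difference.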


zw...@korea.ac.kr

Apr 30, 2019, 12:58:33 AM
to Wazuh mailing list


Hello Daniel, I fixed this situation.

After I changed the port to 22 in my Smoothwall device, ossec.conf and register_host.sh, I can see logs.

But I have a question: if I change the port to another number, does this work?

I think another number doesn't work. Can you check this and answer, please?



Juan Carlos

Apr 30, 2019, 5:08:27 AM
to Wazuh mailing list
Hello zwish,

You can configure the non-standard port by using a config file placed in /var/ossec/.ssh/config with a content similar to:

host smoothwall
  user root
  port 222
  hostname 192.168.0.88

You will need to allow this file and directory to be readable by the ossec group:
chown ossec:ossec /var/ossec/.ssh -R

And configure the host as:
/var/ossec/agentless/register_host.sh add smoothwall example_password

and the ossec.conf file as:
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>600</frequency>
  <host>smoothwall</host>
  <state>periodic_diff</state>
  <arguments>ls -al /etc; cat /etc/passwd</arguments>
</agentless>

Best Regards,
Juan Carlos Tello

zw...@korea.ac.kr

May 2, 2019, 12:43:16 AM
to Wazuh mailing list
Thank you Juan.

I did follow your answer.

But I don't have a config file in the .ssh directory, so I made it and entered my config.

After I restarted the Wazuh manager, I encountered my problem above.

The passed log is shown, but I can't see any agentless logs.

Juan Carlos

May 6, 2019, 5:25:59 AM
to Wazuh mailing list
Hello zwish,

So you are able to see the logs if the device's port is 22 but not 222 when configured using the /var/ossec/.ssh/config file?

In order to better debug this you may run the agentless binary in debug mode:
/var/ossec/bin/ossec-agentlessd -ddf
This will provide feedback on each step taken by the agentless daemon. Take into account that there is a waiting period for several of the steps, so you may need to wait a couple of minutes to observe the full trace of activity.


Best Regards,
Juan Carlos Tello

박신우 [Undergraduate / Department of Computer Convergence Software]

May 13, 2019, 8:08:46 PM
to Wazuh mailing list
Hello Juan,

[attachment: 캡처.PNG]

I ran /var/ossec/bin/ossec-agentlessd -ddf, and the result is in the picture above.

My ossec.conf file and .ssh/config file are pictured below.

[attachment: 캡처2.PNG]

[attachment: 캡처1.PNG]

[attachment: 3.PNG]

The ./agent-control result is in the picture above.


I don't know why my agentless ID and IP are '<na>'.


I think my configuration is all right.


Can you give me some hints?


Daniel Moreno

May 14, 2019, 8:54:34 AM
to Wazuh mailing list

Hello Zwish,


The agentless daemon is telling us it is not able to connect to the device, so it’s possible there is an issue with the configuration.

Did you place your ssh config file in the path /var/ossec/.ssh/config ?

Can you check the connectivity from Wazuh to the agentless device?


It is possible to check it by calling the ssh command in your machine this way:


sudo -u ossec ssh smoothwall


If it doesn’t work check the connectivity from your machine to the agentless device this way:


sudo ssh user@hostname -p port


Keep in mind you must replace “user”, “hostname” and “port” with the values used in the config file.


Regards.
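Juan Carlos's ssh config stanza for the non-standard port and Daniel's connectivity check above can be tied together in one small diagnostic. The script below is an added example, not Wazuh's own code: it reads the Host stanza for a given alias out of an ssh config file (so it can be pointed at /var/ossec/.ssh/config on the manager, or at any test file), reports the User, Port and HostName the daemon will actually use, and prints the equivalent `ssh -p port user@hostname` command that Daniel suggests running as the ossec user. It assumes "Option value" lines with one alias per Host line; a stanza with no HostName is reported as an error, since a mis-pasted config (for example, the option name and its value ending up on separate lines) is one way the daemon ends up unable to connect. The sample config at the bottom is constructed to mirror the one in this thread.

```shell
#!/bin/sh
# Added example, not Wazuh's own code: look up what the manager will use from
# an ssh config file for an agentless host alias, and build the ssh command
# for a manual connectivity test. Assumptions: "Option value" lines (not
# "Option=value"), one alias per Host line, config path passed by the caller.

# $1 = ssh config file, $2 = Host alias, $3 = option name (case-insensitive).
# Prints the option's value from that alias's stanza, or nothing if absent.
ssh_config_get() {
    key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    awk -v want="$2" -v key="$key" '
        { sub(/#.*/, "") }                                   # drop comments
        NF == 0 { next }                                     # skip blank lines
        tolower($1) == "host" { inblock = ($2 == want); next }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# $1 = ssh config file, $2 = Host alias.
# Prints the ssh command that reproduces the connection the agentless daemon
# attempts; run it on the manager as "sudo -u ossec ...". A stanza without a
# HostName is reported as an error instead of silently falling back to the alias.
agentless_ssh_command() {
    cfg=$1
    host_alias=$2
    user=$(ssh_config_get "$cfg" "$host_alias" User)
    port=$(ssh_config_get "$cfg" "$host_alias" Port)
    target=$(ssh_config_get "$cfg" "$host_alias" HostName)
    if [ -z "$target" ]; then
        echo "error: no HostName for $host_alias in $cfg"
        return 1
    fi
    # BatchMode=yes makes a key or authentication problem fail immediately
    # instead of waiting on a password prompt, which is what the daemon sees.
    echo "ssh -o BatchMode=yes -p ${port:-22} ${user:+$user@}$target"
}

# Stand-alone demo on a constructed config file mirroring the thread's stanza.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host smoothwall
    User root
    Port 222
    HostName 192.168.0.88
EOF
echo "sudo -u ossec $(agentless_ssh_command "$demo_cfg" smoothwall)"
rm -f "$demo_cfg"
```

On a real manager, point the functions at /var/ossec/.ssh/config and keep Juan Carlos's ownership step (chown ossec:ossec /var/ossec/.ssh -R) in place, since the lookup runs as your user but the daemon reads the file as ossec; if the printed command succeeds as the ossec user while ossec-agentlessd -ddf still reports a connection failure, the remaining difference is the host registered with register_host.sh, which must match the alias in the <host> option.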
