Client-agent from source on OpenBSD


Simon Slaytor

Sep 12, 2017, 2:34:16 PM
to Wazuh mailing list
Hey Folks,

I'm a long time OSSEC user, loving the direction Wazuh is taking this already great platform!

I could however do with some help. I have installed the client-agent from source on an OpenBSD 5.9 AMD64 box, after adding gmake to the base box the compile completes and I have the agent installed. 

However if I try and start the agent I'm presented with the following error, as you can see I've tried both the stable and master branches to see if this issue has been solved.

# ./ossec-control start
Starting Wazuh v3.0.0-beta8 (maintained by Wazuh Inc.)...
Started ossec-execd...
Started wazuh-modulesd...
2017/09/12 19:22:01 ossec-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
Started ossec-agentd...
Started ossec-logcollector...
2017/09/12 19:22:04 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:04 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:12 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:12 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:25 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:25 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start


If I try and start the agent daemon directly I get:

# /var/ossec/bin/ossec-agentd -df
2017/09/12 19:31:29 ossec-agentd: DEBUG: (1228): Element 'log_format' without any option.
2017/09/12 19:31:29 ossec-agentd: DEBUG: Starting ...
2017/09/12 19:31:29 ossec-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2017/09/12 19:31:29 ossec-agentd: INFO: Version detected -> OpenBSD SERVIIO-OBSD.slaytor.com 5.9 GENERIC.MP#1888 amd64 [BSD|bsd: 5.9] - Wazuh v3.0.0-beta8
2017/09/12 19:31:29 ossec-agentd: INFO: (1410): Reading authentication keys file.
2017/09/12 19:31:29 ossec-agentd: CRITICAL: randombytes failed for all possible methods for accessing random data
#

Tail of the ossec.log

# tail -n 10 /var/ossec/logs/ossec.log
2017/09/12 19:22:12 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:12 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:25 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/09/12 19:22:25 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2017/09/12 19:31:29 ossec-agentd: DEBUG: (1228): Element 'log_format' without any option.
2017/09/12 19:31:29 ossec-agentd: DEBUG: Starting ...
2017/09/12 19:31:29 ossec-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2017/09/12 19:31:29 ossec-agentd: INFO: Version detected -> OpenBSD SERVIIO-OBSD.slaytor.com 5.9 GENERIC.MP#1888 amd64 [BSD|bsd: 5.9] - Wazuh v3.0.0-beta8
2017/09/12 19:31:29 ossec-agentd: INFO: (1410): Reading authentication keys file.
2017/09/12 19:31:29 ossec-agentd: CRITICAL: randombytes failed for all possible methods for accessing random data

Any pointers would be greatly appreciated.

Simon

Santiago Bassett

Sep 12, 2017, 3:29:32 PM
to Simon Slaytor, Wazuh mailing list
Hi Simon,

interesting, it looks like agentd is not starting due to the error: 

"2017/09/12 19:31:29 ossec-agentd: CRITICAL: randombytes failed for all possible methods for accessing random data"

Our devel team will take a look at it and try to get it fixed soon. We will keep you posted,

Santiago.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3aa39c38-0a17-4ec4-a390-1acfe9558073%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Victor Fernandez

Sep 12, 2017, 5:55:57 PM
to Santiago Bassett, Simon Slaytor, Wazuh mailing list
Hi Simon and Santiago,

you're right: the random number generator was not working correctly in agents on OpenBSD. Sorry for this inconvenience. 

I have just fixed it in the branches master and 3.0 (they are currently the same branch). Please keep in mind that version 3.0 is a development branch; if you want to use Wazuh agents in a production environment, I recommend that you consider using the branch stable or 2.1.

Hope it helps.

Best regards,
Victor.







--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

Simon Slaytor

Sep 13, 2017, 4:33:05 AM
to Wazuh mailing list
Perfect thank you!

Yes I would normally follow 'Stable', I only jumped to 'Master' in case it was a known bug already and had been fixed upstream.

I have just pulled the latest master from GIT and confirm that the client now compiles and starts correctly :)

Victor Fernandez

Sep 13, 2017, 5:45:52 AM
to Simon Slaytor, Wazuh mailing list
I'm glad it works.

Thank you for letting me know.

Best regards.
Victor.


penelo...@gmail.com

Nov 27, 2017, 3:59:45 PM
to Wazuh mailing list
Hello Everyone,

I downloaded 3.0.0-rc1 today and installed it on a Linux client (RHEL 7) as agent. After the installation was over, I tried to ./ossec-control start, but received the same error:
Could someone please make sure this is corrected, or am I making a mistake?

Thank you,

Luis


[root@client wazuh-3.0.0-rc1]# /var/ossec/bin/./ossec-control start
Starting Wazuh v3.0.0-rc1 (maintained by Wazuh Inc.)...
Started ossec-execd...
Started wazuh-modulesd...
2017/11/27 15:40:48 ossec-agentd: INFO: Using notify time: 60 and max time to reconnect: 300
Started ossec-agentd...
Started ossec-logcollector...
2017/11/27 15:40:51 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/11/27 15:40:51 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/11/27 15:40:59 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/11/27 15:40:59 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/11/27 15:41:12 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2017/11/27 15:41:12 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start

Victor Fernandez

Nov 27, 2017, 4:12:10 PM
to penelo...@gmail.com, Wazuh mailing list
Hi Penelope,

this problem may be a client configuration issue. Just to rule out, did you set the server address in the installer prompt?

Edit the file /var/ossec/etc/ossec.conf:

$ sudo nano /var/ossec/etc/ossec.conf

If the <address> setting is empty or invalid, like this:

<ossec_config>
  <client>
    <server>
      <address></address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>centos, centos7</config-profile>
    <notify_time>60</notify_time>
    <time-reconnect>300</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>
<!-- (...) -->

Then you should fill it with the address (IP or host name) of the server that the agent is going to connect to.

Please check this setting and try to restart the agent.

Hope it helps.

Best regards,
Victor.
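
Added example (not part of the thread and not Wazuh code): in both reports above, the same 1210/1211 queue errors from ossec-syscheckd had different causes, an ossec-agentd CRITICAL line in one and an empty <address> in the other. This sketch checks for both; the function names, the 192.0.2.10 address and the closed-off config string are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

AGENTD_CRITICAL = re.compile(r"ossec-agentd: CRITICAL: (.*)")
QUEUE_ERROR = re.compile(r"\((?:1210|1211)\):")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"(?=.{1,253}$)%s(?:\.%s)*$" % (LABEL, LABEL))

def address_ok(value):
    """True if value is an IP address or a syntactically valid host name."""
    value = (value or "").strip()
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # Digits-and-dots that failed IP parsing (e.g. 10.0.0.999) are typos.
        return bool(HOSTNAME.match(value)) and not re.fullmatch(r"[\d.]+", value)

def bad_server_addresses(conf_text):
    """Return <client><server><address> values that are empty or invalid."""
    # ossec.conf may hold several <ossec_config> blocks; wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = root.findall("./ossec_config/client/server/address")
    if not found:
        return ["<no address element>"]
    return [(a.text or "").strip() for a in found if not address_ok(a.text)]

def triage(log_lines, conf_text):
    """Name the likely cause behind the 1210/1211 queue errors."""
    findings = []
    for line in log_lines:
        m = AGENTD_CRITICAL.search(line)
        if m:
            findings.append("agentd failed to start: " + m.group(1))
    findings += ["invalid server address: %r" % a for a in bad_server_addresses(conf_text)]
    if not findings and any(QUEUE_ERROR.search(l) for l in log_lines):
        findings.append("queue errors only: check that ossec-agentd is running")
    return findings

# Log lines copied from the thread; the config and 192.0.2.10 are constructed.
QUEUE_LINES = [
    "2017/11/27 15:40:51 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.",
    "2017/11/27 15:41:12 rootcheck: CRITICAL: (1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..",
]
RANDOM_LINE = "2017/09/12 19:31:29 ossec-agentd: CRITICAL: randombytes failed for all possible methods for accessing random data"
CONF = ("<ossec_config><client><server><address>%s</address><port>1514</port>"
        "<protocol>udp</protocol></server></client></ossec_config>")
print(triage(QUEUE_LINES, CONF % ""))
```

To use it on a real agent, pass the lines of /var/ossec/logs/ossec.log and the text of /var/ossec/etc/ossec.conf to triage().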


penelo...@gmail.com

Nov 27, 2017, 4:49:57 PM
to Wazuh mailing list
It worked. Sorry for the confusion.

Thanks,
Luis!!