Solaris Agent not working - Wazuh 3.6


Hassan Rahamathullah

Jun 22, 2019, 6:12:05 AM
to Wazuh mailing list
Hi,

I have installed the wazuh agent for Solaris 11.3 and Solaris 10. The agent is able to register with Manager but I could not see any logs coming in /var/ossec/logs/archives/archives.json.

My agent 1 environment:

- OS: solaris 11.3
- Architecture: SPARC

Why the Solaris 10 agent on 11? Because it requires gcc-45 as a dependency, which cannot be installed on my server due to a management rule.
As advised here (https://github.com/wazuh/wazuh/issues/2653#issuecomment-494331229), I installed the Solaris 10 version on Solaris 11.

My agent 2 environment:

- OS: Solaris 10
- Architecture: SPARC

My Manager environment:

- OS: RHEL 7
- Wazuh Manager version: 3.7.2
- Cluster with three managers load balanced using nginx

All the services are up when I check using wazuh-agent status except wazuh-modulesd. 
I have attached /var/ossec/logs/ossec.log file and /var/ossec/etc/ossec.conf for the reference.

Please let me know if anyone has faced the same issue and resolved it.
ossec.conf
ossec.log

Cristina Garrido López

Jun 24, 2019, 3:04:53 AM
to Wazuh mailing list
Hi Hassan,

First of all, could you tell me if you are using the TCP protocol in your manager as well?
It seems that on your agent this function, OS_SetRecvTimeout, is using an additional function which is only available if you have a specific variable set. This variable is _XOPEN_SOURCE, and it should be higher than 520 in order to use the second function. Our Makefile sets it up if it is a Linux system. Could you run the following command so that we can see your system's name? 'uname -s'.

Kind regards,
Cristina

Cristina Garrido López

Jun 24, 2019, 10:23:25 AM
to Wazuh mailing list
Hi Hassan,

I come back with some news. Solaris SPARC is a big-endian architecture; this causes TCP packets to have their first 4 bytes in reversed order, as this protocol has a little-endian header composed of those 4 bytes.
This was fixed for version 3.7.0, but I recommend that you upgrade to version 3.7.2, a more stable one.
Let us know if this fixed your issue.

Kind regards,
Cristina
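
The framing problem described in the message above, as an added example that is not part of the thread and not Wazuh's code: a 4-byte little-endian length header written portably, next to the byte layout a big-endian host such as SPARC produces when it copies the integer raw. The function names, the 300-byte payload length and the 65536-byte receiver limit are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative names and limit; none of this is taken from the Wazuh source. */
#define MAX_FRAME_LEN 65536u /* assumed receiver limit for the example */

/* Portable encoder: least significant byte first on every host. */
void put_le32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)(v & 0xff);
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Layout a raw copy of the integer yields on a big-endian CPU (SPARC);
 * built with shifts so the result is identical on any host. */
void put_be32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)((v >> 24) & 0xff);
    out[1] = (uint8_t)((v >> 16) & 0xff);
    out[2] = (uint8_t)((v >> 8) & 0xff);
    out[3] = (uint8_t)(v & 0xff);
}

/* Decoder matching put_le32, independent of host byte order. */
uint32_t get_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Receiver side: decode the header and refuse lengths outside the limit
 * instead of using them to size a read. */
int frame_len_ok(const uint8_t hdr[4], uint32_t *len_out) {
    uint32_t len = get_le32(hdr);
    if (len == 0 || len > MAX_FRAME_LEN) return 0;
    *len_out = len;
    return 1;
}

int main(void) {
    uint8_t good[4], bad[4];
    uint32_t len = 0;
    put_le32(good, 300); /* constructed payload length */
    put_be32(bad, 300);
    printf("LE header %02x %02x %02x %02x accepted=%d\n",
           good[0], good[1], good[2], good[3], frame_len_ok(good, &len));
    printf("BE header %02x %02x %02x %02x decodes to %lu accepted=%d\n",
           bad[0], bad[1], bad[2], bad[3],
           (unsigned long)get_le32(bad), frame_len_ok(bad, &len));
    return 0;
}
```

The reversed header decodes to a length far above the limit, so a receiver that validates the length drops the frame rather than trying to read it.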

Hassan Rahamathullah

Jun 25, 2019, 9:48:29 AM
to Wazuh mailing list
Hi Cristina,

Great hearing back from you!

First, I installed Wazuh agent 3.7.2, in which the ossec-logcollector service was not running. But registration was successful. Then I tried using the older version, where ossec-logcollector is started but wazuh-modulesd is not starting.

The configuration for agent installation was the same for 3.7.2.

The manager is listening on TCP where other agents are working seamlessly.

Cristina Garrido López

Jun 25, 2019, 10:26:15 AM
to Wazuh mailing list
Hi Hassan,

Have you taken a look at the ossec.log file? Is there any error, warning or critical message? You can use the following command in order to find out easily:

cat /var/ossec/logs/ossec.log | grep -iE "error|critical|warn"

Please let me know if you have found something so that we can narrow down the problem.

Kind regards,
Cristina

Hassan Rahamathullah

Jun 26, 2019, 5:39:28 AM
to Wazuh mailing list
Hi Cristina,

I did not capture the ossec.log file from 3.7.2. I will install it again on Solaris 11 & 10 and will update. Thanks.

Cristina Garrido López

Jun 26, 2019, 9:52:42 AM
to Wazuh mailing list
Hi Hassan,

Perfect, let me know if you have any other problem, I'll be happy to help!

Regards,
Cristina

Hassan Rahamathullah

Jun 30, 2019, 3:44:59 PM
to Wazuh mailing list
Hi Cristina,

I have tried installing the Wazuh agent 3.7.2 in Oracle Solaris 11 and 10. The agents got registered, but ossec-logcollector was not working.


-bash-3.2$ sudo /var/ossec/bin/ossec-control status

cat: cannot open /var/ossec/var/start-script-lock/pid

wazuh-modulesd is running...

ossec-logcollector not running...

ossec-syscheckd is running...

ossec-agentd is running...

ossec-execd is running...


The service was not getting started in both Solaris 10 and 11. I have attached ossec.log file and ossec.conf file. Thanks.

Note: I have installed the Solaris 10 agent on 11 because the dependency gcc-45 cannot be installed.
solaris_11_ossec.log
solaris_10_ossec.log
solaris_10_ossec.conf
solaris_11_ossec.conf

Cristina Garrido López

Jul 2, 2019, 4:59:12 AM
to Wazuh mailing list
Hi Hassan,

We have been reproducing your issue. Indeed, logcollector does not work in 3.7.2. This is a bug happening on SPARC systems with this Wazuh version that has been fixed for 3.9.2. I recommend that you upgrade your agents to the latest version, where this problem is solved. As there are some problems with the dependency gcc-45, you can install the Solaris 10 package on Solaris 11, as my co-worker said.

Kind regards,
Cristina

Hassan Rahamathullah

Jul 2, 2019, 6:14:56 AM
to Wazuh mailing list
Hi Cristina,

Great hearing from you again! My Wazuh-manager is 3.7.2, so if I install wazuh-agent 3.9.2, will it work? Because what is mentioned in the compatibility matrix is:

"The compatibility between Wazuh Agent and Wazuh Manager is guaranteed when the Wazuh Manager has a newer or equal version than the Wazuh Agent."


If it does not work, I need to upgrade my Wazuh-manager to the latest version, right?

Thanks.

Cristina Garrido López

Jul 2, 2019, 10:43:48 AM
to Wazuh mailing list
Hi Hassan,

Yes, I should have mentioned that before. You need the manager to have a higher or equal version than the agents. Does this work for you? Let me know and I'll try to help if not.

Kind regards,
Cristina

Hassan Rahamathullah

Jul 2, 2019, 12:36:34 PM
to Wazuh mailing list
Hi Cristina,

Currently, we have configured many agents to that Wazuh-manager 3.7.2. Very few servers are Solaris 10 and 11. So it is not feasible to upgrade the manager as of now. Do we have any workaround to install the agent and make it run on Solaris? Or can we upgrade the wazuh-manager without losing the connection from agents?

Thanks. Looking forward to your reply!

Cristina Garrido López

Jul 4, 2019, 3:05:51 AM
to Wazuh mailing list
Hi Hassan,

If you mean having to register the agents again, it won't be necessary; they will be connected after upgrading manager and agents. If you mean losing the connection, they will for a few seconds, as it is necessary to restart the Wazuh manager or agent after the upgrade.
Let me know if this clarified your doubt.

Kind regards,
Cristina

Hassan Rahamathullah

Jul 10, 2019, 1:52:20 AM
to Wazuh mailing list
Hi Cristina,

Great to hear back from you. We are using the complete Elastic stack (ELK). Upgrading the Wazuh manager will be a major change in our environment, which is not currently feasible. I checked the compatibility matrix here: https://documentation.wazuh.com/3.x/installation-guide/compatibility_matrix/index.html#api-and-kibana-app. Please let me know if there is any workaround to upgrade or to run the Solaris agent with the current stack.

Thanks.

Cristina Garrido López

Jul 12, 2019, 5:24:25 AM
to Wazuh mailing list
Hello Hassan,

In order to answer your question I would need to know what your ELK version is. If you are using a version higher than or equal to 6.8.0, you can upgrade to 3.9.2. If you are using 6.5.4 or higher, you could upgrade your manager and agents to 3.8.2.
Let me know your Elastic version and I'll get back to you.

Kind regards,
Cristina

Hassan Rahamathullah

Jul 29, 2019, 10:34:46 AM
to Wazuh mailing list

Hi Cristina,

We have successfully upgraded the wazuh manager to 3.9.3 without losing the connection with other agents. We have installed wazuh agent 3.9.3 sparc in Solaris 10 and 11. It works now. We are getting the data as expected.

It was great to get prompt responses from you. Thank you so much for your support.

Cristina Garrido López

Jul 29, 2019, 10:50:10 AM
to Wazuh mailing list
Hi Hassan,

I'm very glad you could solve this successfully. Don't forget we are here to help, so don't hesitate to ask if you have any other questions!

Best regards,
Cristina