not compiled with mysql


김혜정

Oct 11, 2018, 9:34:31 PM
to Wazuh mailing list
Hi, I installed the latest version of Wazuh and set the type of database_output in the ossec.conf file to mysql,
and I installed mysql-devel.

<database_output>
   <hostname>127.0.0.1</hostname>
   <username>ossec</username>
   <password>*****</password>
   <database>ossec</database>
   <type>mysql</type>
</database_output>

But there is such an error.

[root@localhost bin]# ./ossec-control enable database
[root@localhost bin]# ./ossec-control restart
2018/10/11 20:57:29 ossec-dbd: ERROR: (5207): OSSEC not compiled with support for 'mysql'.
2018/10/11 20:57:29 ossec-dbd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
ossec-dbd: Configuration error. Exiting

I set the make TARGET=server DATABASE=mysql in Wazuh/src in advance 
and the installation was finished by running install.sh 

[root@localhost src]# make TARGET=server DATABASE=mysql
make ossec-maild - ossec-csyslogd - ossec-agentlessd - ossec-execd - ossec-logcollector - ossec-remoted ossec-agentd manage_agents utils ossec-syscheckd ossec-monitord ossec-reportd ossec-authd ossec-analysisd ossec-logtest ossec-makelists ossec-dbd - ossec-integratord wazuh-modulesd wazuh-db
make[1]: Entering directory `/wazuh/src'
make[1]: `ossec-maild' is up to date.
make[1]: `ossec-csyslogd' is up to date.
make[1]: `ossec-agentlessd' is up to date.
make[1]: `ossec-execd' is up to date.
make[1]: `ossec-logcollector' is up to date.
make[1]: `ossec-remoted' is up to date.
make[1]: `ossec-agentd' is up to date.
make[1]: `manage_agents' is up to date.
make[1]: Nothing to be done for `utils'.
make[1]: `ossec-syscheckd' is up to date.
make[1]: `ossec-monitord' is up to date.
make[1]: `ossec-reportd' is up to date.
make[1]: `ossec-authd' is up to date.
make[1]: `ossec-analysisd' is up to date.
make[1]: `ossec-logtest' is up to date.
make[1]: `ossec-makelists' is up to date.
make[1]: `ossec-dbd' is up to date.
make[1]: `ossec-integratord' is up to date.
make[1]: `wazuh-modulesd' is up to date.
make[1]: `wazuh-db' is up to date.
make[1]: Leaving directory `/wazuh/src'
make settings
make[1]: Entering directory `/wazuh/src'

General settings:
    TARGET:             server
    V:                  
    DEBUG:              
    DEBUGAD             
    PREFIX:             /var/ossec
    MAXAGENTS:          14000
    REUSE_ID:           no
    DATABASE:           mysql
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/3.6
User settings:
    OSSEC_GROUP:        ossec
    OSSEC_USER:         ossec
    OSSEC_USER_MAIL:    ossecm
    OSSEC_USER_REM:     ossecr
USE settings:
    USE_ZEROMQ:         no
    USE_GEOIP:          no
    USE_PRELUDE:        no
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        yes
    USE_AUDIT:          yes
    USE_EXEC_ENVIRON:   yes
    USE_FRAMEWORK_LIB:  no
Mysql settings:
    includes:           -I/usr/include/mysql
    libs:               -L/usr/lib64/mysql -lmysqlclient -lpthread -lm -ldl
Pgsql settings:
    includes:           
    libs:               
Defines:
    -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DUSE_EXEC_ENVIRON -DENABLE_AUDIT -DMYSQL_DATABASE_ENABLED
Compiler:
    CFLAGS            -Wl,--start-group -Iexternal/audit-userspace/lib -pthread -Iexternal/libdb/build_unix/ -O2 -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DUSE_EXEC_ENVIRON -DENABLE_AUDIT -DMYSQL_DATABASE_ENABLED -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include
    LDFLAGS            '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2 -L/usr/lib64/mysql -lmysqlclient -lpthread -lm -ldl
    CC                cc
    MAKE              make
make[1]: Leaving directory `/wazuh/src'
Done building server



The reason for using mysql is to utilize analogi. The document states that mysql support is available. 

Thanks :) 

juancarl...@wazuh.com

Oct 15, 2018, 12:38:40 PM
to Wazuh mailing list
Hello Renee,

I did a fresh install and I did not run into the same issue. I realize the documentation can be improved on this feature so there may have been an additional step that was necessary.

I did the following:

  apt install libmysqld-dev mysql-server
  apt-get install python gcc make libc6-dev curl policycoreutils automake autoconf libtool
  curl -Ls https://github.com/wazuh/wazuh/archive/v3.6.1.tar.gz | tar zx
  cd wazuh-3.6.1/src
  make deps
  make TARGET=server DATABASE=mysql
  ../install.sh
  /var/ossec/bin/ossec-control enable database
  mysql -p
  mysql> CREATE USER 'ossec';
  mysql> SET PASSWORD FOR 'ossec' = '*****';
  mysql> CREATE DATABASE ossec;
  mysql> GRANT ALL PRIVILEGES ON ossec.* to 'ossec';
  mysql> exit
  mysql -u root -p ossec < /home/user/wazuh-3.6.1/src/os_dbd/mysql.schema
  service wazuh-manager start

After a while I saw it connected to the MySQL database and started adding information into the corresponding database.

In your case it does seem the issue arises before compilation so maybe you can verify those steps and let me know if the problem persists.

Regards,
Juan Carlos

Renee Kim

Oct 15, 2018, 10:45:44 PM
to Wazuh mailing list
Thank you for answering. I tried as you told me. 
The whole process was smooth, but this problem has not been solved.


Wazuh-dbd runs but ossec-dbd does not. A configuration error happens in this part.

<database_output> // ossec.conf file
  <hostname>127.0.0.1</hostname>
  <username>ossec</username>
  <password>*****</password>
  <database>ossec</database>
  <type>mysql</type> <---this line.
</database_output>

Database_output is very important for using analogi. It seems like problem of ossec... 
but documents in version 3.0 state that mysql support is available. 
Please help me avoid compilation errors. Thank you.


On Friday, October 12, 2018 at 10:34:31 AM UTC+9, Renee Kim wrote:

juancarl...@wazuh.com

Oct 16, 2018, 8:58:27 AM
to Wazuh mailing list
Hi,

I wonder what could be happening. I followed all the steps from the previous message again to make sure I did not omit any, but besides editing the ossec.conf file to add the lines you provided, only those steps seem necessary for a correct system that outputs logs to the mysql database.

I worry there could be conflicting files from a previous compilation which did not include mysql support that would cause that error.
 
Is it possible you could test in a new environment?

Regards,
Juan Carlos

Renee Kim

Oct 18, 2018, 12:06:16 AM
to Wazuh mailing list
I have tried many times but the error remains. The OS is CentOS7.
Still, adding <database_output> to var/ossec/etc/ossec.conf will indicate that mysql support is not available.
When you said that the execution was good, I would like to ask if you added <database_output> to the config file. 
If I don't put that part in, it works well.

The data_output error occurs in wazuh-3.6.1 but not in ossec-2.8.3



As the version went up, the compile method changed and the schema for mysql changed. 
The data table was deleted and some columns were merged into the alert table and some additional columns were added.


Analogi accesses the signature, alert and location tables in the ossec database. However, logs do not accumulate in the database due to compile issues.
I'll be waiting for the reply. Thanks. 


On Friday, October 12, 2018 at 10:34:31 AM UTC+9, Renee Kim wrote:
Hi I installed the latest version of wazuh and set the type of database_output from the ossec.conf file to mysql. 

juancarl...@wazuh.com

Oct 18, 2018, 11:33:49 AM
to Wazuh mailing list
Hello,

I tried again on a virtual machine, this time with CentOS7. I see that compilation in CentOS is not as straightforward.
 
For one, mysql-server is not in the default repositories. Also, when compiling, ld -lmysqlclient will fail to find the appropriate libraries, which in your case I see you already pointed to them at /usr/lib64/mysql, I just changed the Makefile accordingly.

So the process for CentOS7 would be:

  yum install python gcc make libc6-dev curl policycoreutils automake autoconf libtool
  curl http://repo.mysql.com/mysql-community-release-el7-7.noarch.rpm -o mysql-community-release-el7-7.noarch.rpm
  rpm -ivh mysql-community-release-el7-7.noarch.rpm
  yum update
  yum install mysql-server
  systemctl start mysqld
  curl -Ls https://github.com/wazuh/wazuh/archive/v3.6.1.tar.gz | tar zx
  cd wazuh-3.6.1/src
  make deps
  sed -i 's:-lmysqlclient:-L/usr/lib64/mysql -lmysqlclient:g' Makefile
  make TARGET=server DATABASE=mysql
  ../install.sh
  /var/ossec/bin/ossec-control enable database
  mysql -p
  mysql> CREATE USER 'ossec';
  mysql> select password ('*****');
  mysql> set password for 'ossec' = <41 character HEX output from previous command>;
  mysql> CREATE DATABASE ossec;
  mysql> GRANT ALL PRIVILEGES ON ossec.* to 'ossec';
  mysql> exit
  mysql -u root -p ossec < os_dbd/mysql.schema

Then edit the ossec.conf with your previous configuration and start wazuh.
 
systemctl start wazuh-manager

I'm afraid the message you're seeing points to an installation without mysql support. It could be either that a previous installation without mysql support is still the currently installed version (i.e. after compilation the ../install.sh script was not run, but a previous install of wazuh was already in place) or that having run the installation script in a system that had a previous ossec installation without mysql support left some files behind and they are conflicting.

I encourage you to try this in a clean environment like a virtual machine matching your system's characteristics to see if we still run into the same problem.

Alternatively you could backup any logs, keys and custom rules you may have set up in /var/ossec/ and then clean that folder. If you run the install script specifying that you do not wish to update it will prompt if you want to delete the previous installation. This should allow you to avoid any possible conflicting files, however be aware that any information in that folder may be lost (in case there is a preexisting functioning installation).

I attach screenshots of the installation I just did in case there is something in there that could clear up any other information I may have omitted.

I hope this helps,
Juan Carlos
CentOS7-ossec.conf.png
CentOS7Status.png

nOBEL jUNG

Oct 30, 2018, 7:12:53 AM
to Wazuh mailing list
Hello Juan,

I followed your following guide without any problem, but "ossec_dbd is not running";
------------------------------------------------------------------
[root@localhost wazuh-3.6.1]# cd /
[root@localhost /]# cd var/ossec/bin
[root@localhost bin]# ./ossec-controrl status
-bash: ./ossec-controrl: No such file or directory
[root@localhost bin]# ./ossec-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
wazuh-db is running...
ossec-dbd not running...
ossec-authd is running...
------------------------------------------------------------------

Please I need some more advice.

Many thanks,

Nobel Jung



On Thursday, October 18, 2018 at 11:33:49 AM UTC-4, juancarl...@wazuh.com wrote:

juancarl...@wazuh.com

Oct 30, 2018, 11:48:12 AM
to Wazuh mailing list
Hello Nobel,

I'll be happy to help you, although we will probably need to first gather more information.

Firstly, did you edit your `/var/ossec/etc/ossec.conf` file to specify the database output?
I realize this wasn't explicitly stated in the steps I mentioned to Renee as well as installing mysql-devel since they had already done it.

I notice that `/var/ossec/bin/ossec-control status` may indicate that `ossec-dbd` is not running even though `ps -aux | grep ossec-dbd | grep -v grep` may show it is indeed running. Is this your case?

We do recommend using systemctl for managing the daemons instead of the ossec-control function. Let me know if `systemctl status wazuh-manager` shows the ossec-dbd as started.

Another option that may help us determine the cause of any issue is to kill the ossec-dbd process and execute it in debug mode. To do so run the following commands:
ps -x | grep ossec-dbd | grep -v grep | awk '{print $1}'| xargs kill
/var/ossec/bin/ossec-dbd -d

And of course a good place to always look is the log file which is located at /var/ossec/logs/ossec.log.

Let me know what you find there so I may help you further.

Regards,
Juan Carlos

nOBEL jUNG

Nov 10, 2018, 2:34:26 AM
to Wazuh mailing list
Hello Juan,

I found out that it, os_dbd, is working as your advice.
But still I can't connect MYSQL as the following;

vi /var/ossec/etc/ossec.conf
.............
<ossec_config>

    <database_output>
        <hostname>127.0.0.1</hostname>
        <username>ossec</username>
        <password>ossecpass</password>

        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>

And I restarted wazuh-manager.
But in the log, /var/ossec/logs/ossec.log is as the following;
2018/11/10 16:15:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/11/10 16:15:31 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/11/10 16:15:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2018/11/10 16:19:00 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
2018/11/10 16:19:48 ossec-dbd: INFO: Started (pid: 17947).
2018/11/10 16:20:32 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/11/10 16:20:37 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/11/10 16:20:38 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
2018/11/10 16:21:09 rootcheck: INFO: Ending rootcheck scan.
2018/11/10 16:21:17 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
2018/11/10 16:24:00 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
................

I do appreciate your time.

Many thanks,

N.J


On Wednesday, October 31, 2018 at 12:48:12 AM UTC+9, juancarl...@wazuh.com wrote:

juancarl...@wazuh.com

Nov 15, 2018, 8:30:30 AM
to Wazuh mailing list
Hello N.J,

This behavior could be due to a credential mismatch between the configuration in mysql and that stated in the ossec.conf file.

A way to test that the database has the proper credentials configured is to access it:
mysql -u ossecuser -p'ossecpass'


If the access is denied then the credentials should be reestablished with the process I mentioned before or in order to avoid copy/paste issues you can use this one-liner:
mysql -e "select password ('ossecpass');" | sed -n -e 2p | xargs -I % mysql -u root -e "set password for 'ossecuser' = '%';"

Also make sure that the ossec database has been created and the ossec user has privileges to it:
mysql -e "CREATE DATABASE ossec;"
mysql -e "GRANT ALL PRIVILEGES ON ossec.* to 'ossecuser';"

And don't forget to check that these credentials coincide with those in /var/ossec/etc/ossec.conf

If you want to verify which credentials the system is using when it fails, you may run:
/var/ossec/bin/ossec-dbd -df

where one of the last lines it will output will include the credentials used.


I hope this helps,
Juan Carlos


On Saturday, November 10, 2018 at 8:34:26 AM UTC+1, nOBEL jUNG wrote:
Hello Juan,
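
The two ossec-dbd failures seen in this thread (error 5207 and error 5202) can be told apart from the log and checked against the `<database_output>` block. The following is an added example, not part of the original thread and not Wazuh's own code; the function names, category labels and sample text are constructed for illustration.

```python
import re

# Constructed samples modelled on the ossec.conf and ossec.log excerpts in this thread.
SAMPLE_CONF = """
<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>REDACTED</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""
SAMPLE_LOG = """\
2018/10/11 20:57:29 ossec-dbd: ERROR: (5207): OSSEC not compiled with support for 'mysql'.
2018/11/10 16:19:00 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
2018/11/10 16:19:48 ossec-dbd: INFO: Started (pid: 17947).
2018/11/10 16:20:38 ossec-dbd: ERROR: (5202): Error connecting to database '127.0.0.1'(ossec): ERROR: Access denied for user 'ossecuser'@'localhost' (using password: YES).
"""

DBD_ERROR = re.compile(r"ossec-dbd: ERROR: \((\d+)\): (.*)")
DENIED = re.compile(r"Access denied for user '([^']*)'@")

def database_output(conf_text):
    """Settings of the first <database_output> block (regex scan, not strict XML)."""
    block = re.search(r"<database_output>(.*?)</database_output>", conf_text, re.S)
    return dict(re.findall(r"<(\w+)>\s*(.*?)\s*</\1>", block.group(1))) if block else {}

def triage(conf_text, log_text):
    """Return de-duplicated (category, detail) findings for ossec-dbd errors."""
    conf = database_output(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = DBD_ERROR.search(line)
        if not m:
            continue
        code, detail = m.groups()
        denied = DENIED.search(detail)
        if code == "5207":
            item = ("no-db-support", "installed ossec-dbd was built without the configured <type>")
        elif code == "5202" and denied and denied.group(1) != conf.get("username"):
            item = ("user-mismatch", f"log user '{denied.group(1)}' != ossec.conf user '{conf.get('username')}'")
        elif code == "5202":
            item = ("db-connect", "connection failed for the configured user; check password and grants")
        else:
            item = ("other", f"error {code}")
        if item not in findings:
            findings.append(item)
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{category}: {detail}")
```

The password value is never read into a finding, so the output is safe to paste into a mailing-list reply.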

Renee Kim

Dec 19, 2018, 10:42:00 AM
to Wazuh mailing list
Hello, Thanks to your help, the compilation problem has been solved.
Also, I have a question. An agent program is installed on AIX, Solaris and HPUX server of UNIX type to check the log data.
AIX and HP-UX have no problems with installation and operation, but Solaris has problems with the package installation. 
This version is Solaris 11 SPARC. Are these problems caused by the lack of libraries? The errors are as follows:

Action install failed for 'ossec' (pkg://wazuh/wazuh-agent):
KeyError: 'gid'
pkg: install을(를) 수행하는 중 예상치 않은 오류가 발생했습니다. 'gid'
Traceback (most recent call last):
  File "/usr/bin/pkg", line 6254, in handle_errors
    __ret = func(*args, **kwargs)
  File "/usr/bin/pkg", line 6240, in main_func
    pargs=pargs, **opts)
  File "/usr/bin/pkg", line 1985, in install
    update_index=update_index)
  File "/usr/bin/pkg", line 1758, in __api_op
    ret_code = __api_execute_plan(_op, _api_inst)
  File "/usr/bin/pkg", line 1326, in __api_execute_plan
    api_inst.execute_plan()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/api.py", line 2816, in execute_plan
    self._img.imageplan.execute()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/imageplan.py", line 4593, in execute
    p.execute_install(src, dest)
  File "/usr/lib/python2.7/vendor-packages/pkg/client/pkgplan.py", line 563, in execute_install
    dest.install(self, src)
  File "/usr/lib/python2.7/vendor-packages/pkg/actions/group.py", line 80, in install
    if (cur_attrs["gid"] != self.attrs["gid"]):
KeyError: 'gid'
pkg: This is an internal error in pkg (5) version a1fb8dcc1a5e. the above information and
Including this message,
Record the service request.

Thanks.


On Friday, October 12, 2018 at 10:34:31 AM UTC+9, Renee Kim wrote:
Hi I installed the latest version of wazuh and set the type of database_output from the ossec.conf file to mysql. 

Alberto Rodriguez

Jan 14, 2019, 1:27:01 PM
to Wazuh mailing list
Hello Renee

  Sorry for the late response. This issue is caused by a wrong deletion of the user "ossec" in the uninstall process, which is a known issue. I recommend that you remove the Wazuh agent package, manually remove the user and group "ossec", and then try again to install the agent.

Please let me know if this works for you. 

Best regards, 
Alberto R. 