-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSSEC agent not connecting after Linux host restart #1946
Comments
Is your alienvault OSSIM using the same version of OSSEC? |
No it doesn't, it seems to run 2.9.1 (used command ossec-analysisd -V) and it's "embeded meaning you can't really touch it I think. But from what I understand so far, there is nothing wrong on server side, as if I restart the service on the client once booted, everything works fine. It seems like the network is not "ready" when HIDS service starts or something like that. |
Could not see anything on server side... Anyone? Any clue? Is there any way to change dependencies to start the service later? I'd like to try that. 😉 |
Cant say for sure if a 3.6.0 agent is supported by something as old as a 2.9.1 server, but assuming it would work, what happens when you restart the agent after the network is plumbed? If it works then, then youre right that the issue is the agent is starting before the network is available on the agent system. |
That is exactly what is happening, whenever I restart the service manually (because the service is started after reboot), it works straight away and I see new events right after in SIEM. I would probably know if I was a Linux expert, but I'm not! 😁 |
You can add something like |
So in nearly every case the network should already be plumbed before the ossec agent is started. Are you using a GUI desktop with your Linux system? If so, on many distros where the Desktop GUI is enabled, it doesnt start the network until after you log into the GUI, and Linux/UNIX normally starts the network way before that. Services, like the ossec agent, assume the network is started on boot (which is true 99% of the time, otherwise servers wouldnt work very well), so if case thats your case, thats your problem, configure the network to start on boot and not on login. Otherwise, somehow your system has been configured to start the network either after services like ossec are started, or somehoe the ossec agent has been configured to start way too early. In which case, Dans solution should work, but Id check the start order of your services if your network is start to be plumbed on boot. |
Nope, am I'm a purist Linux N0ob! I use either Fedora server or Centos 8 server without a gui! 😁 @ddpbsd I'll check your solution tomorrow, thanks for the help! 😉 |
Well, this was definitivelly a part of the solution, but "the last bit"... 😁 It has definitivelly something to do on how the service is installed. By default, the service "configuration" file will be located in /run/systemd/generator.late folder. In this location, something is handled automatically and you just can't edit the file to change the behaviour. It also starts very early in the boot process (read a lot of confusing things) So what I've tried, I moved this file to the default location (/usr/lib/systemd/system/) and edited the file to add the ExecStartPre line and an [Install] section that is necessary to install the service. ossec-hids.service file looks now like this:
With this, service starts automatically with a delay and this helps because it connects to the server without the need of a manual restart. So now, how do we fix that "forever"? PS: I repeat, I'm not a Linux specialist and I hope this doesn't open a security pandora box... 😉 |
Wouldnt something like this work? After=network.target |
I'll try that 😉 |
So unfortunatelly, this didn't work, still seems to be too early in the boot process. The following configuration seems to work... I kept the Before (removed the duplicates though) and added the same After and Wants dependencies as NGINX (I use it a lot):
|
Hi there,
I've a consistent issue with several Linux hosts (one is Fedora 33 server and the others CentOS 8 server)
I've no problem with any of my Windows hosts and my OSSEC server is Alienvault OSSIM.
Agent (3.6.0) was installed as a service with this command:
sudo systemctl enable --now ossec-hids.service
Everytime a host is rebooted, I'll get the following error message and agent will appear disconnected on the server side (and will never try again):
But if I restart the service manually, it connects successfully and I get that in the logs:
Behavior is consitent on all hosts. My config file is the default as I'm new with Linux hosts monitoring so the only modification I made is the section that points to my server.
Debugging log level to 2 didn't show more info in the logs but now, I'm open to any help! Thanks in advance 😉
The text was updated successfully, but these errors were encountered: