[ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-22 Thread Kat
The Wazuh fork is actually newer, but regardless there should never be a 
conflict from 2.x to 2.x with agent and server. When you say "conflict" - 
can you be more specific on the error you are seeing?

Kat

On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote:
>
> Hello all. I just installed the Wazuh fork in a server but after a bit of 
> tinkering, I realized there were issues between a previously installed 
> agent and this server. 
>
> After searching for information, it seems the error is that the agent 
> version(2.8.3) is newer than what comes with Wazuh which apparently is 
> 2.8 and it causes a conflict. 
>
> Could I update Wazuh's OSSEC with the official ossec files so the server 
> matches the agent, without risk of losing my configurations(logstash, etc) 
> or I just should use the Wazuh files for agent installation?
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-23 Thread Alejandro M
These are the messages I'm getting from Ossec on the side of the agent:

2017/01/22 09:42:44 ossec-agentd: INFO: Trying to connect to server (x.x.x.10:1514).
2017/01/22 09:42:44 ossec-agentd: INFO: Using IPv4 for: x.x.x.10 .
2017/01/22 09:42:45 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
2017/01/22 09:42:54 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
2017/01/22 09:42:59 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
2017/01/22 09:43:05 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10



Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-22 Thread dan (ddp)
On Jan 22, 2017 4:16 PM, "Kat" wrote:

> The Wazuh fork is actually newer, but regardless there should never be a
> conflict from 2.x to 2.x with agent and server. When

*With the caveat that this isn't explicitly tested.

> you say "conflict" - can you be more specific on the error you are seeing?
>
> Kat
>
> On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote:
>>
>> Hello all. I just installed the Wazuh fork in a server but after a bit of
>> tinkering, I realized there were issues between a previously installed
>> agent and this server.
>>
>> After searching for information, it seems the error is that the agent
>> version(2.8.3) is newer than what comes with Wazuh which apparently is
>> 2.8 and it causes a conflict.
>>
>> Could I update Wazuh's OSSEC with the official ossec files so the server
>> matches the agent, without risk of losing my configurations(logstash, etc)
>> or I just should use the Wazuh files for agent installation?
>>


Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-23 Thread Pedro Sanchez
Hi Alejandro,

Let me help here. I don't think your error is related to compatibility
issues, and it is not true that the agent included in Wazuh is older than
an OSSEC agent 2.8.3; in fact, it is newer (based on OSSEC 2.9+).

OSSEC Agents are totally compatible with the Wazuh fork, meaning that you will
be free to use/deploy OSSEC Agents (2.8.3 or older) or Wazuh fork agents.
Please be more specific about the error you are seeing and maybe I can help
a little bit more here.

About modifying the Wazuh installation with some OSSEC files, that will cause
some problems since the whole Elastic stack integration consists mainly of
a JSON custom output, so you will need Wazuh core binaries.





On Sun, Jan 22, 2017 at 10:26 PM, dan (ddp)  wrote:

>
>
> On Jan 22, 2017 4:16 PM, "Kat"  wrote:
>
> The Wazuh fork is actually newer, but regardless there should never be a
> conflict from 2.x to 2.x with agent and server. When
>
>
> *With the caveat that this isn't explicitly tested.
>
>
> you say "conflict" - can you be more specific on the error you are seeing?
>
> Kat
>
>
> On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote:
>>
>> Hello all. I just installed the Wazuh fork in a server but after a bit of
>> tinkering, I realized there were issues between a previously installed
>> agent and this server.
>>
>> After searching for information, it seems the error is that the agent
>> version(2.8.3) is newer than what comes with Wazuh which apparently is
>> 2.8 and it causes a conflict.
>>
>> Could I update Wazuh's OSSEC with the official ossec files so the server
>> matches the agent, without risk of losing my configurations(logstash, etc)
>> or I just should use the Wazuh files for agent installation?
>>


Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-23 Thread Victor Fernandez
Hi Alejandro,

The issue seems to be a counter problem since any other error would print
an additional error message.

Try to remove the file: "/var/ossec/queue/rids/" from the agent, for N
being the agent ID. For example:

rm /var/ossec/queue/rids/$(cut -d' ' -f1 /var/ossec/etc/client.keys)

/var/ossec/bin/ossec-control restart


An easier option is to disable the message verification:

echo "remoted.verify_msg_id=0" >> /var/ossec/etc/local_internal_options.conf
/var/ossec/bin/ossec-control restart


Hope it helps.

Best regards.

On Mon, Jan 23, 2017 at 5:22 AM, Alejandro M  wrote:

> These are the messages I'm getting from Ossec on the side of the agent:
>
> 2017/01/22 09:42:44 ossec-agentd: INFO: Trying to connect to server (x.x.x.10:1514).
> 2017/01/22 09:42:44 ossec-agentd: INFO: Using IPv4 for: x.x.x.10 .
> 2017/01/22 09:42:45 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
> 2017/01/22 09:42:54 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
> 2017/01/22 09:42:59 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10.
> 2017/01/22 09:43:05 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.10
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
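
The counter reset and the message-ID setting from the reply above, as an added example (not part of the original thread and not OSSEC's or Wazuh's own tooling): it moves the rids file aside instead of deleting it, and reports whether remoted.verify_msg_id=0 is present in local_internal_options.conf. The function names and the base-directory and backup-directory arguments are assumptions; like the post's cut command, it takes the agent ID from the first field of client.keys.

```shell
#!/bin/sh
# Added example: function names and arguments are hypothetical.
# Pass /var/ossec as the base directory on a real agent.

# Print the agent ID: first field of the first non-empty line of client.keys.
agent_id() {
    id=$(awk 'NF { print $1; exit }' "$1/etc/client.keys") || return 1
    case "$id" in
        ''|*[!0-9]*) echo "unexpected agent ID: '$id'" >&2; return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Move the agent's counter file into a backup directory (default /tmp)
# instead of removing it, so the old counter can be inspected or restored.
# Prints the backup path; fails if the ID or the counter file is missing.
reset_rids() {
    id=$(agent_id "$1") || return 1
    f="$1/queue/rids/$id"
    [ -f "$f" ] || { echo "no counter file: $f" >&2; return 1; }
    bak="${2:-/tmp}/rids-$id.$(date +%Y%m%d%H%M%S)"
    mv -- "$f" "$bak" && printf '%s\n' "$bak"
}

# Succeed if local_internal_options.conf sets remoted.verify_msg_id to 0,
# i.e. message-ID verification has been turned off on this installation.
verify_msg_id_disabled() {
    conf="$1/etc/local_internal_options.conf"
    [ -f "$conf" ] || return 1
    grep -Eq '^[[:space:]]*remoted\.verify_msg_id[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$conf"
}

# Usage on an agent, as root (same order as in the post):
#   reset_rids /var/ossec /root && /var/ossec/bin/ossec-control restart
#   verify_msg_id_disabled /var/ossec && echo "message-ID verification is off"
```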
