Problem starting OSSEC agent using Chef ossec cookbook


#1

While I believe ossec::server worked like a charm for my server, I’m seeing the following for clients when using ossec::client:

2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…
2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…

I verified the client can access the server as the server has the client’s key is in /var/ossec/etc/client.keys.

Any ideas?


#2

Hi Clif!

On Nov 22, 2011, at 7:17 PM, Clif Smith wrote:

While I believe ossec::server worked like a charm for my server, I’m seeing the following for clients when using ossec::client:

2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…
2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…

I verified the client can access the server as the server has the client’s key is in /var/ossec/etc/client.keys.

Any ideas?

It looks like ossec really wants the agents to exist in /var/ossec/etc/client.keys. Currently, only the server recipe is managing this, with the ossec-batch-manager.pl script. You’ll need to rerun chef-client on the server after ossec is up on the clients, and restart the ossec daemons on the client(s). I don’t know off-hand a great way to coordinate and handle this, yet.

I created http://tickets.opscode.com/browse/COOK-846 for tracking this.


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


#3

Thanks for the reply! I tried adding the code from the ticket for the client but it appears to create another key which conflicts with the key the server creates?
On Nov 23, 2011, at 1:19 PM, Joshua Timberman wrote:

Hi Clif!

On Nov 22, 2011, at 7:17 PM, Clif Smith wrote:

While I believe ossec::server worked like a charm for my server, I’m seeing the following for clients when using ossec::client:

2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…
2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up…

I verified the client can access the server as the server has the client’s key is in /var/ossec/etc/client.keys.

Any ideas?

It looks like ossec really wants the agents to exist in /var/ossec/etc/client.keys. Currently, only the server recipe is managing this, with the ossec-batch-manager.pl script. You’ll need to rerun chef-client on the server after ossec is up on the clients, and restart the ossec daemons on the client(s). I don’t know off-hand a great way to coordinate and handle this, yet.

I created http://tickets.opscode.com/browse/COOK-846 for tracking this.


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman