Fixing OSSEC issues

Submitted by ajlill on Fri, 07/15/2016 - 18:23

Just finished an upgrade of ossec from 2.7.1 to the latest 2.8.3. I'll skip the rant about projects that use homegrown install scripts that assume you are going to compile their software on every host, since I went through the headache of reverse-engineering that mess long ago and the anger has subsided!

Hit a few problems, or perhaps they were always there and I never noticed.

First I got

2016/07/15 17:07:33 ossec-remoted: WARN: Duplicate error:  global: 1, local: 3846, saved global: 2464, saved local:8074

2016/07/15 17:07:33 ossec-remoted(1407): ERROR: Duplicated counter for 'blah'.

The solution to this is to go into /var/ossec/queue/rids on the client and remove all the files there, then in the same directory on the server remove the file for the troublesome client, and restart both. Those files hold the per-agent message counters (the global/local values printed in the warning) that remoted uses to reject replayed messages; once the agent and the server disagree about them, every message from that agent trips the duplicate check until the counters are cleared on both sides.

Second, I got a number of

2016/07/15 17:07:31 ossec-remoted(1213): WARN: Message from 1.2.3.4 not allowed.

2016/07/15 17:07:41 ossec-remoted(1403): ERROR: Incorrectly formated message from '5.6.7.8'.

This was much more straightforward, but more telling. Some of the 'not allowed' messages were from multi-homed hosts. I tried using 'any' instead of the IP address, but that didn't help. From googling, it seems that very few people can actually get the 'any' address to work. It also seems that it may depend on exactly how you build the software, where some builds work and some don't. The format error came from duplicate IP addresses in the client.keys file.

So, without actually looking at the code, it seems that when a message comes in, ossec uses the source IP address to match the entry in the client.keys file, which would probably explain why 'any' doesn't work.
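As an added illustration (not part of the original post and not OSSEC's own code), here is a small Python checker for client.keys that reports the two conditions described above, duplicate IP addresses and more than one 'any' entry, together with a simplified model of the match-by-source-IP lookup the post infers. The sample client.keys content is constructed with placeholder keys, and the first-match-in-file-order rule in match_by_ip is an assumption for illustration, not a description of what ossec-remoted actually does.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in OSSEC's client.keys format: "<id> <name> <ip> <key>".
# The keys are shortened placeholders, not real agent keys. Line 1 and line 3
# share an IP, lines 4 and 5 both use "any", and line 7 is malformed.
SAMPLE_CLIENT_KEYS = """\
001 web1 10.0.0.5 aaaa1111aaaa1111
002 web2 10.0.0.6 bbbb2222bbbb2222
003 db1 10.0.0.5 cccc3333cccc3333
004 roaming1 any dddd4444dddd4444
005 roaming2 any eeee5555eeee5555
006 lan 10.0.1.0/24 ffff6666ffff6666
007 missing-fields
"""


def parse_client_keys(text):
    """Parse client.keys text into a list of entry dicts plus a list of errors
    for lines that do not have exactly four whitespace-separated fields."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            errors.append("line %d: expected 4 fields, got %d" % (lineno, len(parts)))
            continue
        agent_id, name, ip, key = parts
        entries.append({"line": lineno, "id": agent_id, "name": name, "ip": ip, "key": key})
    return entries, errors


def find_duplicates(entries):
    """For each of id, name and ip, map every value used by more than one
    entry to the line numbers that use it. A duplicate ip (including a
    second "any") means two agents compete for one lookup slot."""
    dups = {}
    for field in ("id", "name", "ip"):
        seen = defaultdict(list)
        for entry in entries:
            seen[entry[field]].append(entry["line"])
        dups[field] = {value: lines for value, lines in seen.items() if len(lines) > 1}
    return dups


def match_by_ip(entries, src_ip):
    """Simplified model (an assumption for illustration, not OSSEC's code) of
    matching a sender by source address: walk the file in order and return the
    first entry whose ip is "any", equals src_ip, or is a CIDR containing it.
    With this rule a later entry that shares an IP, or a second "any", can
    never be selected, so its key is never used to decrypt its messages."""
    addr = ipaddress.ip_address(src_ip)
    for entry in entries:
        ip = entry["ip"]
        if ip == "any":
            return entry
        try:
            if "/" in ip:
                if addr in ipaddress.ip_network(ip, strict=False):
                    return entry
            elif addr == ipaddress.ip_address(ip):
                return entry
        except ValueError:
            continue  # unparsable ip field; skip rather than match
    return None


def lint_client_keys(text):
    """Return a list of human-readable findings for a client.keys text."""
    entries, findings = parse_client_keys(text)
    dups = find_duplicates(entries)
    for field in ("id", "name", "ip"):
        for value, lines in sorted(dups[field].items()):
            findings.append("duplicate %s %r on lines %s" % (field, value, lines))
    return findings


if __name__ == "__main__":
    for finding in lint_client_keys(SAMPLE_CLIENT_KEYS):
        print(finding)
```

Run it against a copy of /var/ossec/etc/client.keys before restarting remoted; under the first-match model, a message from the second host sharing 10.0.0.5 would be looked up as web1 and decrypted with web1's key, which is the kind of mismatch that surfaces as a format error rather than a clean rejection.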