Hi,
I have been an OSSEC user for many, many years and it's a great product.
With the latest version I keep having this problem that it doesn't want to start at all.
It's a fresh, "local" install and I moved my old, somewhat broken, install out of the way.
I am on a Debian 10.10 and I install it via "USE_GEOIP=yes ./install.sh". The following output looks ok, and it says
"Configuration finished properly.".
When starting via
/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
ossec-analysisd: Configuration error. Exiting.
Then I do a /var/ossec/bin/ossec-analysisd -t
2021/06/28 10:40:08 ossec-analysisd(1103): ERROR: Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf' due to [(2)-(No such file or directory)].
2021/06/28 10:40:08 ossec-analysisd(2301): ERROR: Definition not found for: 'analysisd.debug'.
With any previous install an upgrade was literally just the ./install.sh. What has changed now? What am I missing here please?
Why does it require now an ossec-agent directory? In my old install that file was in etc/.
I tried to copy the file to the "new place", but then it complains about ar.conf, and I have no idea what's going on in there.
Why has it changed so significantly that it doesn't even start on a fresh install? It also doesn't say anything about having to create that file.
There is still an internal_options.conf in the new etc/ directory.
What can I do to get it going again?
Regards
Tom
After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf'
- New Forum User
- Atomicorp Staff - Site Admin
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
Did you pick "hybrid" by some chance? Or did you have a hybrid install before? This part here:
2021/06/28 10:40:08 ossec-analysisd(1103): ERROR: Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf' due to [(2)-(No such file or directory)].
See how it says /var/ossec/ossec-agent; that is something a hybrid install would create.
- New Forum User
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
I might have tried that in a much earlier attempt to get it working again.
This particular run I definitely chose "local".
- New Forum User
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
I just ran USE_GEOIP=yes ./install.sh again, please see below.
It seems this forum has a problem with its SPF record:
2021-06-28 10:29:32 H=(www3.atomicorp.com) [74.208.64.153]:34686 I=[XXXX]:25
X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<atomicforums@forums.atomicorp.com> rejected RCPT
<tom@preissler.co.uk>: SPF check failed.
The install is definitely done as "local", but when starting it, it thinks it's hybrid.
I have now cleared /var/ossec and still get the same behaviour.
Code:
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
- System: Linux XXXX 4.19.0-17-amd64
- User: XXXX
- Host: XXXX
-- Press ENTER to continue or Ctrl-C to abort. --
- You already have OSSEC installed. Do you want to update it? (y/n):
1- What kind of installation do you want (server, agent, local, hybrid or help)?
- Local installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
- The installation directory already exists. Should I delete it? (y/n) [y]:
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: - What's your e-mail address? - What's your e-mail address?
- We found your SMTP server as: XXXX
- Do you want to use it? (y/n) [y]:
--- Using SMTP server: XXXX
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
-
- XXXX
- XXXX
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
make settings
make[1]: Entering directory '/usr/local/src/ossec-hids-3.6.0/src'
General settings:
TARGET: local
V:
DEBUG:
DEBUGAD:
PREFIX: /var/ossec
MAXAGENTS: 2048
REUSE_ID: no
DATABASE:
ONEWAY: no
CLEANFULL: no
User settings:
OSSEC_GROUP: ossec
OSSEC_USER: ossec
OSSEC_USER_MAIL: ossecm
OSSEC_USER_REM: ossecr
ZLIB settings:
ZLIB_SYSTEM: yes
ZLIB_INCLUDE:
ZLIB_LIB: os_zlib.a
PCRE2 settings:
PCRE2_SYSTEM: yes
PCRE2_INCLUDE:
Lua settings:
LUA_PLAT: posix
LUA_ENABLE: no
USE settings:
USE_ZEROMQ: no
USE_GEOIP: yes
USE_PRELUDE: no
USE_OPENSSL: auto
USE_INOTIFY: no
USE_SQLITE:
USE_PCRE2_JIT: yes
Mysql settings:
includes:
libs:
Pgsql settings:
includes:
libs:
Defines:
-DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL
Compiler:
CFLAGS -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/
LDFLAGS -lm -lpthread -lpcre2-8 -lGeoIP -lssl -lcrypto -lz
CC cc
MAKE make
make[1]: Leaving directory '/usr/local/src/ossec-hids-3.6.0/src'
Done building local
make settings
make[1]: Entering directory '/usr/local/src/ossec-hids-3.6.0/src'
General settings:
TARGET: local
V:
DEBUG:
DEBUGAD:
PREFIX: /var/ossec
MAXAGENTS: 2048
REUSE_ID: no
DATABASE:
ONEWAY: no
CLEANFULL: no
User settings:
OSSEC_GROUP: ossec
OSSEC_USER: ossec
OSSEC_USER_MAIL: ossecm
OSSEC_USER_REM: ossecr
ZLIB settings:
ZLIB_SYSTEM: yes
ZLIB_INCLUDE:
ZLIB_LIB: os_zlib.a
PCRE2 settings:
PCRE2_SYSTEM: yes
PCRE2_INCLUDE:
Lua settings:
LUA_PLAT: posix
LUA_ENABLE: no
USE settings:
USE_ZEROMQ: no
USE_GEOIP: yes
USE_PRELUDE: no
USE_OPENSSL: auto
USE_INOTIFY: no
USE_SQLITE:
USE_PCRE2_JIT: yes
Mysql settings:
includes:
libs:
Pgsql settings:
includes:
libs:
Defines:
-DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL
Compiler:
CFLAGS -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/
LDFLAGS -lm -lpthread -lpcre2-8 -lGeoIP -lssl -lcrypto -lz
CC cc
MAKE make
make[1]: Leaving directory '/usr/local/src/ossec-hids-3.6.0/src'
Done building local
./init/adduser.sh ossec ossecm ossecr ossec /var/ossec
Wait for success...
success
install -m 0550 -o root -g ossec -d /var/ossec/
install -m 0750 -o ossec -g ossec -d /var/ossec/logs
install -m 0660 -o ossec -g ossec /dev/null /var/ossec/logs/ossec.log
install -m 0550 -o root -g 0 -d /var/ossec/bin
install -m 0550 -o root -g 0 ossec-logcollector /var/ossec/bin
install -m 0550 -o root -g 0 ossec-syscheckd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-execd /var/ossec/bin
install -m 0550 -o root -g 0 manage_agents /var/ossec/bin
install -m 0550 -o root -g 0 ../contrib/util.sh /var/ossec/bin/
install -m 0550 -o root -g 0 ./init/ossec-local.sh /var/ossec/bin/ossec-control
install -m 0550 -o root -g ossec -d /var/ossec/queue
install -m 0770 -o ossec -g ossec -d /var/ossec/queue/alerts
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/ossec
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/syscheck
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/diff
install -m 0550 -o root -g ossec -d /var/ossec/etc
install -m 0440 -o root -g ossec /etc/localtime /var/ossec/etc
install -m 0440 -o root -g ossec /etc/resolv.conf /var/ossec/etc
install -m 1550 -o root -g ossec -d /var/ossec/tmp
install -m 0640 -o root -g ossec -b ../etc/internal_options.conf /var/ossec/etc/
install -m 0770 -o root -g ossec -d /var/ossec/etc/shared
install -m 0640 -o ossec -g ossec rootcheck/db/*.txt /var/ossec/etc/shared/
install -m 0550 -o root -g ossec -d /var/ossec/active-response
install -m 0550 -o root -g ossec -d /var/ossec/active-response/bin
install -m 0550 -o root -g ossec -d /var/ossec/agentless
install -m 0550 -o root -g ossec agentlessd/scripts/* /var/ossec/agentless/
install -m 0700 -o root -g ossec -d /var/ossec/.ssh
install -m 0550 -o root -g ossec ../active-response/*.sh /var/ossec/active-response/bin/
install -m 0550 -o root -g ossec ../active-response/firewalls/*.sh /var/ossec/active-response/bin/
install -m 0550 -o root -g ossec -d /var/ossec/var
install -m 0770 -o root -g ossec -d /var/ossec/var/run
./init/fw-check.sh execute
install -m 0660 -o ossec -g ossec /dev/null /var/ossec/logs/active-responses.log
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/archives
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/alerts
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/firewall
install -m 0550 -o root -g 0 ossec-agentlessd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-analysisd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-monitord /var/ossec/bin
install -m 0550 -o root -g 0 ossec-reportd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-maild /var/ossec/bin
install -m 0550 -o root -g 0 ossec-remoted /var/ossec/bin
install -m 0550 -o root -g 0 ossec-logtest /var/ossec/bin
install -m 0550 -o root -g 0 ossec-csyslogd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-authd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-dbd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-makelists /var/ossec/bin
install -m 0550 -o root -g 0 verify-agent-conf /var/ossec/bin/
install -m 0550 -o root -g 0 clear_stats /var/ossec/bin/
install -m 0550 -o root -g 0 list_agents /var/ossec/bin/
install -m 0550 -o root -g 0 ossec-regex /var/ossec/bin/
install -m 0550 -o root -g 0 syscheck_update /var/ossec/bin/
install -m 0550 -o root -g 0 agent_control /var/ossec/bin/
install -m 0550 -o root -g 0 syscheck_control /var/ossec/bin/
install -m 0550 -o root -g 0 rootcheck_control /var/ossec/bin/
install -m 0750 -o ossec -g ossec -d /var/ossec/stats
install -m 0550 -o root -g ossec -d /var/ossec/rules
cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.installbackup
install -m 0640 -o root -g ossec -b ../etc/rules/*.xml /var/ossec/rules
install -m 0640 -o root -g ossec /var/ossec/rules/local_rules.xml.installbackup /var/ossec/rules/local_rules.xml
rm /var/ossec/rules/local_rules.xml.installbackup
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/fts
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/rootcheck
install -m 0750 -o ossecr -g ossec -d /var/ossec/queue/agent-info
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/agentless
install -m 0750 -o ossecr -g ossec -d /var/ossec/queue/rids
install -m 0640 -o root -g ossec ../etc/decoder.xml /var/ossec/etc/
rm -f /var/ossec/etc/shared/merged.mg
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at https://github.com/ossec/ossec-hids or using
our public maillist at
https://groups.google.com/forum/#!forum/ossec-list
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- New Forum User
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
I am intrigued by this error.
cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Tue 29 Jun 09:33:45 GMT 2021"
TYPE="local"
and interestingly
strace -e trace=open -f /var/ossec/bin/ossec-logtest
2021/06/29 09:47:05 ossec-testrule(1226): ERROR: Error reading XML file '/var/ossec/ossec-agent/etc/ossec.conf': XMLERR: File '/var/ossec/ossec-agent/etc/ossec.conf' not found. (line 0).
2021/06/29 09:47:05 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/ossec-agent/etc/ossec.conf'. Exiting.
+++ exited with 1 +++
So it appears it "thinks" it's hybrid. Let me dig deeper:
....
So after doing a "make clean" in the same src directory I have always used, it now installs properly.
Last edited by greenhouse on Tue Jun 29, 2021 6:20 am, edited 1 time in total.
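To catch a stale build like the one above before starting the daemons, here is an added check (not from the thread or from the OSSEC project): it reads TYPE from /etc/ossec-init.conf and looks inside the installed binaries for the hybrid-only /var/ossec/ossec-agent/etc path that the errors in this thread point at. Assumptions: a hybrid-built binary carries that path as a literal string, and the daemon names in DAEMONS are the ones worth checking.

```python
"""Added example: does the build flavour of the OSSEC binaries in
/var/ossec/bin match the TYPE recorded in /etc/ossec-init.conf?
A 'local' install whose binaries still look for
/var/ossec/ossec-agent/etc was built from stale object files."""
import re
from pathlib import Path

# Path the thread's errors point at; assumed to be embedded as a literal
# string only in binaries compiled for a hybrid install.
HYBRID_AGENT_DIR = b"/var/ossec/ossec-agent/etc"
# Assumed subset of daemons to inspect (all appear in the install log above).
DAEMONS = ("ossec-analysisd", "ossec-logtest", "ossec-syscheckd")


def parse_init_conf(text: str) -> dict:
    """Parse KEY="value" lines of /etc/ossec-init.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.fullmatch(r'\s*([A-Z_]+)="([^"]*)"\s*', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def binary_expects_hybrid_layout(blob: bytes) -> bool:
    """True if the compiled binary carries the hybrid/agent config path."""
    return HYBRID_AGENT_DIR in blob


def mismatches(init_text: str, binaries: dict) -> list:
    """Names of binaries whose embedded layout disagrees with TYPE.
    `binaries` maps daemon name -> raw file contents (bytes)."""
    wants_hybrid = parse_init_conf(init_text).get("TYPE", "") == "hybrid"
    return sorted(name for name, blob in binaries.items()
                  if binary_expects_hybrid_layout(blob) != wants_hybrid)


def check_installation(init_conf="/etc/ossec-init.conf",
                       bindir="/var/ossec/bin") -> list:
    """Run the check read-only against a live host."""
    binaries = {name: Path(bindir, name).read_bytes()
                for name in DAEMONS if Path(bindir, name).exists()}
    return mismatches(Path(init_conf).read_text(), binaries)


if __name__ == "__main__":
    bad = check_installation()
    if bad:
        print("binaries disagree with ossec-init.conf TYPE:", ", ".join(bad))
        print("likely a stale build: run 'make clean' in src/ and rerun install.sh")
    else:
        print("binaries match the installation type")
```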
- New Forum User
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
Ah sorry, I promise, last email.
I just realized how much I missed its emails...
Great tool, I really appreciate it.
Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf
So is everything working properly now?