After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf'

greenhouse
New Forum User
Posts: 4
Joined: Mon Jun 28, 2021 6:35 am

After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf'

Unread post by greenhouse »

Hi,

I have been an OSSEC user for many, many years and it's a great product.

With the latest version I keep having this problem that it doesn't want to start at all.
It's a fresh, "local" install and I moved my old, somewhat broken, install out of the way.

I am on Debian 10.10 and I install it via "USE_GEOIP=yes ./install.sh". The following output looks ok, and it says
"Configuration finished properly.".

When starting via

/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
ossec-analysisd: Configuration error. Exiting.

Then I do a /var/ossec/bin/ossec-analysisd -t

2021/06/28 10:40:08 ossec-analysisd(1103): ERROR: Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf' due to [(2)-(No such file or directory)].
2021/06/28 10:40:08 ossec-analysisd(2301): ERROR: Definition not found for: 'analysisd.debug'.

With any previous install an upgrade was literally just the ./install.sh. What has changed now? What am I missing here, please?
Why does it now require an ossec-agent directory? In my old install that file was in etc/.
I tried to copy the file to the "new place", but then it complains about ar.conf, and I have no idea what's going on in there.

Why has it changed so significantly that it doesn't even start on a fresh install? It also doesn't say anything about having to create that file.
There is still an internal_options.conf in the new etc/ directory.

What can I do to get it going again?


Regards

Tom
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by scott »

Did you pick "hybrid" by some chance? Or did you have a hybrid install before? This part here:

2021/06/28 10:40:08 ossec-analysisd(1103): ERROR: Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf' due to [(2)-(No such file or directory)].

See how it says /var/ossec/ossec-agent; that is something a hybrid install would create.
greenhouse
New Forum User
Posts: 4
Joined: Mon Jun 28, 2021 6:35 am

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by greenhouse »

I might have tried that in a much earlier attempt to get it working again.
This particular run I definitely chose "local".
greenhouse
New Forum User
Posts: 4
Joined: Mon Jun 28, 2021 6:35 am

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by greenhouse »

I just ran USE_GEOIP=yes ./install.sh again, please see below.
It seems this forum has a problem with its SPF record:
2021-06-28 10:29:32 H=(www3.atomicorp.com) [74.208.64.153]:34686 I=[XXXX]:25
X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<atomicforums@forums.atomicorp.com> rejected RCPT
<tom@preissler.co.uk>: SPF check failed.

The install is definitely done as "local", but when starting it, it thinks it's hybrid.
I have now cleared /var/ossec and still get the same behaviour.


  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: 
 OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 
  - System: Linux XXXX 4.19.0-17-amd64
  - User: XXXX
  - Host: XXXX


  -- Press ENTER to continue or Ctrl-C to abort. --

 - You already have OSSEC installed. Do you want to update it? (y/n): 

1- What kind of installation do you want (server, agent, local, hybrid or help)? 
  - Local installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: 
    - Installation will be made at  /var/ossec .

    - The installation directory already exists. Should I delete it? (y/n) [y]: 
3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:    - What's your e-mail address?    - What's your e-mail address? 
   - We found your SMTP server as: XXXX
   - Do you want to use it? (y/n) [y]: 
   --- Using SMTP server:  XXXX

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 
   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 
   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       
   - Do you want to enable active response? (y/n) [y]: 
     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: 
     - firewall-drop enabled (local) for levels >= 6

   - 
      - XXXX
      - XXXX

   - Do you want to add more IPs to the white list? (y/n)? [n]: 
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/dpkg.log
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   
   
   --- Press ENTER to continue ---
                            

5- Installing the system
 - Running the Makefile
make settings
make[1]: Entering directory '/usr/local/src/ossec-hids-3.6.0/src'

General settings:
    TARGET:           local
    V:                
    DEBUG:            
    DEBUGAD:          
    PREFIX:           /var/ossec
    MAXAGENTS:        2048
    REUSE_ID:         no
    DATABASE:         
    ONEWAY:           no
    CLEANFULL:        no
User settings:
    OSSEC_GROUP:      ossec
    OSSEC_USER:       ossec
    OSSEC_USER_MAIL:  ossecm
    OSSEC_USER_REM:   ossecr
ZLIB settings:
    ZLIB_SYSTEM:      yes
    ZLIB_INCLUDE:     
    ZLIB_LIB:         os_zlib.a
PCRE2 settings:
    PCRE2_SYSTEM:     yes
    PCRE2_INCLUDE:    
Lua settings:
    LUA_PLAT:         posix
    LUA_ENABLE:       no
USE settings:
    USE_ZEROMQ:       no
    USE_GEOIP:        yes
    USE_PRELUDE:      no
    USE_OPENSSL:      auto
    USE_INOTIFY:      no
    USE_SQLITE:       
    USE_PCRE2_JIT:    yes
Mysql settings:
    includes:         
    libs:             
Pgsql settings:
    includes:         
    libs:             
Defines:
    -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL
Compiler:
    CFLAGS          -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/
    LDFLAGS          -lm -lpthread -lpcre2-8 -lGeoIP -lssl -lcrypto -lz
    CC              cc
    MAKE            make
make[1]: Leaving directory '/usr/local/src/ossec-hids-3.6.0/src'

Done building local

make settings
make[1]: Entering directory '/usr/local/src/ossec-hids-3.6.0/src'

General settings:
    TARGET:           local
    V:                
    DEBUG:            
    DEBUGAD:          
    PREFIX:           /var/ossec
    MAXAGENTS:        2048
    REUSE_ID:         no
    DATABASE:         
    ONEWAY:           no
    CLEANFULL:        no
User settings:
    OSSEC_GROUP:      ossec
    OSSEC_USER:       ossec
    OSSEC_USER_MAIL:  ossecm
    OSSEC_USER_REM:   ossecr
ZLIB settings:
    ZLIB_SYSTEM:      yes
    ZLIB_INCLUDE:     
    ZLIB_LIB:         os_zlib.a
PCRE2 settings:
    PCRE2_SYSTEM:     yes
    PCRE2_INCLUDE:    
Lua settings:
    LUA_PLAT:         posix
    LUA_ENABLE:       no
USE settings:
    USE_ZEROMQ:       no
    USE_GEOIP:        yes
    USE_PRELUDE:      no
    USE_OPENSSL:      auto
    USE_INOTIFY:      no
    USE_SQLITE:       
    USE_PCRE2_JIT:    yes
Mysql settings:
    includes:         
    libs:             
Pgsql settings:
    includes:         
    libs:             
Defines:
    -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL
Compiler:
    CFLAGS          -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/
    LDFLAGS          -lm -lpthread -lpcre2-8 -lGeoIP -lssl -lcrypto -lz
    CC              cc
    MAKE            make
make[1]: Leaving directory '/usr/local/src/ossec-hids-3.6.0/src'

Done building local

./init/adduser.sh ossec ossecm ossecr ossec /var/ossec
Wait for success...
success
install -m 0550 -o root -g ossec -d /var/ossec/
install -m 0750 -o ossec -g ossec -d /var/ossec/logs
install -m 0660 -o ossec -g ossec /dev/null /var/ossec/logs/ossec.log
install -m 0550 -o root -g 0 -d /var/ossec/bin
install -m 0550 -o root -g 0 ossec-logcollector /var/ossec/bin
install -m 0550 -o root -g 0 ossec-syscheckd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-execd /var/ossec/bin
install -m 0550 -o root -g 0 manage_agents /var/ossec/bin
install -m 0550 -o root -g 0 ../contrib/util.sh /var/ossec/bin/
install -m 0550 -o root -g 0 ./init/ossec-local.sh /var/ossec/bin/ossec-control
install -m 0550 -o root -g ossec -d /var/ossec/queue
install -m 0770 -o ossec -g ossec -d /var/ossec/queue/alerts
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/ossec
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/syscheck
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/diff
install -m 0550 -o root -g ossec -d /var/ossec/etc
install -m 0440 -o root -g ossec /etc/localtime /var/ossec/etc
install -m 0440 -o root -g ossec /etc/resolv.conf /var/ossec/etc
install -m 1550 -o root -g ossec -d /var/ossec/tmp
install -m 0640 -o root -g ossec -b ../etc/internal_options.conf /var/ossec/etc/
install -m 0770 -o root -g ossec -d /var/ossec/etc/shared
install -m 0640 -o ossec -g ossec rootcheck/db/*.txt /var/ossec/etc/shared/
install -m 0550 -o root -g ossec -d /var/ossec/active-response
install -m 0550 -o root -g ossec -d /var/ossec/active-response/bin
install -m 0550 -o root -g ossec -d /var/ossec/agentless
install -m 0550 -o root -g ossec agentlessd/scripts/* /var/ossec/agentless/
install -m 0700 -o root -g ossec -d /var/ossec/.ssh
install -m 0550 -o root -g ossec ../active-response/*.sh /var/ossec/active-response/bin/
install -m 0550 -o root -g ossec ../active-response/firewalls/*.sh /var/ossec/active-response/bin/
install -m 0550 -o root -g ossec -d /var/ossec/var
install -m 0770 -o root -g ossec -d /var/ossec/var/run
./init/fw-check.sh execute
install -m 0660 -o ossec -g ossec /dev/null /var/ossec/logs/active-responses.log
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/archives
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/alerts
install -m 0750 -o ossec -g ossec -d /var/ossec/logs/firewall
install -m 0550 -o root -g 0 ossec-agentlessd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-analysisd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-monitord /var/ossec/bin
install -m 0550 -o root -g 0 ossec-reportd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-maild /var/ossec/bin
install -m 0550 -o root -g 0 ossec-remoted /var/ossec/bin
install -m 0550 -o root -g 0 ossec-logtest /var/ossec/bin
install -m 0550 -o root -g 0 ossec-csyslogd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-authd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-dbd /var/ossec/bin
install -m 0550 -o root -g 0 ossec-makelists /var/ossec/bin
install -m 0550 -o root -g 0 verify-agent-conf /var/ossec/bin/
install -m 0550 -o root -g 0 clear_stats /var/ossec/bin/
install -m 0550 -o root -g 0 list_agents /var/ossec/bin/
install -m 0550 -o root -g 0 ossec-regex /var/ossec/bin/
install -m 0550 -o root -g 0 syscheck_update /var/ossec/bin/
install -m 0550 -o root -g 0 agent_control /var/ossec/bin/
install -m 0550 -o root -g 0 syscheck_control /var/ossec/bin/
install -m 0550 -o root -g 0 rootcheck_control /var/ossec/bin/
install -m 0750 -o ossec -g ossec -d /var/ossec/stats
install -m 0550 -o root -g ossec -d /var/ossec/rules
cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.installbackup
install -m 0640 -o root -g ossec -b ../etc/rules/*.xml /var/ossec/rules
install -m 0640 -o root -g ossec /var/ossec/rules/local_rules.xml.installbackup /var/ossec/rules/local_rules.xml
rm /var/ossec/rules/local_rules.xml.installbackup
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/fts
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/rootcheck
install -m 0750 -o ossecr -g ossec -d /var/ossec/queue/agent-info
install -m 0750 -o ossec -g ossec -d /var/ossec/queue/agentless
install -m 0750 -o ossecr -g ossec -d /var/ossec/queue/rids
install -m 0640 -o root -g ossec ../etc/decoder.xml /var/ossec/etc/
rm -f /var/ossec/etc/shared/merged.mg


 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at https://github.com/ossec/ossec-hids or using
    our public maillist at  
    https://groups.google.com/forum/#!forum/ossec-list

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---
    
greenhouse
New Forum User
Posts: 4
Joined: Mon Jun 28, 2021 6:35 am

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by greenhouse »

I am intrigued by this error.

cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Tue 29 Jun 09:33:45 GMT 2021"
TYPE="local"

and interestingly

strace -e trace=open -f /var/ossec/bin/ossec-logtest
2021/06/29 09:47:05 ossec-testrule(1226): ERROR: Error reading XML file '/var/ossec/ossec-agent/etc/ossec.conf': XMLERR: File '/var/ossec/ossec-agent/etc/ossec.conf' not found. (line 0).
2021/06/29 09:47:05 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/ossec-agent/etc/ossec.conf'. Exiting.
+++ exited with 1 +++

So it appears it "thinks" it's hybrid. Let me dig deeper:

....

So after doing a "make clean" in the same src directory I have always used, it now installs properly.
Last edited by greenhouse on Tue Jun 29, 2021 6:20 am, edited 1 time in total.
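A post-install check for the failure mode described in this thread (installer says "local", but the linked daemons still carry the agent path from an earlier hybrid build). This is an added example, not code from the thread or from the OSSEC project; it assumes that a daemon compiled for a hybrid agent embeds the literal "<DIRECTORY>/ossec-agent" as a string, while a local or server build embeds only "<DIRECTORY>".

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): after ./install.sh,
# verify that the installed daemons were compiled for the install type recorded
# in /etc/ossec-init.conf, before running ossec-control start.
# Assumption: a daemon built for a hybrid agent embeds "<DIRECTORY>/ossec-agent"
# (its compile-time DEFAULTDIR) as a string literal; a local/server build does not.

# Print the install type the installer recorded (TYPE="local", "hybrid", ...).
ossec_install_type() {
    # $1: path to ossec-init.conf
    sed -n 's/^TYPE="\(.*\)"$/\1/p' "$1"
}

# Return 0 if the binary contains no path under $2/ossec-agent,
# 1 if it does (object files from an earlier hybrid/agent build were linked in).
binary_matches_prefix() {
    # $1: binary, $2: DIRECTORY from ossec-init.conf
    if grep -a -q -F "$2/ossec-agent" "$1"; then
        return 1
    fi
    return 0
}

# Walk $DIRECTORY/bin and report every ossec-* daemon that disagrees with TYPE.
# Prints the stale binaries; returns 1 if any were found, 0 otherwise.
check_ossec_install() {
    initconf=$1
    dir=$(sed -n 's/^DIRECTORY="\(.*\)"$/\1/p' "$initconf")
    type=$(ossec_install_type "$initconf")
    rc=0
    case $type in
        local|server)
            for bin in "$dir"/bin/ossec-*; do
                [ -f "$bin" ] || continue
                if ! binary_matches_prefix "$bin" "$dir"; then
                    echo "stale build: $bin references $dir/ossec-agent;" \
                         "run 'make clean' in src/ and rerun ./install.sh"
                    rc=1
                fi
            done
            ;;
        *)
            echo "install type '$type' uses its own layout; nothing checked"
            ;;
    esac
    return $rc
}

# Usage on a real system: only start OSSEC once the check and the
# daemon's own config test both pass.
# check_ossec_install /etc/ossec-init.conf && /var/ossec/bin/ossec-analysisd -t
```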
greenhouse
New Forum User
Posts: 4
Joined: Mon Jun 28, 2021 6:35 am

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by greenhouse »

Ah sorry, I promise, last email.
I just realized how much I missed its emails...

Great tool, I really appreciate it.
cponton
Atomicorp Staff - Site Admin
Posts: 61
Joined: Fri Oct 09, 2020 9:41 am

Re: After installing 3.6.0 it doesn't start due to Could not open file '/var/ossec/ossec-agent/etc/internal_options.conf

Unread post by cponton »

So is everything working properly now?