Troubleshooting OSSEC
Common support issues for OSSEC/Atomic OSSEC
Frank Iacovino
fiacovino@atomicorp.com
Troubleshooting
#1 OSSEC HUB Installation
Processes Will Not Start After Install
This could be the awpd process for Atomic OSSEC, or remoted/analysisd.
This will usually happen when there is not enough space on the /var drive.
Check the drive and, if needed, provide more space to /var. Once completed, restart ossec-hids with:
systemctl start ossec-hids
Provisioning Space For Installation
When provisioning your HUB server, keep in mind the recommended minimum resources:
● Cores: 4 min, 8 recommended
● Memory: 16GB
● Storage: 1TB
  ○ For the /var partition, and dependent on specific retention requirements
Updating the HUB
Using Atomic OSSEC, the updating process is automated and easy. Check the UI settings:
Hub Configuration > General > Enable Automatic Updates
If the settings are correct, verify that you are able to connect to the Atomicorp update servers.
UI Will Not Load
● Check that the HUB is active
● Verify the awpwebd process is running
● Verify that port 30001 is open and accessible
● Check internal firewalls
Troubleshooting
#2 Agent Connectivity
Check the Status of the Agent
If there is a connection problem with an agent, check the status of the agent on the CLI with:
/var/ossec/bin/agent_control -l
This command will list all agents, active or not. Here is an example of what that output may look like:
[screenshot of the agent_control output on the original slide]
Look at the OSSEC Logs on the Disconnected Agent
Navigate to the log of the agent.
Linux: /var/ossec/logs/ossec.log
Windows: C:\Program Files (x86)\ossec-agent\ossec.log
Confirm the Communication Ports are Open
Verify Firewall Rules and/or Security Groups Allow the Connection
If you have the following message in the agent log:
2021/04/19 12:42:54 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:43:10 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:43:41 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:44:27 ossec-agentd(4101): Waiting for server reply (not started).
and nothing in the server log, you probably have a firewall between the two devices. Make sure to open port 1514 UDP between them (keeping state: the agent connects to the server and expects a reply back).
Confirm Packets on OSSEC HUB
Verify traffic is reaching your OSSEC manager by using tcpdump on the manager. OSSEC uses port 1514 by default, UDP protocol:
# tcpdump -i eth33 port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
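The agent checks on the slides above (list agents with agent_control, read the agent log, suspect a firewall on UDP/1514) as an added Python example; this is not code from the slides or from OSSEC, and the agent_control -l line format, host names and addresses are constructed assumptions.

```python
"""Triage helpers for the OSSEC agent-connectivity checks above.

Parses the output of `/var/ossec/bin/agent_control -l` to find agents that
are not Active, and scans an agent's ossec.log for the repeated
ossec-agentd(4101) "Waiting for server reply" message that points at a
blocked UDP/1514 path between agent and manager.
"""
import re
from collections import namedtuple

Agent = namedtuple("Agent", "id name ip status")

# One agent per line; the status field is whatever follows the IP.
_AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(.+)$")

# The message the slides show on an agent that cannot reach the manager.
_WAITING_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agentd\(4101\): "
    r"Waiting for server reply \(not started\)\."
)


def parse_agent_list(text):
    """Return a list of Agent tuples from `agent_control -l` output."""
    agents = []
    for line in text.splitlines():
        m = _AGENT_RE.search(line)
        if m:
            agents.append(Agent(m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return agents


def unhealthy_agents(text):
    """Agents whose status is not Active (e.g. Disconnected, Never connected)."""
    return [a for a in parse_agent_list(text) if not a.status.startswith("Active")]


def diagnose_agent_log(log_text, min_repeats=3):
    """Return a finding string if the log shows repeated 4101 waits, else None.

    A single 4101 line is normal right after start-up; a run of them with no
    matching activity on the manager is the firewall symptom from the slide.
    """
    matches = (_WAITING_RE.match(line) for line in log_text.splitlines())
    timestamps = [m.group(1) for m in matches if m]
    if len(timestamps) < min_repeats:
        return None
    return (f"{len(timestamps)} x ossec-agentd(4101) waits between {timestamps[0]} and "
            f"{timestamps[-1]}: agent never gets a reply; check that UDP/1514 to the "
            f"manager is open and that the firewall keeps state for the return packet")


# Constructed sample input in the agent_control -l layout (assumption: the
# "ID: n, Name: x, IP: y, Status" line format; adjust the regex if yours differs).
SAMPLE_AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: hub (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.1.10, Active
   ID: 002, Name: db01, IP: 10.0.2.20, Disconnected
   ID: 003, Name: app01, IP: any, Never connected
"""

# Constructed agent log, copying the lines quoted on the firewall slide.
SAMPLE_AGENT_LOG = """\
2021/04/19 12:42:54 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:43:10 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:43:41 ossec-agentd(4101): Waiting for server reply (not started).
2021/04/19 12:44:27 ossec-agentd(4101): Waiting for server reply (not started).
"""

if __name__ == "__main__":
    for a in unhealthy_agents(SAMPLE_AGENT_LIST):
        print(f"agent {a.id} ({a.name}, {a.ip}): {a.status}")
    print(diagnose_agent_log(SAMPLE_AGENT_LOG))
```

On a real HUB, feed it the live output (`subprocess.run(["/var/ossec/bin/agent_control", "-l"], ...)`) and the ossec.log copied from the disconnected agent.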
Troubleshooting
#3 Notifications and Emails
Not Receiving Notification Emails for Alerts?
Check that the email is configured.
The destination email address and mail host should be configured inside the <global> section of /var/ossec/etc/ossec.conf.
Remember to restart ossec-hids when making changes in the CLI.
Are Notifications Turned On?
In the HUB UI this can be configured at Hub Configuration > General > Enable email notifications.
In the CLI, you will find this setting in /var/ossec/etc/ossec.conf.
Is Postfix Configured Properly?
You will want to look at your /etc/postfix/main.cf configuration file and verify the settings are correct and that Postfix is running correctly.
There are many sources online for tutorials on setting up Postfix for your environment.
Troubleshooting
#4 FIM Troubles
Not Seeing FIM for a Certain Directory/Path
Is the path configured to be monitored?
This can be done easily in the Atomic OSSEC UI, or a directory can be added to the watch rules in /var/ossec/etc/ossec.conf under <syscheck>:
<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
</syscheck>
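An added Python example (not from the slides or from OSSEC) that parses ossec.conf with the standard library and answers both the notification questions from the previous section (is email_notification set to yes in <global>, with email_to and smtp_server present) and the FIM question on this slide (is a given path covered by a <directories> entry); the sample config is constructed from the slide's <syscheck> block plus the standard OSSEC email tags, and the example addresses are made up.

```python
"""Sanity checks on /var/ossec/etc/ossec.conf for email notifications and
syscheck coverage. The path check generalises the slide's question: a file
is monitored when it equals, or lies under, any configured directory entry.
"""
from pathlib import PurePosixPath
import xml.etree.ElementTree as ET


def load_ossec_conf(text):
    """Parse ossec.conf text into a list of <ossec_config> elements.

    ossec.conf may contain several top-level <ossec_config> blocks, which is
    not a single-root XML document, so wrap it before parsing.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("ossec_config")


def email_issues(configs):
    """Return a list of problems with the <global> email settings (empty = OK)."""
    enabled = False
    email_to = smtp = None
    for cfg in configs:
        g = cfg.find("global")
        if g is None:
            continue
        flag = g.findtext("email_notification")
        if flag is not None:
            enabled = flag.strip().lower() == "yes"
        email_to = g.findtext("email_to") or email_to
        smtp = g.findtext("smtp_server") or smtp
    issues = []
    if not enabled:
        issues.append("email_notification is not 'yes' in <global>")
    if not email_to:
        issues.append("<email_to> is missing from <global>")
    if not smtp:
        issues.append("<smtp_server> is missing from <global>")
    return issues


def monitored_paths(configs):
    """All paths listed in <syscheck><directories> entries (comma separated)."""
    paths = []
    for cfg in configs:
        for d in cfg.iterfind("syscheck/directories"):
            paths.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
    return paths


def is_path_monitored(configs, path):
    """True if `path` equals or lies under a configured directory entry.

    Comparison is by path component, so /etc covers /etc/passwd but not /etcetera.
    """
    target = PurePosixPath(path)
    return any(target == PurePosixPath(p) or PurePosixPath(p) in target.parents
               for p in monitored_paths(configs))


# Constructed config: the <syscheck> block from the slide plus a <global>
# section with the standard OSSEC email tags (assumption: a real file has
# more sections; only these two are inspected here).
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@hub.example.com</email_from>
  </global>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
  </syscheck>
</ossec_config>
"""

if __name__ == "__main__":
    configs = load_ossec_conf(SAMPLE_CONF)
    print("email issues:", email_issues(configs) or "none")
    for p in ("/etc/ssh/sshd_config", "/home/alice/.ssh/authorized_keys", "/etcetera"):
        print(p, "monitored" if is_path_monitored(configs, p) else "NOT monitored")
```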
How to Reach Out For Help
ossec.slack.com
atomicorp-support.slack.com
support@atomicorp.com
ossec.net
https://github.com/ossec
Questions, Comments, Concerns?