ERROR: Not compiled. Missing OpenSSL support with ossec-authd #1468

Open
kapoorkapoorm opened this issue Jul 19, 2018 · 10 comments
@kapoorkapoorm

kapoorkapoorm commented Jul 19, 2018

Hello,

I am looking to get ossec-authd to work. I've installed ossec-hids-2.8.3 on my Ubuntu machine and want to use ossec-authd for adding multiple agents to the OSSEC manager. Whenever I run /var/ossec/bin/ossec-authd -p 1515 on my server, I get the error below:

ERROR: Not compiled. Missing OpenSSL support.

I've already installed the package libssl-dev on my Ubuntu 16.04, but that doesn't help.

Can someone advise me something?

Thanks
Kapoorm

@kapoorkapoorm kapoorkapoorm changed the title ERROR: Not compiled. Missing OpenSSL support with OSSEC ERROR: Not compiled. Missing OpenSSL support with ossec-authd Jul 19, 2018
@zvanderbilt

Try reinstalling ossec. If you built ossec from source then you'll definitely need to rebuild it, assuming you installed libssl-dev after you noticed the error.

@ddpbsd
Member

ddpbsd commented Jul 19, 2018

Was there a make command for enabling openssl? It's been so long since I've had to use that version.

@kapoorkapoorm
Author

kapoorkapoorm commented Jul 25, 2018

Thanks very much for the reply, guys! Reinstalling did work, but I have a few questions on OSSEC.

I don't think real-time alerts are working. Every time I update a file on the agent, I get an alert almost 6-7 minutes later. Shouldn't it be instantaneous? Sometimes I get alerts and sometimes I don't. It seems to be flaky at times.

I have to install ossec on nearly 90 hosts for file integrity monitoring. As of now, I have installed a server and 2 agents.
The changes that I have made in ossec.conf on the server side for file monitoring/real-time alerting are:

<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>60</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>

<!-- Directories to check  (perform all possible verifications) -->
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

Added the alert_by_email option in ossec_rules.conf:

<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<options>alert_by_email</options>
<description>File added to the system.</description>
<group>syscheck,</group>

Added in local_rules.xml to get an alert for any new file added:

<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>

Changed the syscheck frequency on the agent side:

<frequency>60</frequency>

That's all I have done. Do I need to do anything else? Please let me know.

Also, after the automatic key exchange, I noticed by running ./agent_control -lc on the server that one of the agents couldn't be seen as active, although I could see its alerts in the alerts.log file.

Thanks in advance guys!!

@ddpbsd
Member

ddpbsd commented Jul 25, 2018

A frequency of 60 is way too small. I wouldn't set it to anything less than 300 seconds. While a full syscheck scan is running, realtime alerts will be disabled.

@kapoorkapoorm
Author

Hi guys, back again with an OSSEC issue.

I'm not satisfied with the alerts I'm getting on the ossec server. I want to run syscheck every 22 hours, but for testing purposes I have set the frequency to 300. So if I modify a file on the agent, after how long should I be able to see an alert in the alerts.log file as well as an email alert? I believe first of all it gets updated in the syscheck db on the server, then a few minutes later I can see it in alerts.log, and again a few minutes later an email alert. Sometimes I just don't see an alert if a file is updated. I noticed that if I modify a file on the ossec agent and restart the agent, ONLY THEN can I see an alert in the alerts.log file. So what should the ideal behaviour be in case syscheck runs every 22 hours, OR if it is set to run every 5 mins? How do I test it to be satisfied that everything is working fine? I can share the files with you.

My requirement is that whenever a file gets updated on the system, I should see an alert in alerts.log as well as receive an email alert.

Please help me, guys!!

@ddpbsd
Member

ddpbsd commented Aug 17, 2018

@kapoorkapoorm This should really be in a new issue. New issue, new issue.
With that said, 300 seconds may be too short of a time. It depends on how many files are being scanned and how long it takes to scan them. A longer frequency with the realtime option enabled could help speed it up (if your system supports this).
When you don't see anything in alerts.log, check the md5 or sha1 of the file and compare it to what's in the syscheck db (/var/ossec/queue/syscheck/(agent_name) IP_ADDRESS->syscheck). Does it match up, or did the change go unnoticed?
If you changed the file in the middle of a scan, that file could have been hashed already, and it has to wait for another scan to see the change.
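The comparison ddpbsd suggests above, scripted as an added example (this is not code from the thread or from the OSSEC project). It hashes the file as it is now on disk and checks the result against the md5/sha1 recorded in a syscheck db line; a mismatch means syscheck has not yet seen the change. The db line layout assumed here (`+++size:perm:uid:gid:md5:sha1 !mtime path`) and the sample file contents are constructed for the example, so check the layout against your own db file before relying on the parser.

```python
import hashlib
import os
import tempfile

# Assumed layout of one syscheck db line, constructed for this example
# (the db file on your manager may differ; adjust parse_db_line if so):
#   +++<size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
# The leading "+++" marks are check flags and are stripped before parsing.
# Paths containing spaces are not handled by this simple splitter.

def parse_db_line(line):
    """Return (path, md5, sha1) from one syscheck db line (assumed layout)."""
    attrs, _, rest = line.strip().partition(" ")
    _mtime, _, path = rest.partition(" ")   # rest is "!<mtime> <path>"
    fields = attrs.lstrip("+").split(":")
    if len(fields) < 6 or not path:
        raise ValueError("unexpected syscheck db line: %r" % line)
    return path, fields[4], fields[5]

def hash_file(path):
    """MD5 and SHA1 hex digests of the file currently on disk."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def compare(db_line, path_on_disk=None):
    """Compare the db entry with the file on disk.

    path_on_disk overrides the db path (useful when the db was copied off
    the manager). 'match' is False when the file changed after the recorded
    scan, i.e. the change has gone unnoticed by syscheck so far."""
    path, db_md5, db_sha1 = parse_db_line(db_line)
    cur_md5, cur_sha1 = hash_file(path_on_disk or path)
    return {
        "path": path,
        "db_md5": db_md5, "cur_md5": cur_md5,
        "db_sha1": db_sha1, "cur_sha1": cur_sha1,
        "match": db_md5 == cur_md5 and db_sha1 == cur_sha1,
    }

def demo():
    """Constructed scenario: db line recorded for the old content, then the file changes."""
    old = b"db.host=localhost\n"
    new = b"db.host=10.0.0.5\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test.properties")
        with open(path, "wb") as f:
            f.write(old)
        md5, sha1 = hash_file(path)
        # constructed db line carrying the hashes of the old content
        db_line = "+++%d:33188:1000:1000:%s:%s !1534842732 %s" % (len(old), md5, sha1, path)
        before = compare(db_line)["match"]
        with open(path, "wb") as f:
            f.write(new)
        after = compare(db_line)["match"]
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("unchanged file matches db:", before)   # True
    print("modified file matches db:", after)     # False
```

On a real manager you would feed `compare()` the line for the file in question taken from the agent's syscheck db and, if the db is read on the manager rather than on the agent, pass `path_on_disk` pointing at a copy of the agent's file.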

@atomicturtle
Member

300s wouldn't even be long enough to finish the starting scan. Effectively you've configured it to never finish / never work.

@kapoorkapoorm
Author

kapoorkapoorm commented Aug 21, 2018

I modified 2 files under /var/www, for which I could see alerts on the server, but when I modified a file under /home/test/qaenv/config*, I could see no alerts. The activity was done at 11:12 am (logs of which are also attached), and I did not receive any EMAIL ALERTS either!! Nor did I see any update in the last entry at /var/ossec/queue/diff/local/home/test/qaenv/config/test.properties. Am I doing something wrong?

Logs:

2018/08/21 11:12:12 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2018/08/21 11:12:12 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2018/08/21 11:12:12 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2018/08/21 11:12:12 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2018/08/21 11:12:12 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2018/08/21 11:12:12 ossec-execd: INFO: Started (pid: 28063).
2018/08/21 11:12:12 ossec-agentd: INFO: Using notify time: 30 and max time to reconnect: 90
2018/08/21 11:12:12 ossec-agentd(1410): INFO: Reading authentication keys file.
2018/08/21 11:12:12 ossec-agentd: INFO: Assigning counter for agent ossecsrv01: '1:4632'.
2018/08/21 11:12:12 ossec-agentd: INFO: Assigning sender counter: 1:8684
2018/08/21 11:12:12 ossec-agentd: INFO: Started (pid: 28067).
2018/08/21 11:12:12 ossec-agentd: INFO: Server IP Address: 10.12.1.11
2018/08/21 11:12:12 ossec-agentd: INFO: Trying to connect to server (10.12.1.11:1514).
2018/08/21 11:12:12 ossec-agentd: INFO: Using IPv4 for: 10.12.1.11 .
2018/08/21 11:12:12 ossec-logcollector(1905): INFO: No file configured to monitor.
2018/08/21 11:12:12 ossec-config: including file '/home/test/qaenv/config/test.properties' for processing
2018/08/21 11:12:12 ossec-config: including directory '/var/www' for processing (all files)
2018/08/21 11:12:12 ossec-rootcheck: Rootcheck disabled. Exiting.
2018/08/21 11:12:12 ossec-syscheckd: WARN: Rootcheck module disabled.
2018/08/21 11:12:13 ossec-agentd(4102): INFO: Connected to the server (10.12.1.11:1514).
2018/08/21 11:12:16 ossec-syscheckd: INFO: Started (pid: 28075).
2018/08/21 11:12:16 ossec-syscheckd: INFO: Monitoring directory: '/home/test/qaenv/config/test.properties'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home/test/qaenv/config/test.properties'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
2018/08/21 11:12:18 ossec-logcollector: INFO: Started (pid: 28071).
2018/08/21 11:13:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/08/21 11:13:18 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/08/21 11:13:18 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2018/08/21 11:13:18 ossec-syscheckd: INFO: Real time file monitoring started.
2018/08/21 11:13:18 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/08/21 11:13:30 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

Snapshot of the config file:

no
<!-- Default frequency, every 24 hours. It doesn't need to be higher
  -  on most systems and one a day should be enough.
  -->
<frequency>43200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>

<scan_time>23:00</scan_time>

<!-- Start scan on agent start -->
<scan_on_start>yes</scan_on_start>

<!-- Folders to monitor -->
<directories check_all="yes" report_changes="yes" realtime="yes">/home/test/qaenv/config#*.properties</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">/var/www</directories>
<ossec_config>

<!-- Ignore Section -->
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>

<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<client>
  <server-ip>10.12.1.11</server-ip>
  <notify_time>30</notify_time>
  <time-reconnect>90</time-reconnect>

Checked the entry in the syscheck db, and it has the old checksum.
We are just monitoring 2 directories with 4-5 files in them at the moment.
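Two points made earlier in the thread can be checked mechanically: ddpbsd's note that realtime alerts are suppressed while a full syscheck scan runs (so the frequency must be longer than the scan actually takes, and should not go below about 300 seconds), and atomicturtle's point that a frequency shorter than the scan itself never lets it finish. The script below is an added example, not code from the thread or from the OSSEC project: it reads the `<frequency>` and `<directories>` entries from a syscheck config fragment, measures scan duration from the "Starting syscheck scan" / "Ending syscheck scan" pairs in ossec.log lines, and reports what to fix. The config fragment and log lines embedded in it are constructed for the example (the second, longer scan is invented to show the failure case); point it at your own ossec.conf and ossec.log to check a real agent.

```python
import re
from datetime import datetime

# Constructed ossec.conf syscheck fragment mirroring the settings discussed in
# the thread (not a file from the reporter's system).
SYSCHECK_CONF = """
<syscheck>
  <frequency>300</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes" report_changes="yes" realtime="yes">/var/www</directories>
  <directories check_all="yes" report_changes="yes">/etc</directories>
</syscheck>
"""

# Constructed ossec.log lines in the format ossec-syscheckd writes; the
# second scan is invented to show a scan that outlasts the frequency.
OSSEC_LOG = """\
2018/08/21 11:13:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/08/21 11:13:18 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/08/21 11:13:30 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/08/21 16:13:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/08/21 16:21:05 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
"""

MIN_FREQUENCY = 300          # floor suggested in the thread, in seconds
TS = "%Y/%m/%d %H:%M:%S"     # timestamp prefix of every ossec.log line

def parse_frequency(conf):
    """Seconds between scheduled scans, or None if <frequency> is absent."""
    m = re.search(r"<frequency>\s*(\d+)\s*</frequency>", conf)
    return int(m.group(1)) if m else None

def realtime_directories(conf):
    """Split monitored paths into (realtime, not realtime) lists."""
    rt, non_rt = [], []
    for attrs, body in re.findall(r"<directories([^>]*)>([^<]+)</directories>", conf):
        paths = [p.strip() for p in body.split(",") if p.strip()]
        if re.search(r'realtime\s*=\s*"yes"', attrs):
            rt.extend(paths)
        else:
            non_rt.extend(paths)
    return rt, non_rt

def scan_durations(log):
    """Seconds per scan, pairing each 'Starting syscheck scan' with the next 'Ending'."""
    durations, start = [], None
    for line in log.splitlines():
        if "Starting syscheck scan" in line:
            start = datetime.strptime(line[:19], TS)
        elif "Ending syscheck scan" in line and start is not None:
            end = datetime.strptime(line[:19], TS)
            durations.append(int((end - start).total_seconds()))
            start = None
    return durations

def check(conf, log, floor=MIN_FREQUENCY):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    freq = parse_frequency(conf)
    if freq is None:
        findings.append("no <frequency> set; the default applies")
    else:
        if freq < floor:
            findings.append("frequency %ds is below the %ds floor" % (freq, floor))
        longest = max(scan_durations(log), default=0)
        if longest and freq <= longest:
            findings.append("frequency %ds is not longer than the longest observed scan (%ds); "
                            "realtime alerts are suppressed while a scan runs" % (freq, longest))
    _rt, non_rt = realtime_directories(conf)
    for path in non_rt:
        findings.append('%s has no realtime="yes"; changes wait for the next scheduled scan' % path)
    return findings

if __name__ == "__main__":
    for finding in check(SYSCHECK_CONF, OSSEC_LOG):
        print("-", finding)
```

With the constructed input the script reports two findings: the 300 s frequency does not outlast the 455 s scan, and /etc lacks `realtime="yes"`. Run against a real host, compare the longest duration it reports with the frequency you have set; that is the number the frequency has to exceed comfortably.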

@ddpbsd
Member

ddpbsd commented Aug 21, 2018

2018/08/21 11:12:16 ossec-syscheckd: INFO: Monitoring directory: '/home/test/qaenv/config/test.properties'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home/test/qaenv/config/test.properties'.
2018/08/21 11:12:16 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.

Were you modifying /home/test/qaenv/config/test.properties? It doesn't look like syscheckd is picking up any other files in that directory (I think)?

@kapoorkapoorm
Author

Yes, I did modify the file test.properties at 11:12 am and even got an alert for that after 30 mins, when I restarted the ossec agent. So I believe I got a few alerts after the ossec agent was restarted, but I should get the alerts even without the restart, although I got all the alerts for /var/www (without a restart) and those files were modified at the same time.
