ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

ERROR: SSL read (unable to receive message) OSSEC #2099

Open manoj0772 opened 10 months ago

manoj0772 commented 10 months ago

From OSSEC Server :-
[root@psappl215 ~]# /services/ossec/bin/ossec-authd -p 1515
[root@psappl215 ~]#

LOGS BELOW :-
023/08/24 13:57:10 ossec-authd: INFO: Started (pid: 2034).
2023/08/24 13:57:10 Accepting connections. Using password specified on file: /services/ossec//etc/authd.pass
2023/08/24 13:57:10 IPv4: 0.0.0.0 on port 1515
2023/08/24 13:57:10 Request for TCP listen() succeeded.
2023/08/24 13:57:10 Socket bound for IPv4: 0.0.0.0 on port 1515

[root@psappl215 logs]# netstat -tuplen | grep ossec
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 0 36054 2034/ossec-authd
[root@psappl215 logs]#

From OSSEC Agent :-

[root@psappl216 ~]# /var/ossec/bin/agent-auth -m 10.x.x.x -p 1515 -P /var/ossec/etc/authd.pass
2023/08/24 13:59:17 ossec-authd: INFO: Started (pid: 2122).
INFO: Using specified password.
2023/08/24 13:59:17 INFO: Connected to 10.x.x.x at address 10.x.x.x, port 1515
INFO: Connected to 10.x.x.x.:1515
INFO: Using agent name as: psappl216.jewelry.acn
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
ERROR: SSL read (unable to receive message)
[root@psappl216 ~]#

Agent logs show only this info:
2023/08/24 13:59:17 ossec-authd: INFO: Started (pid: 2122).
2023/08/24 13:59:17 INFO: Connected to 10.x.x.x at address 10.x.x.x, port 1515

Any idea about the error "ERROR: SSL read (unable to receive message)"? I have checked all logs and debug output, but there is not much information. I can see the client key is created on the OSSEC server, but it is having an issue sending data and communicating back.

Running latest OSSEC version 3.7 on both SERVER and AGENT.

[root@psappl216 ~]# cat /var/ossec/etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v3.7.0"
DATE="Wed Aug 23 02:03:53 PM EDT 2023"
TYPE="agent"

rolf-d2i commented 8 months ago

You can replicate this error on Docker running on an M2 Mac when emulating AMD64 (because ARM support is missing). Probably the error can be replicated in any Docker environment with a default Docker network. Install an OSSEC server and a client on two different Docker instances and try:

/var/ossec/bin/agent-auth -m -A
023/11/09 12:26:30 ossec-authd: INFO: Started (pid: 133).
WARN: No authentication password provided. Insecure mode started.
2023/11/09 12:26:30 INFO: Connected to at address 10.1.0.18, port 1515
INFO: Connected to :1515
INFO: Using agent name as:
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
ERROR: SSL read (unable to receive message)

The key is created on the server correctly, it appears, as it can be listed on the ossec-server. The issue was not present in the previous version of OSSEC.