Bug 243723 - security/ossec-hids-agent: ossec-agentd: ERROR: msgbuf_write() error: Broken pipe (0x1)
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
 
Reported: 2020-01-30 10:25 UTC by Vinícius Zavam
Modified: 2020-02-12 15:43 UTC

Description Vinícius Zavam freebsd_committer 2020-01-30 10:25:15 UTC
ossec v3.5.0 does not work as expected under FreeBSD. rolling it back to the previous version (v3.3.0) fixes the problem.

# uname -UKrips
FreeBSD 12.1-STABLE amd64 GENERIC 1201510 1201510

# pkg info -x oss
ossec-hids-agent-3.5.0
ossec-hids-agent-config-3.5.0

# /usr/local/ossec-hids/bin/ossec-agentd -d -f
 ...
2020/01/30 11:14:04 ossec-agentd [dns]: ERROR: socket error
2020/01/30 11:14:04 ossec-agentd: INFO: Trying to connect to server 10.0.5.16, port 1514.
2020/01/30 11:14:04 ossec-agentd: ERROR: msgbuf_write() error: Broken pipe (0x1)
2020/01/30 11:14:04 ossec-agentd: WARN: n == 0
2020/01/30 11:14:04 ossec-agentd: WARN2: n == 0
2020/01/30 11:14:04 ossec-agentd: ERROR Wrong imsg type.
2020/01/30 11:14:04 ossec-agentd [dns]: ERROR: socket error
2020/01/30 11:14:04 ossec-agentd: INFO: Trying to connect to server 10.0.5.16, port 1514.
2020/01/30 11:14:04 ossec-agentd: ERROR: msgbuf_write() error: Broken pipe (0x1)
^C2020/01/30 11:14:04 ossec-agentd(1225): INFO: SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...

it's definitely *NOT* an issue with DNS config or packet filtering, since just reverting OSSEC to its previous version fixes the problem.
Comment 1 Vinícius Zavam freebsd_committer 2020-02-03 16:31:57 UTC
(In reply to Vinícius Zavam from comment #0)

# uname -UKrips
FreeBSD 12.1-RELEASE-p2 amd64 GENERIC 1201000 1201000

same behavior.

PS: 10.0.5.16 was replaced in the first comment; it contains a hostname.
Comment 2 Dominik Lisiak 2020-02-05 05:26:04 UTC
(In reply to Vinícius Zavam from comment #1)
Does it work if you use the IP of the server instead of hostname?
<ossec_config>
    <client>
        <server-ip>10.0.5.16</server-ip>
    </client>
</ossec_config>
Comment 3 Vinícius Zavam freebsd_committer 2020-02-12 14:06:04 UTC
(In reply to Dominik Lisiak from comment #2)

hi,
sorry it took a while for me to write feedback here.

I got a new machine for testing, using FreeBSD HEAD, a couple of days ago and had time for it today.
now it pops a different issue, no matter if I use a hostname or an IP addr :)
----------

root@pizza-hog:~ # uname -prinsUK
FreeBSD pizza-hog.invader-zim.irk 13.0-CURRENT amd64 GENERIC-NODEBUG 1300076 1300076

root@pizza-hog:~ # grep server\\- /usr/local/ossec-hids/etc/ossec.conf
    <server-ip>10.0.5.16</server-ip>

root@pizza-hog:~ # grep oss /var/log/messages
Feb 12 11:24:49 pizza-hog pkg[26508]: ossec-hids-agent-3.5.0 installed
Feb 12 11:24:49 pizza-hog pkg[26508]: ossec-hids-agent-config-3.5.0 installed

root@pizza-hog:~ # /usr/local/ossec-hids/bin/ossec-agentd -d -f
2020/02/12 15:03:05 ossec-agentd: DEBUG: Starting ...
2020/02/12 15:03:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2020/02/12 15:03:05 going daemon
2020/02/12 15:03:05 starting imsg stuff
2020/02/12 15:03:05 Creating socketpair()
2020/02/12 15:03:05 os_dns imsg_init()
2020/02/12 15:03:05 ossec-agentd [dns]: INFO: Starting osdns
2020/02/12 15:03:05 agentd imsg_init()
2020/02/12 15:03:05 ossec-agentd [dns]: INFO: Starting libevent.
2020/02/12 15:03:05 ossec-agentd(1410): INFO: Reading authentication keys file.
2020/02/12 15:03:05 ossec-agentd: OS_StartCounter: keysize: 1
2020/02/12 15:03:05 ossec-agentd: INFO: No previous counter available for 'pizza-hog.invader-zim.irk'.
2020/02/12 15:03:05 ossec-agentd: INFO: Assigning counter for agent pizza-hog.invader-zim.irk: '0:0'.
2020/02/12 15:03:05 ossec-agentd: INFO: Assigning sender counter: 0:31
2020/02/12 15:03:05 ossec-agentd: INFO: Started (pid: 12397).
2020/02/12 15:03:05 ossec-agentd: INFO: Server 1: 10.0.5.16
2020/02/12 15:03:05 ossec-agentd: INFO: Trying to connect to server 10.0.5.16, port 1514.
2020/02/12 15:03:05 INFO: Connected to 10.0.5.16 at address 10.0.5.16, port 1514
2020/02/12 15:03:05 ossec-agentd [dns]: DEBUG: n == 0
2020/02/12 15:03:05 ossec-agentd: WARN: n == 0
2020/02/12 15:03:05 ossec-agentd: DEBUG: agt->sock: 9
2020/02/12 15:03:26 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2020/02/12 15:03:26 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2020/02/12 15:03:36 ossec-agentd(4102): INFO: Connected to server 10.0.5.16, port 1514.
2020/02/12 15:03:36 ossec-agentd: DEBUG: Sending agent notification.
ld-elf.so.1: /usr/local/ossec-hids/bin/ossec-agentd: Undefined symbol "rand@FBSD_1.6"

root@pizza-hog:~ # echo $?
1
----------

[root@membrane ~]# /var/ossec/bin/agent_control -l | grep pizza
   ID: 1109, Name: pizza-hog.invader-zim.irk, IP: any, Never connected
Comment 4 Vinícius Zavam freebsd_committer 2020-02-12 15:43:00 UTC
(In reply to Vinícius Zavam from comment #3)

after a sharp update to a most recent version of HEAD, it seems to be working. I've got an 'ossec-agentd: DEBUG: Sending agent notification.' and on the server side, the agent is listed as Active now.

it still needs to be tested against stable/12 once again.