Many records in ossec.log of type: 'queue/sockets/queue' not accessible: 'Message too long' AND 'queue/sockets/queue' not accessible: 'Bad file descriptor'

[JarkoFreeBsd]

Continue from https://www.reddit.com/r/freebsd/comments/1gwkb76/comment/m0pmpzq/

Modify src/headers/defs.h file into wazuh-manager port and change the following line from:
#define OS_MAXSTR OS_SIZE_65536
to
#define OS_MAXSTR OS_SIZE_1048576 

Environment: freebsd 14.2 , Wazuh 4.10.1, Two agents:

1. On opnsense ( freebsd 14.1) agent version 4.7.5
2. On windows server 2022 agent version 4.10.1

In process of making wazuh-manager issues with Python3 - module pip not installed fixed with python -m ensurepip --upgrade

After build and make install error when straining wazuh manager in wazuh-modulesd:
<jemalloc>: Error in dlsym(RTLD_NEXT, "pthread_create")
Abort trap (core dumped)
failure

Install again from pkg
Relapsing all binaries in /var/ossec/bin (except wazuh-modulesd and wazuh-db - this one did not start) with built ones from the port
Wazuh ecosystem starts and works but the errors are the same:

2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:121 at SendMSGAction(): ERROR: socketerr (not available).
2025/01/23 11:41:26 wazuh-remoted[7441] secure.c:802 at HandleSecureMessage(): ERROR: (1210): Queue 'queue/sockets/queue' not accessible: 'Bad file descriptor'
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:52 at StartMQWithSpecificOwnerAndPerms(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:53 at StartMQWithSpecificOwnerAndPerms(): DEBUG: (unix_domain) Maximum send buffer set to: '1048832'.
2025/01/23 11:41:26 wazuh-remoted[7441] secure.c:807 at HandleSecureMessage(): INFO: Successfully reconnected to 'queue/sockets/queue'
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:121 at SendMSGAction(): ERROR: socketerr (not available).
2025/01/23 11:41:26 wazuh-remoted[7441] secure.c:802 at HandleSecureMessage(): ERROR: (1210): Queue 'queue/sockets/queue' not accessible: 'Message too long'
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:52 at StartMQWithSpecificOwnerAndPerms(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:53 at StartMQWithSpecificOwnerAndPerms(): DEBUG: (unix_domain) Maximum send buffer set to: '1048832'.
2025/01/23 11:41:26 wazuh-remoted[7441] secure.c:807 at HandleSecureMessage(): INFO: Successfully reconnected to 'queue/sockets/queue'
2025/01/23 11:41:26 wazuh-remoted[7441] mq_op.c:121 at SendMSGAction(): ERROR: socketerr (not available).

The Wazuh is working normaly, exept the ossec.log is flooded.
Any ideas how to go further will be appreciated.
Thanks for all work!!!

[JarkoFreeBsd]

Quick and dirty! this work for me ( FreeBSD 14.2. and Wazuh-manager 4.10.1) Do not use in production. Buffer overflow may be exploited:
/usr/ports/security/wazuh-manager/work/wazuh-4.10.1/src/shared/mq_op.c

--- mq_op.c.original	2025-01-15 16:26:54.000000000 +0200
+++ mq_op.c	2025-01-31 01:02:01.000000000 +0200
@@ -80,8 +80,8 @@
 /* Send message primitive. */
 STATIC int SendMSGAction(int queue, const char *message, const char *locmsg, char loc) {
     int __mq_rcode;
-    char tmpstr[OS_MAXSTR + 1] = {0};
-    char loc_buff[OS_SIZE_8192 + 1] = {0};
+    char tmpstr[OS_MAXSTR + 4] = {0};
+    char loc_buff[OS_SIZE_32768 + 1] = {0};
     static int reported = 0;
 
     tmpstr[OS_MAXSTR] = '\0';
@@ -117,11 +117,11 @@
 
     if ((__mq_rcode = OS_SendUnix(queue, tmpstr, 0)) < 0) {
         /* Error on the socket */
-        if (__mq_rcode == OS_SOCKTERR) {
-            merror("socketerr (not available).");
-            close(queue);
-            return (-1);
-        }
+        // if (__mq_rcode == OS_SOCKTERR) {
+            // merror("socketerr (not available).");
+            // close(queue);
+            // return (0);
+        // }
 
         /* Unable to send. Socket busy */
         mdebug2("Socket busy, discarding message.");

[alonsobsd]

Continue from https://www.reddit.com/r/freebsd/comments/1gwkb76/comment/m0pmpzq/

Modify src/headers/defs.h file into wazuh-manager port and change the following line from:
#define OS_MAXSTR OS_SIZE_65536
to
#define OS_MAXSTR OS_SIZE_1048576 

Environment: freebsd 14.2 , Wazuh 4.10.1, Two agents:

1. On opnsense ( freebsd 14.1) agent version 4.7.5
2. On windows server 2022 agent version 4.10.1

In process of making wazuh-manager issues with Python3 - module pip not installed fixed with python -m ensurepip --upgrade

I cannot reproduce this issue. I have installed wazuh-manager from packages and ports and I have not had this issue

After build and make install error when straining wazuh manager in wazuh-modulesd:
<jemalloc>: Error in dlsym(RTLD_NEXT, "pthread_create")
Abort trap (core dumped)
failure

Install again from pkg Relapsing all binaries in /var/ossec/bin (except wazuh-modulesd and wazuh-db - this one did not start) with built ones from the port Wazuh ecosystem starts and works but the errors are the same:

I don't know if it is related to jmalloc error. I had a issue wazuh-modulesd. It was crashing on start. I changed at wazuh-manager ossec.conf config file <scan_on_start>yes</scan_on_start> to <scan_on_start>no</scan_on_start>. It was a workaround for this wazuh-manager issue.

[alonsobsd]

Quick and dirty! this work for me ( FreeBSD 14.2. and Wazuh-manager 4.10.1) Do not use in production. Buffer overflow may be exploited: /usr/ports/security/wazuh-manager/work/wazuh-4.10.1/src/shared/mq_op.c

--- mq_op.c.original	2025-01-15 16:26:54.000000000 +0200
+++ mq_op.c	2025-01-31 01:02:01.000000000 +0200
@@ -80,8 +80,8 @@
 /* Send message primitive. */
 STATIC int SendMSGAction(int queue, const char *message, const char *locmsg, char loc) {
     int __mq_rcode;
-    char tmpstr[OS_MAXSTR + 1] = {0};
-    char loc_buff[OS_SIZE_8192 + 1] = {0};
+    char tmpstr[OS_MAXSTR + 4] = {0};
+    char loc_buff[OS_SIZE_32768 + 1] = {0};
     static int reported = 0;
 
     tmpstr[OS_MAXSTR] = '\0';
@@ -117,11 +117,11 @@
 
     if ((__mq_rcode = OS_SendUnix(queue, tmpstr, 0)) < 0) {
         /* Error on the socket */
-        if (__mq_rcode == OS_SOCKTERR) {
-            merror("socketerr (not available).");
-            close(queue);
-            return (-1);
-        }
+        // if (__mq_rcode == OS_SOCKTERR) {
+            // merror("socketerr (not available).");
+            // close(queue);
+            // return (0);
+        // }
 
         /* Unable to send. Socket busy */
         mdebug2("Socket busy, discarding message.");

I'll try give me a time to review how could we fix it. Thanks for your PR

[JarkoFreeBsd]

Hi, Thank you for your work!
If you maintain this or you know port maintainer and have time ( which I suppose you have not), please alarm for the typo in
src\external\jemalloc\src\jemalloc.c, which produce warnings.
There should be comma(,) at the end in 1027 or 1028 should go on 1027
Thank you once again for your outstanding work!

1024 static const char *opts_explain[MALLOC_CONF_NSOURCES] = {
1025	"string specified via --with-malloc-conf",
1026	"string pointed to by the global variable malloc_conf",
1027          "\"name\" of the file referenced by the symbolic link named "
1028		    "/etc/malloc.conf",
1029        "value of the environment variable MALLOC_CONF"
1030	};