On Sun, Nov 22, 2015 at 11:13 PM,  <gregory.gilb...@oneclipboard.com> wrote:
> Hi, all. I'm at my wit's end here, so I'm hoping someone can help.
>
>
> I've got OSSEC installed in a server/agent configuration. The server itself
> works; I get email notifications from changes on it. The issue is that the
> agents won't connect to the server. Both the agents and the server have the
> same sslmanager cert and key.
>
>
> From the agents:
>
>
> root@ip-10-y:/var/ossec# ./bin/agent-auth -m 10.x -p 1514
> 2015/11/23 03:48:43 ossec-authd: INFO: Started (pid: 3050).
> 2015/11/23 03:48:43 ossec-authd: Unable to connect to 10.0.x:1514
>

agent-auth is supposed to register an agent to a server via
ossec-authd. Is ossec-authd running on the server? Is it really
listening on port 1514 (this is normally the port ossec-remoted is
listening on)?

If you're using ossec-authd/agent_auth, the workflow generally goes as follows:
1. Start ossec-authd listening on a port that ossec-remoted is not
listening on (1515 is default I believe).
2. Run agent-auth on the agent, telling it to connect to the server's
IP on the port ossec-authd is listening on.
3. Restart the OSSEC processes on the server (if this is the first
agent to be added to it).
4. Restart the OSSEC processes on the agent.

>
> When I try to restart OSSEC on the agents, I get this:
>
>
> ERROR: Authentication key file '/var/ossec/etc/client.keys' not found.
>
>
> IPTables are open:
>
>
> $ iptables -nL
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0            udp dpt:1514
>
>
> From the server debug (not sure if this is relevant):
>
>
> 2015/11/23 03:57:08 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
> not accessible: 'Connection refused'.
> 2015/11/23 03:57:08 ossec-analysisd(1301): ERROR: Unable to connect to
> active response queue.
>
>
> I've been able to get other OSSEC installs to work, so I'm not sure what's
> different with this one. Any help anyone has on this would be most helpful!
> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

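The agent-side half of the workflow in the reply above, as an added example that is not part of the original thread or OSSEC's own tooling. The function names are hypothetical, the 1515 default follows the reply's "I believe", and the binaries are assumed to live under /var/ossec as in the original post.

```shell
#!/bin/sh
# Agent-side registration helper (added example; function names are hypothetical).
# Server side, per the steps above: ossec-authd must already be running on a
# port other than ossec-remoted's, e.g.  /var/ossec/bin/ossec-authd -p 1515

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
REMOTED_PORT=1514   # port ossec-remoted normally listens on

# Reject the port ossec-remoted uses; agent-auth must talk to ossec-authd.
authd_port_ok() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -eq "$REMOTED_PORT" ]; then
        echo "port $1 is ossec-remoted's port, not ossec-authd's" >&2
        return 1
    fi
}

# A usable client.keys is non-empty and every line is "ID NAME IP KEY".
keys_file_ok() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    awk 'NF != 4 { bad = 1 } END { exit bad }' "$1" || {
        echo "malformed entry in $1" >&2; return 1; }
}

# Steps 2 and 4: register against ossec-authd, restart only if a key arrived.
register_agent() {
    server="$1"; port="${2:-1515}"
    authd_port_ok "$port" || return 1
    "$OSSEC_DIR/bin/agent-auth" -m "$server" -p "$port" || {
        echo "agent-auth failed; is ossec-authd listening on $server:$port?" >&2
        return 1; }
    keys_file_ok "$OSSEC_DIR/etc/client.keys" || return 1
    "$OSSEC_DIR/bin/ossec-control" restart
}

# Usage: sh register.sh <server-ip> [authd-port]
if [ "$#" -ge 1 ]; then register_agent "$@"; fi
```

Checking client.keys before the restart surfaces a failed registration at the step that caused it, rather than as the later "Authentication key file ... not found" error.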