Hi,

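It looks like you have another instance of *authd* running, which is why the new one cannot bind to the port (your netstat output shows ossec-authd already listening on 1515):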

2017/06/16 06:06:33 ossec-authd: Unable to bind to port 1515


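Kill the running authd and start it again. Then register your agent and restart the agent. The SSL "wrong version number" error appears when a plain-text client such as telnet connects to authd's TLS port, so it does not by itself indicate a fault.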

I hope it helps.

On Friday, June 16, 2017 at 2:50:01 PM UTC+2, Arvind Lavania wrote:
>
> Hi,
>
> I have installed OSSEC SERVER on Centos 6.9. everything is working as 
> expected.
>
> One error i am noticing in my logs from client server. client server is 
> running on Centos 6.9
>
> Details From OSSEC-Server/Manager
>
> [root@al ~]# /var/ossec/bin/ossec-authd -v /var/ossec/etc/sslmanager.cert 
> -d
>
> 2017/06/16 06:06:33 ossec-authd: DEBUG: Starting ...
>
> 2017/06/16 06:06:33 ossec-authd: INFO: Started (pid: 6097).
>
> 2017/06/16 06:06:33 ossec-authd: DEBUG: Peer verification requested.
>
> 2017/06/16 06:06:33 ossec-authd: DEBUG: Returning CTX for server.
>
> 2017/06/16 06:06:33 ossec-authd: Unable to bind to port 1515
>
>
> [root@al ~]# tcpdump -i eth0 port 1515 -vv
>
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
> 65535 bytes
>
> 06:16:59.804739 IP (tos 0x10, ttl 64, id 31414, offset 0, flags [DF], 
> proto TCP (6), length 60)
>
>     10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [S], cksum 0xfcd2 
> (correct), seq 3432935783, win 17922, options [mss 8961,sackOK,TS val 
> 1444817 ecr 0,nop,wscale 6], length 0
>
> 06:16:59.804780 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP 
> (6), length 60)
>
>     10.24.211.37.ifor-protocol > 10.24.211.130.56622: Flags [S.], cksum 
> 0x27c1 (correct), seq 1407314966, ack 3432935784, win 17898, options [mss 
> 8961,sackOK,TS val 1348875 ecr 1444817,nop,wscale 7], length 0
>
> 06:16:59.805215 IP (tos 0x10, ttl 64, id 31415, offset 0, flags [DF], 
> proto TCP (6), length 52)
>
>     10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [.], cksum 0xb8aa 
> (correct), seq 1, ack 1, win 281, options [nop,nop,TS val 1444818 ecr 
> 1348875], length 0
>
> 06:17:02.704313 IP (tos 0x10, ttl 64, id 31416, offset 0, flags [DF], 
> proto TCP (6), length 57)
>
>     10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [P.], cksum 
> 0xa757 (correct), seq 1:6, ack 1, win 281, options [nop,nop,TS val 1447717 
> ecr 1348875], length 5
>
> 06:17:02.704397 IP (tos 0x0, ttl 64, id 31004, offset 0, flags [DF], proto 
> TCP (6), length 52)
>
>     10.24.211.37.ifor-protocol > x.x.x.130.56622: Flags [.], cksum 0xa28c 
> (correct), seq 1, ack 6, win 140, options [nop,nop,TS val 1351774 ecr 
> 1447717], length 0
>
> 2017/06/16 06:17:02 ossec-authd: ERROR: SSL Error (-1)
>
> 140489331664744:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
> number:s3_pkt.c:350:
>
> 06:17:02.713275 IP (tos 0x0, ttl 64, id 31005, offset 0, flags [DF], proto 
> TCP (6), length 52)
>
>
>
> [root@al ~]# netstat -tunlp
>
> Active Internet connections (only servers)
>
> Proto Recv-Q Send-Q Local Address               Foreign Address           
>   State       PID/Program name   
>
> tcp        0      0 0.0.0.0:9654                0.0.0.0:*                 
>   LISTEN      5939/python         
>
> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                 
>   LISTEN      1089/sshd           
>
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                 
>   LISTEN      1187/master         
>
> tcp        0      0 :::1515                     :::*                      
>   LISTEN      6360/ossec-authd    
>
> tcp        0      0 :::22                       :::*                      
>   LISTEN      1089/sshd           
>
> tcp        0      0 ::1:25                      :::*                      
>   LISTEN      1187/master         
>
> udp        0      0 0.0.0.0:68                  0.0.0.0:*                 
>               829/dhclient        
>
> udp        0      0 :::1514                     :::*                      
>               6485/ossec-remoted  
>
>
> [root@al ~]# lsof -P -c ossec-remoted
>
> COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF   NODE NAME
>
> ossec-rem 6485 ossecr  cwd    DIR              202,1     4096 401636 
> /var/ossec
>
> ossec-rem 6485 ossecr  rtd    DIR              202,1     4096 401636 
> /var/ossec
>
> ossec-rem 6485 ossecr  txt    REG              202,1   231568   6005 
> /var/ossec/bin/ossec-remoted
>
> ossec-rem 6485 ossecr  mem    REG              202,1    66432 264229 
> /lib64/libnss_files-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1   122056 264206 
> /lib64/libselinux.so.1
>
> ossec-rem 6485 ossecr  mem    REG              202,1   111440 264239 
> /lib64/libresolv-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1    10192 267113 
> /lib64/libkeyutils.so.1.3
>
> ossec-rem 6485 ossecr  mem    REG              202,1    43728 267126 
> /lib64/libkrb5support.so.0.1
>
> ossec-rem 6485 ossecr  mem    REG              202,1   174840 267122 
> /lib64/libk5crypto.so.3.1
>
> ossec-rem 6485 ossecr  mem    REG              202,1    14664 264654 
> /lib64/libcom_err.so.2.1
>
> ossec-rem 6485 ossecr  mem    REG              202,1   946048 267124 
> /lib64/libkrb5.so.3.3
>
> ossec-rem 6485 ossecr  mem    REG              202,1   277704 267118 
> /lib64/libgssapi_krb5.so.2.2
>
> ossec-rem 6485 ossecr  mem    REG              202,1  1924768 264213 
> /lib64/libc-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1  1971488 267162 
> /usr/lib64/libcrypto.so.1.0.1e
>
> ossec-rem 6485 ossecr  mem    REG              202,1   443416 267164 
> /usr/lib64/libssl.so.1.0.1e
>
> ossec-rem 6485 ossecr  mem    REG              202,1    44472 264241 
> /lib64/librt-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1    88600 264623 
> /lib64/libz.so.1.2.3
>
> ossec-rem 6485 ossecr  mem    REG              202,1    20024 264219 
> /lib64/libdl-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1   218880 280017 
> /usr/lib64/libGeoIP.so.1.6.9
>
> ossec-rem 6485 ossecr  mem    REG              202,1   143280 264237 
> /lib64/libpthread-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1   596864 264221 
> /lib64/libm-2.12.so
>
> ossec-rem 6485 ossecr  mem    REG              202,1   159232 264193 
> /lib64/ld-2.12.so
>
> ossec-rem 6485 ossecr    0u   CHR                1,3      0t0   3923 
> /dev/null
>
> ossec-rem 6485 ossecr    1u   CHR                1,3      0t0   3923 
> /dev/null
>
> ossec-rem 6485 ossecr    2u   CHR                1,3      0t0   3923 
> /dev/null
>
> ossec-rem 6485 ossecr    3u  IPv6             576376      0t0    UDP 
> *:1514 
>
> ossec-rem 6485 ossecr    4u  unix 0xffff88007bfe0780      0t0 576379 
> /queue/alerts/ar
>
> ossec-rem 6485 ossecr    5u  unix 0xffff88007bfe0b00      0t0 576399 
> socket
>
> ossec-rem 6485 ossecr    6u   REG              202,1        7   6196 
> /var/ossec/queue/rids/1024
>
> ossec-rem 6485 ossecr    7u   REG              202,1        6   6217 
> /var/ossec/queue/rids/sender_counter
>
>
> [root@al ~]#  lsof -P -a -i -c ossec-remoted
>
> COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>
> ossec-rem 6485 ossecr    3u  IPv6 576376      0t0  UDP *:1514 
>
>
> [root@al ~]# ps aux | grep oss
>
> root      5939  0.0  0.5 254816  9672 pts/0    Sl   06:05   0:00 
> /usr/bin/python /opt/auto-ossec/auto_server.py
>
> root     16049  0.0  0.1  44188  2840 pts/0    S    06:33   0:00 
> /var/ossec/bin/ossec-authd -p 1515
>
> ossecm   16157  0.0  0.0  46200   916 ?        S    06:33   0:00 
> /var/ossec/bin/ossec-maild
>
> root     16160  0.0  0.0  46692   888 ?        S    06:33   0:00 
> /var/ossec/bin/ossec-execd
>
> ossec    16165  0.0  0.1  45872  2836 ?        S    06:33   0:00 
> /var/ossec/bin/ossec-analysisd
>
> root     16169  0.0  0.0  42040   904 ?        S    06:33   0:00 
> /var/ossec/bin/ossec-logcollector
>
> root     16175  0.5  0.0  42640  1716 ?        S    06:33   0:03 
> /var/ossec/bin/ossec-syscheckd
>
> ossec    16178  0.0  0.0  44224   880 ?        S    06:33   0:00 
> /var/ossec/bin/ossec-monitord
>
> root     16396  0.0  0.0 103328   876 pts/0    S+   06:44   0:00 grep oss
> Here is the information from Agent-Server
>
> 2017/06/16 06:35:11 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
>
> 2017/06/16 06:35:12 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'ossec-server.al'.
>
> 2017/06/16 06:35:14 ossec-agentd: INFO: Trying to connect to server 
> ossec-server.al, port 1514.
>
> 2017/06/16 06:35:14 INFO: Connected to ossec-server.al at address 
> x.x.x.37, port 1514
>
> 2017/06/16 06:35:24 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
>
> 2017/06/16 06:35:36 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
>
>
> One more interesting thing i am noticing whenever i am hitting telnet from 
> my agent server
>
> [root@al-a ~]# telnet ossec-server.al 1515
>
> Trying x.x.x.37...
>
> Connected to ossec-server.al.
>
> Escape character is '^]'.  
>
>
> OSSEC SERVER/Manager showing this:
>
> [root@x.x.x-37 ~]# 2017/06/16 06:15:03 ossec-authd: ERROR: SSL Error (-1)
>
> 1404891111664744:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
> number:s3_pkt.c:350:
>
>
>
