On Fri, Jun 16, 2017 at 7:39 PM, Anthony Egbujor <aegbu...@gmail.com> wrote:
> Thank you, I realized that I did not let the udp 1514 port through the
> firewall. It is working, but I now have one final issue. It is doing
> everything it is now supposed to, however, the agent is now only triggering
> alerts and notifying the server of it starting up. It does not trigger
> alerts for creating, modifying or deleting files. I have the 3 rules enabled
> in local_rules file, auto ignore is off and alert new file is on. What could
> I be doing wrong?
>

Check the ossec.log on the agent for messages about which directories
will be monitored.
If the files you're modifying are in those directories, check the md5
hash and compare it to the hash on the server in the agent's syscheck
file (/var/ossec/queue/syscheck/agent something or other). Is the file
listed there? Is the md5 correct?

> On Wednesday, June 14, 2017 at 2:26:11 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 13, 2017 at 4:01 PM, Anthony Egbujor <aegb...@gmail.com>
>> wrote:
>> > Hello. I have an issue. I am able to proct alerts and have it sent to my
>> > email, but I am having trouble getting the server to communicate with
>> > the
>> > agent. I already set the agent IP as the allowed IP in secure in server,
>> > set
>> > the client with the right IP and port, and already extracted the key and
>> > imported it into the agent, but the agent still cannot connect to
>> > server.
>> >
>> >
>> > Error:
>> >
>> > 2017/06/13 11:38:15 ossec-agentd: INFO: Using IPv4 for: (ServerIP).
>> >
>> > 2017/06/13 11:38:25 ossec-agentd(1218): ERROR: Unable to send message to
>> > server.
>> >
>> > 2017/06/13 11:38:37 ossec-agentd(1218): ERROR: Unable to send message to
>> > server.
>> >
>> > 2017/06/13 11:38:38 ossec-agentd(4101): WARN: Waiting for server reply
>> > (not
>> > started). Tried: (ServerIP).
>> >
>>
>> Are there any errors in the server's ossec.log? Restart the server
>> processes in debug mode if necessary.
>> Use tcpdump to see if the agent's traffic is making it to the server
>> (from the expected source IP address).
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.