[ossec-list] OSSEC Agents randomly disconnecting from Manager

2019-12-27 Thread Will Furstenau
Hi, I'm having a strange issue. I have agents that normally report to the 
manager just fine, but after an undetermined amount of time, this appears 
in the logs:

2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:51 ossec-logcollector: WARN: Process locked. Waiting for permission...
2019/12/16 13:20:55 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:20:55 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:21:16 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:22:12 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:22:12 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:22:33 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:23:47 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:23:47 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514

There's nothing in the manager logs to indicate any sort of issue, and 
other agents that are connected to the same manager keep on reporting fine. 
I have some agents that disconnect after a few hours, and others that have 
been connected for weeks without issue, though the large majority do end up 
disconnecting at some point. If I manually remove the agent from the 
manager, and then get a new key with `agent-auth` & `agent-authd` it 
continues working as normal. I've already tried configuring the 
`notify_time` to 60. I also have turned on debugging for a few agents, but 
due to the seeming randomness of the disconnects, I'd like to avoid waiting 
weeks to finally get a useful log / disconnect. The server is v3.3.0 and 
agents are generally either v3.2.0 or v3.3.0.

Also I'm aware I can try switching from UDP to TCP, however that would 
require reconfiguring 100s of servers across a half dozen environments, so 
I'd like to avoid doing that unless I'm certain it will be the fix.


-- 
This email and its attachments are confidential and may be privileged.  Any 
unauthorized use or disclosure is prohibited.  If you receive this email in 
error, please notify the sender and permanently delete the original without 
forwarding, making any copies or disclosing its contents. NextCapital is a 
brand name representing NextCapital Group, Inc. and its subsidiaries, 
NextCapital Software, Inc. and NextCapital Advisers, Inc. 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/6d4bbd12-8031-4be2-be52-0aeeecc4772f%40googlegroups.com.
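The log in this post shows the pattern worth alerting on from the manager side of a fleet: a "Server unavailable. Setting lock." line followed by repeated "Waiting for server reply (not started)" warnings, each paired with a "Trying to connect" / "Connected to" pair that, over UDP, only means the socket was set up. The following is an added Python example, not code from the thread or from OSSEC, that scans an agent's ossec.log for that pattern and reports how long the agent had been quiet before it noticed. It runs on a constructed copy of the posted log (SERVER-IP is the original poster's placeholder); the threshold, the window and the function names are choices made for this example.

```python
"""Flag an ossec-agentd reconnect loop in an agent's ossec.log.

Added example (not OSSEC code): the pattern from the thread is a
'Server unavailable. Setting lock.' line followed by repeated
'Waiting for server reply (not started)' warnings.  Over UDP the
'Connected to ...' line only means the socket was set up, so the
no-reply warnings are the signal worth alerting on.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, shortened from the log posted in the thread
# (SERVER-IP is the original poster's placeholder).
SAMPLE_LOG = """\
2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:51 ossec-logcollector: WARN: Process locked. Waiting for permission...
2019/12/16 13:20:55 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:20:55 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:21:16 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
LOCK = "Server unavailable. Setting lock."
NO_REPLY = "Waiting for server reply (not started)"


def parse(log_text):
    """Yield (timestamp, message) for every well-formed ossec.log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)


def find_reconnect_loops(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one finding per lock episode in which at least `threshold`
    no-reply warnings fall inside a sliding `window`.  Each finding records
    when the lock was set, how long the agent had been silent before it, and
    when the first no-reply warning appeared.
    """
    findings = []
    prev_ts = lock_ts = silent_for = None
    warn_times, reported = [], False
    for ts, msg in parse(log_text):
        if LOCK in msg:
            lock_ts = ts
            # Gap since the previous log line of any kind: in the posted log
            # the agent had been quiet for more than 11 hours.
            silent_for = ts - prev_ts if prev_ts else None
            warn_times, reported = [], False
        elif NO_REPLY in msg:
            warn_times = [t for t in warn_times if ts - t <= window] + [ts]
            if not reported and len(warn_times) >= threshold:
                reported = True  # fire once per lock episode
                findings.append({
                    "lock_at": lock_ts,
                    "silent_before_lock": silent_for,
                    "first_warning": warn_times[0],
                    "warnings_in_window": len(warn_times),
                })
        prev_ts = ts
    return findings


if __name__ == "__main__":
    for f in find_reconnect_loops(SAMPLE_LOG):
        print(f"reconnect loop: lock at {f['lock_at']}, silent for "
              f"{f['silent_before_lock']}, first no-reply at {f['first_warning']}")
```

Run it against a real agent's /var/ossec/logs/ossec.log by reading the file into `find_reconnect_loops`; the "silent_before_lock" value is the interesting one for the randomness described in the post, because it tells you how long before the lock the agent last logged anything at all.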


[ossec-list] OSSEC agents spooling

2019-11-13 Thread Buser85
Can somebody give some feedback in relation to the below, please?

In the event an OSSEC core server was to go offline for an extended period of 
time, will the agents keep storing syscheck alerts locally until the core comes 
back online?

If the agents do spool alert logs locally, the risk is disk space on the agents 
filling up. Any settings to prevent this?

Lastly, the local agent log OSSEC.log: any way to limit the size?

Thanks a lot.



Re: [ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-18 Thread dan (ddp)
On Thu, Jul 18, 2019 at 1:39 AM sunitha s  wrote:
>
> Hi All,
>
> I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC.
> I have installed OSSEC agents in the same network segment; the agents are
> connected and sending logs to the OSSEC server. I also installed agents in
> different network segments, and all the configuration is done properly (the
> agent IPs are pinging, the internal firewall is disabled). When I run the command
> /var/ossec/bin/manage-agents it lists all the agents from the different
> network segments, but when I run the command /var/ossec/bin/agent-control
> -l it shows the agent state as "NEVER CONNECTED".
>
>
> Can anyone help me connect the agents from the different network
> segments?
>

Make sure they aren't communicating by checking for alerts from the
not-connected agents.
Make sure the IP address that the OSSEC server sees the agents as is
the IP configured in manage_agents (no NAT).
Use tcpdump to make sure the traffic from the agent is making it to
the OSSEC server (default: port 1514 udp).
Check the agent's ossec.log for errors.
Check the server's ossec.log for errors.




[ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-17 Thread sunitha s
Hi All,

I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC.
I have installed OSSEC agents in the same network segment; the agents are 
connected and sending logs to the OSSEC server. I also installed agents in 
different network segments, and all the configuration is done properly (the 
agent IPs are pinging, the internal firewall is disabled). When I run the 
command /var/ossec/bin/manage-agents it lists all the agents from the 
different network segments, but when I run the command 
/var/ossec/bin/agent-control -l it shows the agent state as "NEVER 
CONNECTED".


Can anyone help me connect the agents from the different network 
segments?



Re: [ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker  wrote:
> OSSEC agents this morning were working without issue and then began
> reporting as Disconnected. Agent logs are returning the following error:
>
> 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for
> permission...
>
> 2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '.
>
> 2017/03/27 10:14:51 ossec-agent: INFO: Trying to connect to server (:1514).
>
> Nothing has changed on the server to the best of our knowledge. One anomaly
> we are seeing that may be related is the following when restarting Wazuh
> manager services:
>
>
> Deleting PID file '/var/ossec/var/run/ossec-remoted-4816.pid' not used...

Looks like remoted died. You might want to ask about this on the Wazuh
mailing list. They should be able to help you track it down.

> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> ossec-remoted not running ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> Killing ossec-execd ..
> Killing wazuh-modulesd ..
> Wazuh v2.0 Stopped
> Starting Wazuh v2.0 (maintained by Wazuh Inc.)...
> Started wazuh-modulesd...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
>
> /var/ossec/bin/ossec-analysisd -V
> Wazuh v2.0 - Wazuh Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> NAME="Wazuh"
> VERSION="v2.0"
> DATE="Wed Mar 15 11:38:44 UTC 2017"
> TYPE="server"
>
> Any suggestions would be greatly appreciated.
>



[ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread Marc Baker
OSSEC agents this morning were working without issue and then began 
reporting as Disconnected. Agent logs are returning the following error:

2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for 
permission...

2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply (not 
started). Tried: '.

2017/03/27 10:14:51 ossec-agent: INFO: Trying to connect to server (:1514).

Nothing has changed on the server to the best of our knowledge. One anomaly 
we are seeing that may be related is the following when restarting Wazuh 
manager services:


Deleting PID file '/var/ossec/var/run/ossec-remoted-4816.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
Killing wazuh-modulesd ..
Wazuh v2.0 Stopped
Starting Wazuh v2.0 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


/var/ossec/bin/ossec-analysisd -V
Wazuh v2.0 - Wazuh Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

/etc/ossec-init.conf
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v2.0"
DATE="Wed Mar 15 11:38:44 UTC 2017"
TYPE="server"

Any suggestions would be greatly appreciated.



Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
Before doing what I said above, check that your client.keys does not have 
duplicated IPs.

On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote:
>
> Hi Tahir,
>
> It could be an issue with the keys. OSSEC (agents and manager) keep a 
> counter of each message sent and received in /var/ossec/queue/rids. This is 
> a technique to prevent replay attacks. Let's try the following:
>
> - In an agent of your particular subnet: stop it, go to 
> /var/ossec/queue/rids and remove every file in there.
> - In the manager: stop it and remove the rids file with the same name 
> as the agent id that is reporting errors.
> - Restart the manager and the agent.
>
> Then, review the ossec.log of the agent to see what happens.
>
> In case this works, you will need to do the same in each agent. Also, 
> if you don't need the feature to prevent replay attacks, you can disable it 
> by changing remoted.verify_msg_id from 1 to 0 in 
> /var/ossec/etc/internal_options.conf.
>
> Regards.
>
> On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz  wrote: 
>> > Thanks. I am seeing this in the alerts.log for the ones not connecting, 
>> I 
>> > mean they seem to be able to connect in network terms but not the OSSEC 
>> > server instance process: 
>> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'. 
>> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed. 
>> > 
>> > Is there something we are not doing to allow these particular agents to 
>> > connect - a key file etc? 
>> > 
>>
>> Is that IP an IP you expect an agent to come from? 
>> Did you duplicate IPs when adding agents in manage_agents? 
>>
>> > 
>> > 
>> > 
>> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote: 
>> >> 
>> >> It should work with port 1514 UDP. First, check if you have connectivity
>> >> between agents and manager (ping, telnet, tcpdump...) and review your
>> >> network settings (routers, firewall rules, etc). Then, check out the
>> >> ossec.log of each agent to see what the issue is.
>> >> 
>> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote: 
>> >>> 
>> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  
>> wrote: 
>> >>> > We have an OSSEC server located in one particular subnet and the 
>> >>> > majority of 
>> >>> > the agents are located in the same subnet and work fine. 
>> >>> > However, we have a few OSSEC agents located in a different subnet 
>> and 
>> >>> > they 
>> >>> > are having problems being able to connect to the server. 
>> >>> > 
>> >>> > We have opened up port 1514 UDP between subnets for ingress and 
>> egress 
>> >>> > traffic. 
>> >>> > 
>> >>> > Is there anything that we should do to allow server and agent 
>> >>> > communication? 
>> >>> > 
>> >>> 
>> >>> Do you see the traffic on the server from the hosts that are having 
>> >>> issues? 
>> >>> Do the source IPs match your expectations? 
>> >>> 



Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
Hi Tahir,

It could be an issue with the keys. OSSEC (agents and manager) keep a 
counter of each message sent and received in /var/ossec/queue/rids. This is 
a technique to prevent replay attacks. Let's try the following:

   - In an agent of your particular subnet: stop it, go to 
   /var/ossec/queue/rids and remove every file in there.
   - In the manager: stop it and remove the rids file with the same name as 
   the agent id that is reporting errors.
   - Restart the manager and the agent.

Then, review the ossec.log of the agent to see what happens.

In case this works, you will need to do the same in each agent. Also, 
if you don't need the feature to prevent replay attacks, you can disable it 
by changing remoted.verify_msg_id from 1 to 0 in 
/var/ossec/etc/internal_options.conf.

Regards.

On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote:
> > Thanks. I am seeing this in the alerts.log for the ones not connecting, 
> I 
> > mean they seem to be able to connect in network terms but not the OSSEC 
> > server instance process: 
> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'. 
> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed. 
> > 
> > Is there something we are not doing to allow these particular agents to 
> > connect - a key file etc? 
> > 
>
> Is that IP an IP you expect an agent to come from? 
> Did you duplicate IPs when adding agents in manage_agents? 
>
> > 
> > 
> > 
> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote: 
> >> 
> >> It should work with port 1514 UDP. First, check if you have connectivity
> >> between agents and manager (ping, telnet, tcpdump...) and review your
> >> network settings (routers, firewall rules, etc). Then, check out the
> >> ossec.log of each agent to see what the issue is.
> >> 
> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote: 
> >>> 
> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  
> wrote: 
> >>> > We have an OSSEC server located in one particular subnet and the 
> >>> > majority of 
> >>> > the agents are located in the same subnet and work fine. 
> >>> > However, we have a few OSSEC agents located in a different subnet 
> and 
> >>> > they 
> >>> > are having problems being able to connect to the server. 
> >>> > 
> >>> > We have opened up port 1514 UDP between subnets for ingress and 
> egress 
> >>> > traffic. 
> >>> > 
> >>> > Is there anything that we should do to allow server and agent 
> >>> > communication? 
> >>> > 
> >>> 
> >>> Do you see the traffic on the server from the hosts that are having 
> >>> issues? 
> >>> Do the source IPs match your expectations? 
> >>> 

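Jesus's explanation of the rids counters is the key to why an agent can reach the manager on the network and still be dropped. The following is an added Python model, not OSSEC's implementation (the real files under /var/ossec/queue/rids hold more than one counter; a single integer per peer stands in for them here), that shows the counter check stopping a replayed message, then the failure mode from this thread, where one side's counters are reset and the other side rejects every message as a replay, then the fix the reply describes, and finally what setting remoted.verify_msg_id to 0 gives up. The names Peer, ReplayError and scenario are invented for this example.

```python
"""Model of the rids message counters that OSSEC agents and managers keep.

Added example, not the OSSEC implementation: the real files under
/var/ossec/queue/rids hold more than one counter; here a single integer per
peer stands in for them, which is enough to show why a reset on one side
only makes the other side drop every message as a replay.
"""


class ReplayError(Exception):
    """Raised when a message's counter is not above the last one accepted."""


class Peer:
    """One side of the agent<->manager link with a rids-style counter store.
    Names (Peer, ReplayError) are invented for this example."""

    def __init__(self, name, verify_msg_id=True):
        self.name = name
        # remoted.verify_msg_id in internal_options.conf: 1 checks counters, 0 does not
        self.verify_msg_id = verify_msg_id
        self.sent = 0          # counter stamped on our outgoing messages
        self.last_seen = {}    # rids: highest counter accepted from each remote peer

    def send(self, payload):
        self.sent += 1
        return (self.name, self.sent, payload)

    def receive(self, msg):
        sender, counter, payload = msg
        highest = self.last_seen.get(sender, 0)
        if self.verify_msg_id and counter <= highest:
            raise ReplayError(
                f"{self.name}: counter {counter} from {sender} is not above {highest}")
        self.last_seen[sender] = max(counter, highest)
        return payload

    def reset_rids(self, sender=None):
        """Equivalent of removing rids files: all of them (sender=None) resets
        both our outgoing counter and every remembered peer; one sender only
        drops that peer's file, as the thread suggests doing on the manager."""
        if sender is None:
            self.sent = 0
            self.last_seen.clear()
        else:
            self.last_seen.pop(sender, None)


def scenario():
    """Walk through normal traffic, a replay, a one-sided reset and the fix."""
    agent, manager = Peer("agent-001"), Peer("manager")
    out = {}

    # 1. Normal flow: counters advance on both sides.
    for i in range(3):
        manager.receive(agent.send(f"keepalive {i}"))
    out["accepted_normal"] = manager.last_seen["agent-001"]

    # 2. A captured message re-sent later is rejected: this is the protection.
    captured = agent.send("syscheck event")
    manager.receive(captured)
    try:
        manager.receive(captured)
        out["replay_blocked"] = False
    except ReplayError:
        out["replay_blocked"] = True

    # 3. The failure mode from the thread: the agent's rids are wiped (for
    #    example after a reinstall) while the manager keeps its file, so the
    #    agent restarts counting at 1 and every message looks like a replay.
    agent.reset_rids()
    try:
        manager.receive(agent.send("keepalive after reset"))
        out["desync_rejected"] = False
    except ReplayError:
        out["desync_rejected"] = True

    # 4. The fix Jesus describes: clear the agent's rids and the manager's
    #    file for that agent id, then restart both.
    agent.reset_rids()
    manager.reset_rids("agent-001")
    out["resync_ok"] = manager.receive(agent.send("keepalive resync")) == "keepalive resync"

    # 5. verify_msg_id = 0 turns the check off: replays are then accepted.
    lax = Peer("manager-lax", verify_msg_id=False)
    msg = agent.send("event")
    lax.receive(msg)
    out["replay_accepted_when_disabled"] = lax.receive(msg) == "event"
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Step 5 is the trade-off behind the "disable it" option in the reply: with verification off the manager accepts any message whose key decrypts, so resynchronising the counters is the better fix when it works.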


Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread dan (ddp)
On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz  wrote:
> Thanks. I am seeing this in the alerts.log for the ones not connecting, I
> mean they seem to be able to connect in network terms but not the OSSEC
> server instance process:
> ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
> ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
>
> Is there something we are not doing to allow these particular agents to
> connect - a key file etc?
>

Is that IP an IP you expect an agent to come from?
Did you duplicate IPs when adding agents in manage_agents?

>
>
>
> On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>>
>> It should work with port 1514 UDP. First, check if you have connectivity
>> between agents and manager (ping, telnet, tcpdump...) and review your
>> network settings (routers, firewall rules, etc). Then, check out the
>> ossec.log of each agent to see what the issue is.
>>
>> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  wrote:
>>> > We have an OSSEC server located in one particular subnet and the
>>> > majority of
>>> > the agents are located in the same subnet and work fine.
>>> > However, we have a few OSSEC agents located in a different subnet and
>>> > they
>>> > are having problems being able to connect to the server.
>>> >
>>> > We have opened up port 1514 UDP between subnets for ingress and egress
>>> > traffic.
>>> >
>>> > Is there anything that we should do to allow server and agent
>>> > communication?
>>> >
>>>
>>> Do you see the traffic on the server from the hosts that are having
>>> issues?
>>> Do the source IPs match your expectations?
>>>



Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jose Luis Ruiz
Hi Tahir,

Is your agent configuration using a static IP, a network range, or set to ANY?


Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On June 17, 2016 at 11:27:22 AM, Tahir Hafiz (tahir.ha...@gmail.com) wrote:

ERROR: Invalid ID for the source ip

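Three replies in this thread point at the same file: dan asks whether the IP the manager sees matches the one configured in manage_agents (no NAT) and whether IPs were duplicated, Jesus asks Tahir to check client.keys for duplicated IPs, and Jose Luis asks whether entries use a static IP, a network range or ANY. The following is an added Python example, not OSSEC's own code, that parses a client.keys file, lists addresses configured for more than one agent id, and reports which entries a packet from a given source address could belong to, so that "no entry" corresponds to the "Invalid ID for the source ip" error Tahir posted. The sample file is constructed with placeholder keys; treating lines that start with "#" or "!" as removed entries is an assumption of this example.

```python
"""Check a manager's client.keys the way the thread's replies suggest.

Added example (not OSSEC's own code).  Each client.keys line is
'<id> <name> <address> <key>', where the address is a single IP, a CIDR
range, or the word 'any'; the sample below is constructed and its keys are
placeholders.  Lines starting with '#' or '!' are treated as removed entries
(an assumption of this example).
"""
import ipaddress

SAMPLE_CLIENT_KEYS = """\
001 web-01 192.168.1.10 PLACEHOLDER-KEY-001
002 web-02 192.168.1.11 PLACEHOLDER-KEY-002
003 db-01 192.168.1.10 PLACEHOLDER-KEY-003
004 app-01 10.20.0.0/24 PLACEHOLDER-KEY-004
!005 old-01 192.168.1.50 PLACEHOLDER-KEY-005
"""


def parse_client_keys(text):
    """Return the live entries as dicts with id, name, addr and key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, addr, key = parts
        entries.append({"id": agent_id, "name": name, "addr": addr, "key": key})
    return entries


def addr_matches(configured, source_ip):
    """Does a packet from source_ip match this entry's configured address?"""
    if configured == "any":
        return True
    src = ipaddress.ip_address(source_ip)
    if "/" in configured:
        return src in ipaddress.ip_network(configured, strict=False)
    return src == ipaddress.ip_address(configured)


def duplicate_addrs(entries):
    """Addresses configured for more than one agent id (what dan and Jesus
    asked Tahir to check)."""
    by_addr = {}
    for e in entries:
        by_addr.setdefault(e["addr"], []).append(e["id"])
    return {addr: ids for addr, ids in by_addr.items() if len(ids) > 1}


def resolve_source(entries, source_ip):
    """Which entries could a packet from source_ip belong to.  The source
    must be the address the manager actually sees, so an agent behind NAT
    shows up as the NAT address, not the one in client.keys."""
    ids = [e["id"] for e in entries if addr_matches(e["addr"], source_ip)]
    if not ids:
        verdict = "no entry: expect 'Invalid ID for the source ip' from ossec-remoted"
    elif len(ids) > 1:
        verdict = "ambiguous: address duplicated in client.keys"
    else:
        verdict = "ok"
    return verdict, ids


if __name__ == "__main__":
    entries = parse_client_keys(SAMPLE_CLIENT_KEYS)
    print("duplicates:", duplicate_addrs(entries))
    for ip in ("10.20.0.7", "192.168.1.10", "203.0.113.9"):
        print(ip, "->", resolve_source(entries, ip))
```

The source address to feed `resolve_source` is the one tcpdump on the manager shows for the agent, as dan suggests, not the address the agent believes it has.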


Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Tahir Hafiz
Thanks. I am seeing this in the alerts.log for the ones not connecting, I 
mean they seem to be able to connect in network terms but not the OSSEC 
server instance process:
ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.

Is there something we are not doing to allow these particular agents to 
connect - a key file etc?



On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>
> It should work with port 1514 UDP. First, check if you have connectivity 
> between agents and manager (ping, telnet, tcpdump...) and review your 
> network settings (routers, firewall rules, etc). Then, check out the 
> ossec.log of each agent to see what the issue is.
>
> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  
>> wrote: 
>> > We have an OSSEC server located in one particular subnet and the 
>> majority of 
>> > the agents are located in the same subnet and work fine. 
>> > However, we have a few OSSEC agents located in a different subnet and 
>> they 
>> > are having problems being able to connect to the server. 
>> > 
>> > We have opened up port 1514 UDP between subnets for ingress and egress 
>> > traffic. 
>> > 
>> > Is there anything that we should do to allow server and agent 
>> communication? 
>> > 
>>
>> Do you see the traffic on the server from the hosts that are having 
>> issues? 
>> Do the source IPs match your expectations? 
>>



Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jesus Linares
It should work with port 1514 UDP. First, check if you have connectivity 
between agents and manager (ping, telnet, tcpdump...) and review your 
network settings (routers, firewall rules, etc). Then, check out the 
ossec.log of each agent to see what the issue is.

On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  > wrote: 
> > We have an OSSEC server located in one particular subnet and the 
> majority of 
> > the agents are located in the same subnet and work fine. 
> > However, we have a few OSSEC agents located in a different subnet and 
> they 
> > are having problems being able to connect to the server. 
> > 
> > We have opened up port 1514 UDP between subnets for ingress and egress 
> > traffic. 
> > 
> > Is there anything that we should do to allow server and agent 
> communication? 
> > 
>
> Do you see the traffic on the server from the hosts that are having 
> issues? 
> Do the source IPs match your expectations? 
>



Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-16 Thread dan (ddp)
On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz  wrote:
> We have an OSSEC server located in one particular subnet and the majority of
> the agents are located in the same subnet and work fine.
> However, we have a few OSSEC agents located in a different subnet and they
> are having problems being able to connect to the server.
>
> We have opened up port 1514 UDP between subnets for ingress and egress
> traffic.
>
> Is there anything that we should do to allow server and agent communication?
>

Do you see the traffic on the server from the hosts that are having issues?
Do the source IPs match your expectations?




[ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-16 Thread Tahir Hafiz
We have an OSSEC server located in one particular subnet and the majority 
of the agents are located in the same subnet and work fine. 
However, we have a few OSSEC agents located in a different subnet and they 
are having problems being able to connect to the server. 

We have opened up port 1514 UDP between subnets for ingress and egress 
traffic. 

Is there anything that we should do to allow server and agent communication?








Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Pedro S
Jesus is totally right.

The timeout he is talking about is 3*NOTIFY_TIME+30; NOTIFY_TIME by 
default is 600 seconds.

Check the last modification date on every agent-info/* file and wait 
until it is more than 30'30'' old.

Best regards,

Pedro S.


On Thursday, April 7, 2016 at 8:08:02 PM UTC+2, Jesus Linares wrote:
>
> Hi,
>
> In order to know if an agent is connected, disconnected or never connected, 
> OSSEC reads the modification date of the files in 
> /var/ossec/queue/agent-info/*:
>
> - if there is no file for the agent, the status is never connected
> - if the modification time of the file is less than a defined timeout, 
> the status is active. If it is greater, then the status is 
> disconnected.
>
> I guess those files are updated by the Manager each time that the agents 
> send a "keep-alive".
>
> I'm not sure, but I think the timeout is around 30 minutes.
>
> Regards,
> Jesus Linares.
>
> On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>>
>> Hello Dan,
>>
>> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control 
>> -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k 
>> even though the manager's ossec process is stopped. I am trying to figure 
>> out where the cache is stored. I need to remove that data before starting 
>> the manager's OSSEC process back.
>>
>> Without removing that data, if I start back the manager's ossec process 
>> the 3k count remains the same and the remaining agents do not show up as 
>> active.
>>
>> Thanks,
>> Sandeep.
>>
>

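The status logic Jesus Linares describes (no agent-info file means never connected; a file younger than the timeout means active, otherwise disconnected) together with the 3*NOTIFY_TIME+30 timeout Pedro S gives can be reproduced offline, which lets the count from agent_control -lc be cross-checked against the file mtimes directly, with or without the manager processes running. The following is an added example, not code from the thread or from the OSSEC project; the agent-info file naming '<agent-name>-<ip>' is an assumption, and the sample files built in demo() are constructed.

```python
"""Recompute OSSEC agent status from /var/ossec/queue/agent-info mtimes.

Added example (not from the thread or the OSSEC project). Assumptions:
the agent-info file naming '<agent-name>-<ip>' and the default queue path.
"""
import os
import tempfile
import time
from pathlib import Path

NOTIFY_TIME = 600                          # default agent keep-alive interval, seconds
DISCONNECT_TIMEOUT = 3 * NOTIFY_TIME + 30  # 1830 s = 30'30'', as stated in the thread
AGENT_INFO_DIR = "/var/ossec/queue/agent-info"  # path named in the thread


def classify(mtime, now, timeout=DISCONNECT_TIMEOUT):
    """Status of one agent from the mtime of its agent-info file (None = no file)."""
    if mtime is None:
        return "never connected"
    return "active" if (now - mtime) < timeout else "disconnected"


def read_agent_info(directory=AGENT_INFO_DIR):
    """Map every file in the agent-info directory to its modification time."""
    return {p.name: p.stat().st_mtime for p in Path(directory).iterdir() if p.is_file()}


def summarize(mtimes, now=None, timeout=DISCONNECT_TIMEOUT, expected=None):
    """Return ({agent: status}, {status: count}).

    `expected` lists agents that should exist (e.g. taken from client.keys) so
    that those without an agent-info file are reported as 'never connected'.
    """
    now = time.time() if now is None else now
    names = sorted(set(mtimes) | set(expected or ()))
    statuses = {n: classify(mtimes.get(n), now, timeout) for n in names}
    counts = {"active": 0, "disconnected": 0, "never connected": 0}
    for status in statuses.values():
        counts[status] += 1
    return statuses, counts


def demo():
    """Constructed sample: three agent-info files of chosen age, one agent with no file."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        for name, age in (("web01-10.0.0.11", 60),      # fresh keep-alive
                          ("db01-10.0.0.12", 1800),     # just inside 30'30''
                          ("app01-10.0.0.13", 1900)):   # past the timeout
            path = Path(tmp) / name
            path.write_text("")
            os.utime(path, (now - age, now - age))  # backdate like a stale keep-alive
        return summarize(read_agent_info(tmp), now=now, expected=["new01-10.0.0.14"])


if __name__ == "__main__":
    statuses, counts = demo()
    for agent, status in statuses.items():
        print(f"{agent:20} {status}")
    print(counts)
```

On a manager, `summarize(read_agent_info())` run as a user that can read the queue directory gives the same answer agent_control would. Because the check is pure file metadata, a stopped manager keeps reporting agents as active until 30'30'' has elapsed since their last keep-alive, which is the behaviour sandeep saw.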


Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Jesus Linares
Hi,

in order to know if an agent is connected, disconnected or never connected 
OSSEC reads the modification date of the files in 
*/var/ossec/queue/agent-info/*:*

   - if there is no file for the agent the status is *never connected*
   - if the modification time of the file is less than a defined timeout, 
   the status is *active*. If it is greater, then the status is 
   *disconnected*.

I guess those files are updated by the Manager each time that the agents 
send a "keep-alive".

I'm not sure, but I think the timeout is around 30 minutes.

Regards,
Jesus Linares.

On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>
> Hello Dan,
>
> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control 
> -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k 
> even though the manager's ossec process is stopped. I am trying to figure 
> out where the cache is stored. I need to remove that data before starting 
> the manager's OSSEC process back.
>
> Without removing that data, if i start back the manager's ossec process 
> the 3k count remains the same and the remaining agents do not show up as 
> active.
>
> Thanks,
> Sandeep.
>



Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread sandeep
Hello Dan,

Thanks for the reply. Yeah, it's the old data. I ran ./agent_control 
-lc|grep ID:|wc -l to list the count of agents active and it shows as 3k 
even though the manager's ossec process is stopped. I am trying to figure 
out where the cache is stored. I need to remove that data before starting 
the manager's OSSEC process back.

Without removing that data, if i start back the manager's ossec process the 
3k count remains the same and the remaining agents do not show up as active.

Thanks,
Sandeep.



Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread dan (ddp)
On Tue, Apr 5, 2016 at 11:01 AM, sandeep ganti  wrote:
> Hello,
>
> I do have like 6k servers in my environment connected to one of the OSSEC
> Server/manager. Out of the 6k only approx 3k are showing up as active and
> the rest they are shown as disconnected. I decided to kill the OSSEC Process
> on the Server/manager and perform a restart so that upon the restart i could
> see all the 6k to be active but to my surprise even after stopping the OSSEC
> process on the server/manager those 3k servers still show as Active.
>
> I believe there is something wrong on the Server/manager. Can someone please
> advise me on this? I have waited for like 15-30 mins for those 3k agents
> to show as disconnected and then to restart the OSSEC process on the server
> but they still remain as Active even after the OSSEC process is stopped on
> the Server.
>

If the manager's ossec processes aren't running, how is it going to
update the status?
I'm not sure where the info is cached (or how you're checking the
status), but it's probably old data.

> Thanks,
> Sandeep.
>


[ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread sandeep ganti
Hello,

I do have like 6k servers in my environment connected to one of the OSSEC 
Server/manager. Out of the 6k only approx 3k are showing up as active and 
the rest they are shown as disconnected. I decided to kill the OSSEC 
Process on the Server/manager and perform a restart so that upon the 
restart i could see all the 6k to be active but to my surprise even after 
stopping the OSSEC process on the server/manager those 3k servers still 
show as Active.

I believe there is something wrong on the Server/manager. Can someone 
please advise me on this? I have waited for like 15-30 mins for those 3k 
agents to show as disconnected and then to restart the OSSEC process on the 
server but they still remain as Active even after the OSSEC process is 
stopped on the Server.

Thanks,
Sandeep.



Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
Hi Steve,

yes, what you said makes sense. Those kinds of messages are typically
related to network issues, so I think there might be something we are
missing.

If that is ok with you I'll send you a private message, since I've been a
long-term Alienvault employee and maybe I can help.

Best

On Mon, May 11, 2015 at 11:00 AM, Steve MacDougall smacdoug...@bluepay.com
wrote:

 I added the agents using the IP address of the OSSEC server, which is
 statically configured. The server has multiple interfaces, but I used the
 IP address appropriate for the VLAN my agents were connecting from. I've
 confirmed the connections come in on the expected interface from the
 expected IP. I checked the other interface to make sure the responses
 weren't going back out another interface for some reason.

 The only thing I ever see in the log is this:

 2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '10.10.1.203'.
 2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server (
 10.10.1.203:1514).
 2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .
 2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '10.10.1.203'.

 The only thing I've found related to this error is check for a firewall.
 Since these connections are local, there's no firewall in the way. Some of
 the agents are on servers with local firewalls, but I've verified that the
 OSSEC connections are hitting the server, so firewalls aren't the issue.
 The server is, for some reason, not responding.


 On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote:

 Hi Steve,

 do you use DHCP or fixed IP addresses in your environment? Do your
 servers have one or more than one IP?

 When you added the agents, did you use fixed IPs for each one? Is
 tcpdump output showing the same IP you used when adding those?

 Best





 On Mon, May 11, 2015 at 8:54 AM, Steve MacDougall smacd...@bluepay.com
 wrote:

 I have OSSEC running as part of an Alienvault installation, with about
 20 agents configured. Recently I've observed that most of the agents will
 show as disconnected. After a few hours all of them except for one or two
 will show active again. Then within a short period of time, most of them
 will go back to disconnected. This goes on throughout the day, with
 different numbers of agents showing active or disconnected at any given
 time. There's no specific group of agents this happens to. It can be any
 agent.

 There's nothing in the log to suggest any issue with keys. I've also
 deleted and re-installed agents with no success.

 Firewalls aren't an issue since the agents are on the same VLAN as the
 AlienVault interface they're connecting to and they are able to connect at
 times.

 Although there's nothing in the logs to suggest a problem with counters,
 I shut down the server and agents, deleted everything in
 /var/ossec/queue/rids and restarted everything. Initially this seemed to
 work. All the agents connected, but within half an hour most were
 disconnected again. For laughs, I also tried setting
 'remoted.verify_msg_id=0' on the server, but this didn't help.

 I played around with notify_time and time-reconnect client options, but
 these didn't help.

 I've turned on full debugging on client and server, as well but nothing
 shows up in the log to help me troubleshoot. A tcpdump on the server side
 shows traffic from the agents, but no server response.

 I have a support case open with AlienVault as well, but I suspect people
 in this group may have more specific OSSEC experience than AlienVault
 support. The server and all the agents are running OSSEC 2.8.1.



Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
Sure. That would be great. As I mentioned, I have a case open with AV
already, but I think the tech that's working on my case is in Ireland, so
our work hours don't overlap much. Anything you can do to help would be
appreciated. If you have access to the support cases, it's case # 00056663.

___
*Steve MacDougall* | *Sr. Systems/Network Administrator*
BluePay Canada

o:  647.258.3704
m:  289.924.1806
e:  smacdoug...@bluepay.ca
w:  www.bluepay.ca




On 11 May 2015 at 14:18, Santiago Bassett santiago.bass...@gmail.com
wrote:

 Hi Steve,

 yes, what you said makes sense. Those kinds of messages are typically
 related to network issues, so I think there might be something we are
 missing.

 If that is ok with you I'll send you a private message, since I've been a
 long-term Alienvault employee and maybe I can help.

 Best

 On Mon, May 11, 2015 at 11:00 AM, Steve MacDougall 
 smacdoug...@bluepay.com wrote:

 I added the agents using the IP address of the OSSEC server, which is
 statically configured. The server has multiple interfaces, but I used the
 IP address appropriate for the VLAN my agents were connecting from. I've
 confirmed the connections come in on the expected interface from the
 expected IP. I checked the other interface to make sure the responses
 weren't going back out another interface for some reason.

 The only thing I ever see in the log is this:

 2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '10.10.1.203'.
 2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server (
 10.10.1.203:1514).
 2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .
 2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '10.10.1.203'.

 The only thing I've found related to this error is check for a firewall.
 Since these connections are local, there's no firewall in the way. Some of
 the agents are on servers with local firewalls, but I've verified that the
 OSSEC connections are hitting the server, so firewalls aren't the issue.
 The server is, for some reason, not responding.


 On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote:

 Hi Steve,

 do you use DHCP or fixed IP addresses in your environment? Do your
 servers have one or more than one IP?

 When you added the agents, did you use fixed IPs for each one? Is
 tcpdump output showing the same IP you used when adding those?

 Best





 On Mon, May 11, 2015 at 8:54 AM, Steve MacDougall smacd...@bluepay.com
 wrote:

 I have OSSEC running as part of an Alienvault installation, with about
 20 agents configured. Recently I've observed that most of the agents will
 show as disconnected. After a few hours all of them except for one or two
 will show active again. Then within a short period of time, most of them
 will go back to disconnected. This goes on throughout the day, with
 different numbers of agents showing active or disconnected at any given
 time. There's no specific group of agents this happens to. It can be any
 agent.

 There's nothing in the log to suggest any issue with keys. I've also
 deleted and re-installed agents with no success.

 Firewalls aren't an issue since the agents are on the same VLAN as the
 AlienVault interface they're connecting to and they are able to connect at
 times.

 Although there's nothing in the logs to suggest a problem with
 counters, I shut down the server and agents, deleted everything in
 /var/ossec/queue/rids and restarted everything. Initially this seemed to
 work. All the agents connected, but within half an hour most were
 disconnected again. For laughs, I also tried setting
 'remoted.verify_msg_id=0' on the server, but this didn't help.

 I played around with notify_time and time-reconnect client options, but
 these didn't help.

 I've turned on full debugging on client and server, as well but nothing
 shows up in the log to help me troubleshoot. A tcpdump on the server side
 shows traffic from the agents, but no server response.

 I have a support case open with AlienVault as well, but I suspect
 people in this group may have more specific OSSEC experience than
 AlienVault support. The server and all the agents are running OSSEC 2.8.1.


Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
I added the agents using the IP address of the OSSEC server, which is 
statically configured. The server has multiple interfaces, but I used the 
IP address appropriate for the VLAN my agents were connecting from. I've 
confirmed the connections come in on the expected interface from the 
expected IP. I checked the other interface to make sure the responses 
weren't going back out another interface for some reason.

The only thing I ever see in the log is this:

2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: '10.10.1.203'.
2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server 
(10.10.1.203:1514).
2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .
2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: '10.10.1.203'.

The only thing I've found related to this error is check for a firewall. 
Since these connections are local, there's no firewall in the way. Some of 
the agents are on servers with local firewalls, but I've verified that the 
OSSEC connections are hitting the server, so firewalls aren't the issue. 
The server is, for some reason, not responding.


On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote:

 Hi Steve,

 do you use DHCP or fixed IP addresses in your environment? Do your servers 
 have one or more than one IP? 

 When you added the agents, did you use fixed IPs for each one? Is tcpdump 
 output showing the same IP you used when adding those?

 Best





 On Mon, May 11, 2015 at 8:54 AM, Steve MacDougall smacd...@bluepay.com 
 wrote:

 I have OSSEC running as part of an Alienvault installation, with about 20 
 agents configured. Recently I've observed that most of the agents will show 
 as disconnected. After a few hours all of them except for one or two will 
 show active again. Then within a short period of time, most of them will go 
 back to disconnected. This goes on throughout the day, with different 
 numbers of agents showing active or disconnected at any given time. There's 
 no specific group of agents this happens to. It can be any agent.

 There's nothing in the log to suggest any issue with keys. I've also 
 deleted and re-installed agents with no success.

 Firewalls aren't an issue since the agents are on the same VLAN as the 
 AlienVault interface they're connecting to and they are able to connect at 
 times.

 Although there's nothing in the logs to suggest a problem with counters, 
 I shut down the server and agents, deleted everything in 
 /var/ossec/queue/rids and restarted everything. Initially this seemed to 
 work. All the agents connected, but within half an hour most were 
 disconnected again. For laughs, I also tried setting 
 'remoted.verify_msg_id=0' on the server, but this didn't help.

 I played around with notify_time and time-reconnect client options, but 
 these didn't help.

 I've turned on full debugging on client and server, as well but nothing 
 shows up in the log to help me troubleshoot. A tcpdump on the server side 
 shows traffic from the agents, but no server response.

 I have a support case open with AlienVault as well, but I suspect people 
 in this group may have more specific OSSEC experience than AlienVault 
 support. The server and all the agents are running OSSEC 2.8.1.



Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
Hi Steve,

do you use DHCP or fixed IP addresses in your environment? Do your servers
have one or more than one IP?

When you added the agents, did you use fixed IPs for each one? Is tcpdump
output showing the same IP you used when adding those?

Best





On Mon, May 11, 2015 at 8:54 AM, Steve MacDougall smacdoug...@bluepay.com
wrote:

 I have OSSEC running as part of an Alienvault installation, with about 20
 agents configured. Recently I've observed that most of the agents will show
 as disconnected. After a few hours all of them except for one or two will
 show active again. Then within a short period of time, most of them will go
 back to disconnected. This goes on throughout the day, with different
 numbers of agents showing active or disconnected at any given time. There's
 no specific group of agents this happens to. It can be any agent.

 There's nothing in the log to suggest any issue with keys. I've also
 deleted and re-installed agents with no success.

 Firewalls aren't an issue since the agents are on the same VLAN as the
 AlienVault interface they're connecting to and they are able to connect at
 times.

 Although there's nothing in the logs to suggest a problem with counters, I
 shut down the server and agents, deleted everything in
 /var/ossec/queue/rids and restarted everything. Initially this seemed to
 work. All the agents connected, but within half an hour most were
 disconnected again. For laughs, I also tried setting
 'remoted.verify_msg_id=0' on the server, but this didn't help.

 I played around with notify_time and time-reconnect client options, but
 these didn't help.

 I've turned on full debugging on client and server, as well but nothing
 shows up in the log to help me troubleshoot. A tcpdump on the server side
 shows traffic from the agents, but no server response.

 I have a support case open with AlienVault as well, but I suspect people
 in this group may have more specific OSSEC experience than AlienVault
 support. The server and all the agents are running OSSEC 2.8.1.



[ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
I have OSSEC running as part of an Alienvault installation, with about 20 
agents configured. Recently I've observed that most of the agents will show 
as disconnected. After a few hours all of them except for one or two will 
show active again. Then within a short period of time, most of them will go 
back to disconnected. This goes on throughout the day, with different 
numbers of agents showing active or disconnected at any given time. There's 
no specific group of agents this happens to. It can be any agent.

There's nothing in the log to suggest any issue with keys. I've also 
deleted and re-installed agents with no success.

Firewalls aren't an issue since the agents are on the same VLAN as the 
AlienVault interface they're connecting to and they are able to connect at 
times.

Although there's nothing in the logs to suggest a problem with counters, I 
shut down the server and agents, deleted everything in 
/var/ossec/queue/rids and restarted everything. Initially this seemed to 
work. All the agents connected, but within half an hour most were 
disconnected again. For laughs, I also tried setting 
'remoted.verify_msg_id=0' on the server, but this didn't help.

I played around with notify_time and time-reconnect client options, but 
these didn't help.

I've turned on full debugging on client and server, as well but nothing 
shows up in the log to help me troubleshoot. A tcpdump on the server side 
shows traffic from the agents, but no server response.

I have a support case open with AlienVault as well, but I suspect people in 
this group may have more specific OSSEC experience than AlienVault support. 
The server and all the agents are running OSSEC 2.8.1.

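What Steve describes (the agent reaches the manager at the socket level, tcpdump shows the packets arriving, yet "Waiting for server reply (not started)" keeps repeating) is easiest to quantify by summarising ossec-agentd's own log per manager address: how many connect attempts were made, how many reply warnings followed, how many attempts went unanswered before the next retry, and how long the episode lasted. The script below is an added example, not code from the thread or the OSSEC project; the sample lines are constructed after the 2.8.x format quoted in Steve's message plus the "Server unavailable. Setting lock." line from the 2019 message, and the unresponsive threshold is an arbitrary assumption.

```python
"""Summarise ossec-agentd reconnect behaviour per manager address.

Added example (not from the thread or the OSSEC project). The sample lines
are constructed after the formats quoted in this thread; the threshold is an
arbitrary assumption.
"""
import re
from datetime import datetime

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
# Accepts both the 2.8.x form "(IP:PORT)." and the later "IP, port PORT." form.
TRY_RE = re.compile(TS + r" ossec-agentd: INFO: Trying to connect to server "
                    r"\(?(?P<server>[^\s:,)]+)(?::|, port )(?P<port>\d+)\)?\.")
WAIT_RE = re.compile(TS + r" ossec-agentd\(4101\): WARN: Waiting for server reply "
                     r"\(not started\)\. Tried: '(?P<server>[^']+)'\.")
LOCK_RE = re.compile(TS + r" ossec-agentd: WARN: Server unavailable\. Setting lock\.")

SAMPLE_LINES = [  # constructed; modelled on the lines quoted in the thread
    "2015/05/11 13:49:02 ossec-agentd: WARN: Server unavailable. Setting lock.",
    "2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.",
    "2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server (10.10.1.203:1514).",
    "2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .",
    "2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.",
    "2015/05/11 13:56:10 ossec-agentd: INFO: Trying to connect to server (10.10.1.203:1514).",
    "2015/05/11 13:56:31 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.",
    "2015/05/11 13:59:50 ossec-agentd: INFO: Trying to connect to server (10.10.1.203:1514).",
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def analyze(lines, unanswered_threshold=2):
    """Per-server counters plus an 'unresponsive' flag; also counts lock events.

    An attempt is 'unanswered' when the next agentd event for that server is a
    'Waiting for server reply' warning rather than another connect attempt.
    """
    servers = {}
    pending = {}   # server -> most recent attempt not yet followed by a reply warning
    lock_events = 0

    def entry(server, ts):
        e = servers.setdefault(server, {"attempts": 0, "reply_warnings": 0,
                                        "unanswered_attempts": 0,
                                        "first_seen": ts, "last_seen": ts})
        e["first_seen"] = min(e["first_seen"], ts)
        e["last_seen"] = max(e["last_seen"], ts)
        return e

    for line in lines:
        line = line.strip()
        if LOCK_RE.match(line):
            lock_events += 1   # agentd blocked logcollector until the server answers
            continue
        m = TRY_RE.match(line)
        if m:
            ts = _parse_ts(m["ts"])
            entry(m["server"], ts)["attempts"] += 1
            pending[m["server"]] = ts
            continue
        m = WAIT_RE.match(line)
        if m:
            ts = _parse_ts(m["ts"])
            e = entry(m["server"], ts)
            e["reply_warnings"] += 1
            if pending.pop(m["server"], None) is not None:
                e["unanswered_attempts"] += 1

    for e in servers.values():
        e["span_seconds"] = int((e["last_seen"] - e["first_seen"]).total_seconds())
        e["unresponsive"] = e["unanswered_attempts"] >= unanswered_threshold
        e["first_seen"] = e["first_seen"].strftime("%Y/%m/%d %H:%M:%S")
        e["last_seen"] = e["last_seen"].strftime("%Y/%m/%d %H:%M:%S")
    return {"servers": servers, "lock_events": lock_events}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LINES), indent=2))
```

Fed with `open("/var/ossec/logs/ossec.log")` on an agent, a server entry with a high unanswered count and a long span while tcpdump on the manager shows the datagrams arriving points at the manager side (ossec-remoted not answering, or answering from a different interface than the one the agent was registered with), which is the direction Santiago's questions about fixed IPs and tcpdump were taking.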


Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2015-01-13 Thread SoulAuctioneer
I just investigated this as I've been working on the eventchannel code 
quite a bit. The eventchannel stuff will bookmark the last location so 
the agent can pick up again where it left off. Also, if the manager is down 
and seen as disconnected by the agent, then it will also behave the same 
way as the eventlog code does and wait for it to come back to life before 
sending more log data.



Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-18 Thread horst knete
Hi,

thx for your response.

Considering some changelogs that I saw and the tests that I made, OSSEC 
still doesn't buffer the logs / continue with the last unsent event.

Indeed I tested NXLOG as the shipper for Windows events and it works pretty 
well in the community edition but doesn't have the ability to manage the 
configs of all agents from one server :/.

But I think that's better than nothing.

Cheers
Am Dienstag, 17. Juni 2014 16:40:04 UTC+2 schrieb Michael Starks:

 On 2014-06-17 3:17, horst knete wrote: 
  Hey Guys, 
  
  we are implementing an OSSEC Installation in our Environment due to the 
  great functionality of the System. 
  
  We got Agents on both Linux and Windows and the Log Shipment is 
  working fine. 
  
  But as we tested what happens if the OSSEC Server goes down (i.e. for 
  maintenance) the Windows Logs which are produced in the downtime 
  don't get shipped to the OSSEC Server after it is online again. 

 I think the new eventchannel functionality is designed to bookmark the 
 last location of the logs and ship them, but that may be only if the 
 agent service is down, not the manager. And eventchannel doesn't work at 
 all for me, so it may be a moot point. For this and other reasons, I 
 don't use the OSSEC agent for log transport on Windows. Consider using 
 something like NXLOG, which should be feature-full enough for your 
 requirements, and then analyze the logs as syslog on the manager. 




Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-18 Thread dan (ddp)
On Wed, Jun 18, 2014 at 2:19 AM, horst knete baduncl...@hotmail.de wrote:
 Hi,

 thx for your response.

 Considering some changelogs that I saw and the tests that I made, OSSEC
 still doesn't buffer the logs / continue with the last unsent event.


The OSSEC project does accept code contributions.

 Indeed I tested NXLOG as the shipper for Windows events and it works pretty
 well in the community edition but doesn't have the ability to manage the configs
 of all agents from one server :/.

 But I think that's better than nothing.

 Cheers
 Am Dienstag, 17. Juni 2014 16:40:04 UTC+2 schrieb Michael Starks:

 On 2014-06-17 3:17, horst knete wrote:
  Hey Guys,
 
  we are implementing an OSSEC Installation in our Environment due to the
  great functionality of the System.
 
  We got Agents on both Linux and Windows and the Log Shipment is
  working fine.
 
  But as we tested what happens if the OSSEC Server goes down (i.e. for
  maintenance) the Windows Logs which are produced in the downtime
  don't get shipped to the OSSEC Server after it is online again.

 I think the new eventchannel functionality is designed to bookmark the
 last location of the logs and ship them, but that may be only if the
 agent service is down, not the manager. And eventchannel doesn't work at
 all for me, so it may be a moot point. For this and other reasons, I
 don't use the OSSEC agent for log transport on Windows. Consider using
 something like NXLOG, which should be feature-full enough for your
 requirements, and then analyze the logs as syslog on the manager.



[ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread horst knete
Hey Guys,

we are implementing an OSSEC Installation in our Environment due to the 
great functionality of the System.

We got Agents on both Linux and Windows and the Log Shipment is working 
fine.

But as we tested what happens if the OSSEC Server goes down (i.e. for 
maintenance) the Windows Logs which are produced in the downtime don't get 
shipped to the OSSEC Server after it is online again.

Regarding this post: 
https://groups.google.com/forum/#!topic/ossec-list/F_izIq3zEi4 from the 
year 2010, the developer doesn't seem interested in implementing such a 
feature.

Unfortunately our Environment is very critical and if Logs get lost this 
would be an unacceptable behavior for us.

Hopefully you can provide us with some good news :)



Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread dan (ddp)
On Tue, Jun 17, 2014 at 4:17 AM, horst knete baduncl...@hotmail.de wrote:
 Hey Guys,

 we are implementing an OSSEC Installation in our Environment due to the
 great functionality of the System.

 We got Agents on both Linux and Windows and the Log Shipment is working
 fine.

 But as we tested what happens if the OSSEC Server goes down (i.e. for
 maintenance) the Windows Logs which are produced in the downtime don't get
 shipped to the OSSEC Server after it is online again.

 Regarding this post:
 https://groups.google.com/forum/#!topic/ossec-list/F_izIq3zEi4 from the year
 2010, the developer doesn't seem interested in implementing such a feature.


I don't believe anything has changed. You could check the release
notes for the past 4 years of releases though to make sure.

 Unfortunately our Environment is very critical and if Logs get lost this would
 be an unacceptable behavior for us.

 Hopefully you can provide us with some good news :)



Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread Michael Starks

On 2014-06-17 3:17, horst knete wrote:

Hey Guys,

we are implementing an OSSEC installation in our environment due to
the great functionality of the system.

We got agents on both Linux and Windows and the log shipment is
working fine.

But as we tested what happens if the OSSEC server goes down (i.e. for
maintenance), the Windows logs which are produced in the downtime
don't get shipped to the OSSEC server after it is online again.


I think the new eventchannel functionality is designed to bookmark the 
last location of the logs and ship them, but that may be only if the 
agent service is down, not the manager. And eventchannel doesn't work at 
all for me, so it may be a moot point. For this and other reasons, I 
don't use the OSSEC agent for log transport on Windows. Consider using 
something like NXLOG, which should be feature-full enough for your 
requirements, and then analyze the logs as syslog on the manager.




Re: [ossec-list] OSSEC Agents Spawned from Image?

2013-04-12 Thread dan (ddp)
On Thu, Apr 11, 2013 at 4:09 PM, Sam Oehlert somidsc...@gmail.com wrote:
 I can't find a way to accomplish this, but basically the situation breaks
 down like this:

 We have a group of machines that are all booted off of one image over the
 network. We would like to have the agent running on them, but since they
 don't have persistent storage, that would have to be in the image. I'm not
 sure that would work as they would all share the same info then, which
 seemingly would cause issues.

 Can anyone think of a way to deal with this? Would it be possible to script
 a way to install all of these agents after they are booted somehow?


Have them either create a new key via agent-auth (and probably some
back-end shenanigans to keep the number of agents down) when they
boot. Or have them load a key from some network storage
(authenticating this could be difficult), and turn off rids.


[ossec-list] OSSEC Agents Spawned from Image?

2013-04-11 Thread Sam Oehlert
I can't find a way to accomplish this, but basically the situation breaks 
down like this:

We have a group of machines that are all booted off of one image over the 
network. We would like to have the agent running on them, but since they 
don't have persistent storage, that would have to be in the image. I'm not 
sure that would work as they would all share the same info then, which 
seemingly would cause issues.

Can anyone think of a way to deal with this? Would it be possible to script 
a way to install all of these agents after they are booted somehow?


Re: [ossec-list] Ossec agents dont generate alerts for missing files or directories

2013-04-08 Thread dan (ddp)
On Sun, Apr 7, 2013 at 8:44 PM, Erkki Saikkonen eki.saikko...@gmail.com wrote:
 Hi,

 New to using OSSEC, need help with use and alerts. Why don't OSSEC agents
 generate alerts if you remove a directory or file listed in the syscheckd

Agents never generate alerts, only servers (and local installs) generate alerts.

 configuration in ossec.conf? The other thing is that OSSEC doesn't report changes

You should get alerts for this. Check for rule 553 in alerts.log.
Also, check for the file in the agent's syscheck db in
/var/ossec/queue/syscheck.

 of ownership or rights for directories at all. Only changes to files are
 alerted.

 I get a WARN in the agent's own ossec.log, but no alert in the server's alerts.log. Am
 I missing something here?

 Example piece of my configuration:
 <directories check_all="yes">%WINDIR%/important/important.txt</directories>
 or
 <directories check_all="yes">%WINDIR%/important</directories>

 Any help much appreciated!


[ossec-list] Ossec agents dont generate alerts for missing files or directories

2013-04-07 Thread Erkki Saikkonen
Hi,

New to using OSSEC, need help with use and alerts. Why don't OSSEC agents 
generate alerts if you remove a directory or file listed in the syscheckd 
configuration in ossec.conf? The other thing is that OSSEC doesn't report 
changes of ownership or rights for directories at all. Only changes to files 
are alerted.

I get a WARN in the agent's own ossec.log, but no alert in the server's alerts.log. Am 
I missing something here?

Example piece of my configuration:
<directories check_all="yes">%WINDIR%/important/important.txt</directories>
or
<directories check_all="yes">%WINDIR%/important</directories>

Any help much appreciated!


Re: [ossec-list] Ossec agents are not appearing in Ossec Server

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 2:46 AM, Umair Mustafa umair.ksa2...@gmail.com wrote:
 I installed Ossec Server and some agents on other servers. But the thing is
 that out of 10 agents only 7 servers are able to communicate with Ossec
 Server and 3 are not.

 This is the Ossec Server information

 DIRECTORY=/var/ossec
 VERSION=v2.5.1
 DATE=Thu Jan 13 17:03:30 AST 2011
 TYPE=server


 And this is the log which I collected from the newly installed agent

 2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.

 2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server
 (192.168.9.1:1514).

 2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.

 2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server
 (192.168.9.1:1514).

 2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.

 2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server
 (192.168.9.1:1514).

 2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.

 2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server
 (192.168.9.1:1514).

 2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.

 2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server
 (192.168.9.1:1514).

 2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply
 (not started). Tried: '192.168.9.1'.



 Agent Info

 [root@pdbosl02 etc]# cat ossec-init.conf
 DIRECTORY=/var/ossec
 VERSION=v2.6

Your server is version 2.5.1.

 DATE=Sat Aug 25 13:56:49 AST 2012
 TYPE=agent


[ossec-list] Ossec agents are not appearing in Ossec Server

2013-03-04 Thread Umair Mustafa
I installed Ossec Server and some agents on other servers. But the thing is 
that out of 10 agents only 7 servers are able to communicate with Ossec 
Server and 3 are not. 

This is the Ossec Server information 

DIRECTORY=/var/ossec
 VERSION=v2.5.1
 DATE=Thu Jan 13 17:03:30 AST 2011
 TYPE=server

 
And this is the log which I collected from the newly installed agent 

2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply (not 
 started). Tried: '192.168.9.1'.

 2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server 
 (192.168.9.1:1514).

 2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply 
 (not started). Tried: '192.168.9.1'.

 2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server 
 (192.168.9.1:1514).

 2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply 
 (not started). Tried: '192.168.9.1'.

 2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server 
 (192.168.9.1:1514).

 2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply 
 (not started). Tried: '192.168.9.1'.

 2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server 
 (192.168.9.1:1514).

 2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply 
 (not started). Tried: '192.168.9.1'.

 2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server 
 (192.168.9.1:1514).

 2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .

 2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply 
 (not started). Tried: '192.168.9.1'.


 
Agent Info

[root@pdbosl02 etc]# cat ossec-init.conf 
 DIRECTORY=/var/ossec
 VERSION=v2.6
 DATE=Sat Aug 25 13:56:49 AST 2012
 TYPE=agent


Re: [ossec-list] OSSEC agents

2012-06-05 Thread dan (ddp)
On Thu, May 31, 2012 at 1:07 PM, Maahkus mark.v...@gmail.com wrote:
 Is there a log file that displays what authenticated user or the date
 and time a new agent was added? I need to track a newly added agent to
 the user that added - can't seem to figure out how..

 Regards,

Nope. There may be a way to log who runs manage_agents through your OS.


Re: [ossec-list] OSSEC agents

2012-06-05 Thread Daniel Cid
Every time an agent is first connected, OSSEC generates an alert for it:

Rule: 501 (level 3) - 'New ossec agent connected.'

So you can probably use that to get more information on when it was first
connected... But there is no easy (standard) way to detect when the
client.keys file was modified (only if you add that to syscheck).

thanks,

--
Daniel B. Cid
http://dcid.me


On Thu, May 31, 2012 at 2:07 PM, Maahkus mark.v...@gmail.com wrote:
 Is there a log file that displays what authenticated user or the date
 and time a new agent was added? I need to track a newly added agent to
 the user that added - can't seem to figure out how..

 Regards,
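
Both dan's pointer to rule 553 in alerts.log (deleted syscheck files, in the "agents dont generate alerts" thread) and Daniel's note that the rule 501 alert is the only standard record of when an agent first connected come down to reading alerts.log. The parser below is an added example, not code from the list or from the OSSEC project; it assumes the classic multi-line alerts.log layout and runs on a constructed sample.

```python
import re

# Constructed sample in the classic alerts.log layout (not real data).
SAMPLE_ALERTS = """\
** Alert 1338487620.1024: - ossec,
2012 May 31 14:07:00 (web01) 10.0.0.11->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'web01->10.0.0.11'.

** Alert 1338487700.2048: - ossec,
2012 May 31 14:08:20 (db01) 10.0.0.12->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'db01->10.0.0.12'.

** Alert 1365381840.4096: - ossec,syscheck,
2013 Apr 07 20:44:00 (winhost) 10.0.0.20->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File 'C:\\Windows/important/important.txt' was deleted. Unable to retrieve checksum.

** Alert 1365381900.8192: - ossec,
2013 Apr 07 20:45:00 (web01) 10.0.0.11->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'web01->10.0.0.11'.
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: ")
# "(agent)" is absent when the manager itself raised the alert, so it is optional.
ORIGIN_RE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\(([^)]*)\) )?(\S+)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
DELETED_RE = re.compile(r"^File '(.*)' was deleted")


def parse_alerts(text: str) -> list[dict]:
    """One dict per alert block; malformed blocks are skipped, not guessed at."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if len(lines) >= 3 else None
        origin = ORIGIN_RE.match(lines[1]) if head else None
        rule = RULE_RE.match(lines[2]) if origin else None
        if not rule:
            continue
        alerts.append({
            "epoch": int(head.group(1)),
            "agent": origin.group(2) or origin.group(3),  # fall back to hostname
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "log": lines[3:],
        })
    return alerts


def first_connections(alerts: list[dict]) -> dict[str, int]:
    """Earliest rule 501 epoch per agent: the closest the default ruleset
    comes to recording when an agent was first added."""
    first: dict[str, int] = {}
    for a in alerts:
        if a["rule"] == 501:
            first[a["agent"]] = min(a["epoch"], first.get(a["agent"], a["epoch"]))
    return first


def deleted_files(alerts: list[dict]) -> list[tuple[str, str]]:
    """(agent, path) for each rule 553 alert whose log line names the file."""
    hits = []
    for a in alerts:
        if a["rule"] == 553:
            for m in filter(None, map(DELETED_RE.match, a["log"])):
                hits.append((a["agent"], m.group(1)))
    return hits
```

Feed it the real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())`; as Daniel says, this dates the first connection, not who added the key, so pairing it with a syscheck entry for client.keys is still the only way to see edits to that file.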


[ossec-list] OSSEC agents

2012-05-31 Thread Maahkus
Is there a log file that displays what authenticated user or the date
and time a new agent was added? I need to track a newly added agent to
the user that added - can't seem to figure out how..

Regards,


[ossec-list] OSSEC agents grouping

2011-07-26 Thread gopal krishnan
Hi Dan,

I need help on how to group the OSSEC agents.

For example,

I have an OSSEC server already installed and up.

Now I want to install OSSEC agents on nearly 300 servers.

I want to group all these agents like the following:

Production Application
Production Web
Production SQL
Production Oracle
Stage Application
Stage Web

and the same thing for the test environment also.

Please provide me the detailed steps on how to make this config.

Thanks In Advance!
-Gopal.C


Re: [ossec-list] OSSEC agents grouping

2011-07-26 Thread dan (ddp)
What do you mean by group them? In what?

On Tue, Jul 26, 2011 at 10:42 AM, gopal krishnan
gopikrishna...@gmail.com wrote:
 Hi Dan,

 I need help on how to group the OSSEC agents.

 For example,

 I have an OSSEC server already installed and up.

 Now I want to install OSSEC agents on nearly 300 servers.

 I want to group all these agents like the following:

 Production Application
 Production Web
 Production SQL
 Production Oracle
 Stage Application
 Stage Web

 and the same thing for the test environment also.

 Please provide me the detailed steps on how to make this config.

 Thanks In Advance!
 -Gopal.C


[ossec-list] ossec agents

2011-02-10 Thread Rob
I have OSSEC installed in a master/agent setup.  There are about 30
agents running with one master.  I recently changed the ossec.conf to
monitor changes in directories in real time:


<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>


Do I have to add this change (realtime="yes") to each agent's
ossec.conf, or is just changing it on the master and restarting OSSEC
enough?


Re: [ossec-list] ossec agents

2011-02-10 Thread dan (ddp)
You need to change it in each system's ossec.conf, or utilize the agent.conf.
Changing it in the manager's ossec.conf will only affect the manager.

On Thu, Feb 10, 2011 at 9:01 AM, Rob robr...@gmail.com wrote:
 I have OSSEC installed in a master/agent setup.  There are about 30
 agents running with one master.  I recently changed the ossec.conf to
 monitor changes in directories in real time:


 <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
 <directories realtime="yes" check_all="yes">/bin,/sbin</directories>


 Do I have to add this change (realtime="yes") to each agent's
 ossec.conf, or is just changing it on the master and restarting OSSEC
 enough?



Re: [ossec-list] ossec agents

2011-02-10 Thread Satish Patel

I believe you have to do it on all agents.

Also you can do it centrally by configuring the agent.conf file on the server.

--
Sent from my iPhone

On Feb 10, 2011, at 9:01 AM, Rob robr...@gmail.com wrote:


I have OSSEC installed in a master/agent setup.  There are about 30
agents running with one master.  I recently changed the ossec.conf to
monitor changes in directories in real time:


<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>


Do I have to add this change (realtime="yes") to each agent's
ossec.conf, or is just changing it on the master and restarting OSSEC
enough?
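
As an added illustration of the centralized route both replies above point to (not a configuration from any of the posters), this is an agent.conf kept on the manager that pushes Rob's real-time syscheck entries to every Linux agent, with a narrower block for a single agent. The agent name `web01` and the `/var/www` path are assumed; the `os` and `name` selectors are standard agent.conf attributes.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager. Agents fetch it from
     the manager and apply it after their next restart, so the local
     ossec.conf on each agent does not need the change. -->
<agent_config os="Linux">
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>

<!-- Extra entries for one agent only; "web01" and the path are assumed. -->
<agent_config name="web01">
  <syscheck>
    <directories realtime="yes" check_all="yes">/var/www</directories>
  </syscheck>
</agent_config>
```

A syntax error in agent.conf is reported in the agent's ossec.log on restart, so check there if the new directories do not show up in the agent's syscheck database.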


[ossec-list] Ossec agents not communcating with the server

2009-03-18 Thread Jose Luis Vázquez González

The ossec agents are NOT communicating with the server...

1) IT IS NOT a firewall issue. FIRST I added the 1514/udp rule to the
server firewall, THEN I even tried to take down iptables completely on
both agents AND the server.

2) I reinstalled the keys (as explained here
http://www.ossec.net/wiki/index.php/Errors:AgentCommunication) on one
agent and it didn't work either.

Symptoms:

One agent complains that:
Process locked...
Trying to connect to server...
Error: Unable to connect to server

The other (the one with renewed keys) complains that:
Process locked... (and stays like that for ever)

The server DOES NOT produce any output WHEN the clients complain. But
I have checked some previous complaints in which ossec-remoted says:
Error: No IP or network allowed in the access file list for
syslog...

Is there any solution to this, or should I just give up and throw ossec in the
bin?

(I am a developer most of my time more than a sysadmin, so I don't
have much time to spare on things like this)

Thanks in advance for any responses!


[ossec-list] ossec agents

2007-08-28 Thread Dan

hi list

I have a quick architecture question.
I saw that there is much less information in the agent's ossec.conf than
in the server's. Does the agent take the ossec.conf from the server to do
all tests?
What do I have to do when some agents need to check some logfiles which
aren't on the server? Is there a chance to have a customized client,
or do I have to configure everything on the server so that the agents get
the ossec.conf from the server?

I saw in the ossec.conf that there are some global rules; are local rules
also possible?

regards,
Dan


[ossec-list] OSSEC Agents on DHCP hosts

2006-10-06 Thread Simpson, Brett

I have a few hosts that use DHCP. The problem is if I add an agent with
a particular IP it's only good until the machine gets a new address. I
would prefer not to extend the lease or add the MAC addresses into DHCP
as some of the machines will move to different DHCP zones when
traveling.

Would it be possible to code in a non-IP-specific authentication method
for the agents to communicate?

Also another nice feature would be to configure the agents to use
primary and secondary OSSEC servers.
So let's say someone visits a remote site and no longer has access to
the primary, or the WAN link is too slow to support the traffic, then the
agent would try the next available one.
However the agent should be smart about it and first check to see if one
of the secondaries is closest to its current address.

Brett