[ossec-list] OSSEC Agents randomly disconnecting from Manager
Hi, I'm having a strange issue. I have agents that normally report to the manager just fine, but after an undetermined amount of time, this appears in the logs:

2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:51 ossec-logcollector: WARN: Process locked. Waiting for permission...
2019/12/16 13:20:55 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:20:55 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:21:16 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:22:12 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:22:12 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:22:33 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:23:47 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:23:47 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514

There's nothing in the manager logs to indicate any sort of issue, and other agents that are connected to the same manager keep on reporting fine.
I have some agents that disconnect after a few hours, and others that have been connected for weeks without issue, though the large majority do end up disconnecting at some point. If I manually remove the agent from the manager, and then get a new key with `agent-auth` & `agent-authd`, it continues working as normal.

I've already tried configuring the `notify_time` to 60. I also have turned on debugging for a few agents, but due to the seeming randomness of the disconnects, I'd like to avoid waiting weeks to finally get a useful log / disconnect.

The server is v3.3.0 and agents are generally either v3.2.0 or v3.3.0.

Also I'm aware I can try switching from UDP to TCP, however that would require reconfiguring 100s of servers across a half dozen environments, so I'd like to avoid doing that unless I'm certain it will be the fix.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/6d4bbd12-8031-4be2-be52-0aeeecc4772f%40googlegroups.com.
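The reconnect pattern in the log excerpt above (a "Setting lock" warning, then repeated "Connected to" / "Waiting for server reply" pairs) is easy to spot by eye once, but not across hundreds of agent logs. The following is an added example, not code from the post or from the OSSEC project: it parses the message formats visible in the excerpt and flags an agent log in which several "Waiting for server reply" warnings fall inside a short window. The sample lines are constructed from the post (with `SERVER-IP` kept as a placeholder), and the 10-minute window and threshold of 3 are choices made for this example, not OSSEC settings. Note that with UDP the "Connected to" line only means the agent's socket was set up; the following "Waiting for server reply (not started)" is the evidence that the manager never answered.

```python
"""Summarise reconnect churn in an OSSEC agent's ossec.log.

Added example; not code from the original post or from the OSSEC
project. It reads only the message formats visible in the post and the
"YYYY/MM/DD HH:MM:SS" timestamp prefix. The sample lines below are
constructed from the post; SERVER-IP is a placeholder.
"""
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Substrings taken from the agent log excerpt in the post.
MARKERS = {
    "lock_set": "Server unavailable. Setting lock.",
    "no_reply": "Waiting for server reply",
    "connect_attempt": "Trying to connect to server",
    "connected": "Connected to",
}

SAMPLE_LOG = """\
2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:51 ossec-logcollector: WARN: Process locked. Waiting for permission...
"""


def parse_events(text):
    """Yield (timestamp, kind) for every line that matches one of MARKERS."""
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        for kind, marker in MARKERS.items():
            if marker in msg:
                yield ts, kind
                break


def summarize(text, window=timedelta(minutes=10), threshold=3):
    """Count reconnect-related events and flag a flapping episode.

    An episode is flagged when at least `threshold` 'no reply' warnings
    fall inside any span of length `window`. Both defaults are chosen
    for this example; they are not OSSEC configuration values.
    """
    events = list(parse_events(text))
    counts = {kind: 0 for kind in MARKERS}
    for _, kind in events:
        counts[kind] += 1
    no_reply = [ts for ts, kind in events if kind == "no_reply"]
    flapping = any(
        no_reply[i + threshold - 1] - no_reply[i] <= window
        for i in range(len(no_reply) - threshold + 1)
    )
    first_lock = next((ts for ts, kind in events if kind == "lock_set"), None)
    return {"counts": counts, "first_lock": first_lock, "flapping": flapping}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("events:", result["counts"])
    print("first lock:", result["first_lock"])
    print("flapping:", result["flapping"])
```

Run it against a real `/var/ossec/logs/ossec.log` by passing the file contents to `summarize`; the `first_lock` timestamp is the point to line up with the manager's own log, since the post notes the manager shows nothing at that time.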
[ossec-list] OSSEC agents spooling
Can somebody give some feedback in relation to the below, please?

In the event an OSSEC core server was to go offline for an extended period of time, will the agents keep storing syscheck alerts locally until the core comes back online? If the agents do spool alert logs locally, the risk is disk space on agents filling up. Any settings to prevent this?

Lastly, the local agent log, OSSEC.log. Any way to limit the size?

Thanks a lot.
Re: [ossec-list] OSSEC Agents are not Connecting to Different Network Segments
On Thu, Jul 18, 2019 at 1:39 AM sunitha s wrote:
>
> Hi all,
>
> I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC. I have installed OSSEC agents in the same network segment; the agents are connected and sending logs to the OSSEC server. I also installed agents in different network segments, and all the configuration is done properly (the agent IPs are pingable, the internal firewall is disabled). When I run the command /var/ossec/bin/manage-agents it lists all the agents from the different network segments, but when I run the command /var/ossec/bin/agent-control -l it shows the agent state as "NEVER CONNECTED".
>
> Can anyone help me connect the agents from the different network segments?
>

Make sure they aren't communicating by checking for alerts from the not-connected agents.
Make sure the IP address that the OSSEC server sees the agents as is the IP configured in manage_agents (no NAT).
Use tcpdump to make sure the traffic from the agent is making it to the OSSEC server (default: port 1514 udp).
Check the agent's ossec.log for errors.
Check the server's ossec.log for errors.
[ossec-list] OSSEC Agents are not Connecting to Different Network Segments
Hi all,

I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC. I have installed OSSEC agents in the same network segment; the agents are connected and sending logs to the OSSEC server. I also installed agents in different network segments, and all the configuration is done properly (the agent IPs are pingable, the internal firewall is disabled). When I run the command /var/ossec/bin/manage-agents it lists all the agents from the different network segments, but when I run the command /var/ossec/bin/agent-control -l it shows the agent state as "NEVER CONNECTED".

Can anyone help me connect the agents from the different network segments?
Re: [ossec-list] OSSEC Agents Unable to Connect to Server
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote:
> OSSEC agents this morning were working without issue and then began reporting as Disconnected. Agent logs are returning the following error:
>
> 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for permission...
> 2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '.
> 2017/03/27 10:14:51 ossec-agent: INFO: Trying to connect to server (:1514).
>
> Nothing has changed on the server to the best of our knowledge. One anomaly we are seeing that may be related is the following when restarting Wazuh manager services:
>
> Deleting PID file '/var/ossec/var/run/ossec-remoted-4816.pid' not used...

Looks like remoted died. You might want to ask about this on the Wazuh mailing list. They should be able to help you track it down.

> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> ossec-remoted not running ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> Killing ossec-execd ..
> Killing wazuh-modulesd ..
> Wazuh v2.0 Stopped
> Starting Wazuh v2.0 (maintained by Wazuh Inc.)...
> Started wazuh-modulesd...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
> /var/ossec/bin/ossec-analysisd -V
> Wazuh v2.0 - Wazuh Inc.
>
> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 2) as published by the Free Software Foundation. For more details, go to http://www.ossec.net/main/license/
>
> /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> NAME="Wazuh"
> VERSION="v2.0"
> DATE="Wed Mar 15 11:38:44 UTC 2017"
> TYPE="server"
>
> Any suggestions would be greatly appreciated.
[ossec-list] OSSEC Agents Unable to Connect to Server
OSSEC agents this morning were working without issue and then began reporting as Disconnected. Agent logs are returning the following error:

2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for permission...
2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '.
2017/03/27 10:14:51 ossec-agent: INFO: Trying to connect to server (:1514).

Nothing has changed on the server to the best of our knowledge. One anomaly we are seeing that may be related is the following when restarting Wazuh manager services:

*Deleting PID file '/var/ossec/var/run/ossec-remoted-4816.pid' not used...*
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
Killing wazuh-modulesd ..
Wazuh v2.0 Stopped
Starting Wazuh v2.0 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

/var/ossec/bin/ossec-analysisd -V
Wazuh v2.0 - Wazuh Inc.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 2) as published by the Free Software Foundation. For more details, go to http://www.ossec.net/main/license/

/etc/ossec-init.conf
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v2.0"
DATE="Wed Mar 15 11:38:44 UTC 2017"
TYPE="server"

Any suggestions would be greatly appreciated.
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
Before doing what I said above, check that your client.keys doesn't have duplicated IPs.

On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote:
>
> Hi Tahir,
>
> It could be an issue with the keys. OSSEC (agents and manager) keep a counter of each message sent and received in /var/ossec/queue/rids. This is a technique to prevent replay attacks. Let's try the following:
>
> - In an agent of your particular subnet: stop it and go to /var/ossec/queue/rids and remove every file in there.
> - In the manager: stop it and remove the rids file with the same name as the agent id that is reporting errors.
> - Restart the manager and the agent.
>
> Then, review the ossec.log of the agent to see what happens.
>
> In case that this works, you will need to do the same in each agent. Also, if you don't need the feature to prevent replay attacks, you can disable it by changing *remoted.verify_msg_id* from 1 to 0 in /var/ossec/etc/internal_options.conf.
>
> Regards.
>
> On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote:
>> > Thanks. I am seeing this in the alerts.log for the ones not connecting. I mean they seem to be able to connect in network terms but not to the OSSEC server instance process:
>> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
>> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
>> >
>> > Is there something we are not doing to allow these particular agents to connect - a key file etc?
>> >
>>
>> Is that IP an IP you expect an agent to come from?
>> Did you duplicate IPs when adding agents in manage_agents?
>>
>> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>> >>
>> >> It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what the issue is.
>> >>
>> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>> >>>
>> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
>> >>> > We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
>> >>> > However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
>> >>> >
>> >>> > We have opened up port 1514 UDP between subnets for ingress and egress traffic.
>> >>> >
>> >>> > Is there anything that we should do to allow server and agent communication?
>> >>> >
>> >>>
>> >>> Do you see the traffic on the server from the hosts that are having issues?
>> >>> Do the source IPs match your expectations?
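Two replies in this thread point at the same check: dan asks whether IPs were duplicated when adding agents in manage_agents, and the message above says to look for duplicated IPs in client.keys. The script below is an added example, not code from the thread or from the OSSEC project. It assumes the client.keys line layout `<id> <name> <ip> <key>`, where `<ip>` is a single address, a CIDR network, or the word `any`, and that lines beginning with `#` are ignored. It reports IP specs shared by more than one agent and, as a simplified model of the manager's lookup (an assumption of this example, not OSSEC's actual code), lists which entries would match a given packet source address; a source that matches no entry or more than one is the situation the "Invalid ID for the source ip" discussion is about. The file content is constructed and the keys are dummy hex strings.

```python
"""Check an OSSEC client.keys file for duplicated agent IPs.

Added example; not code from the thread or from the OSSEC project. It
assumes the client.keys line layout "<id> <name> <ip> <key>", where
<ip> is a single address, a CIDR network, or the word "any", and that
lines starting with '#' are ignored. The file content below is
constructed; the keys are dummy hex strings.
"""
from collections import defaultdict
import ipaddress

SAMPLE_CLIENT_KEYS = """\
001 web01 10.0.1.10 1111111111111111111111111111111111111111111111111111111111111111
002 web02 10.0.1.11 2222222222222222222222222222222222222222222222222222222222222222
003 dbnet 10.0.2.0/24 3333333333333333333333333333333333333333333333333333333333333333
004 web02-rebuilt 10.0.1.11 4444444444444444444444444444444444444444444444444444444444444444
005 roaming any 5555555555555555555555555555555555555555555555555555555555555555
# 006 retired 10.0.9.9 6666666666666666666666666666666666666666666666666666666666666666
"""


def parse_client_keys(text):
    """Return a list of (id, name, ip_spec) tuples; the key itself is dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, ip_spec, _key = parts
        entries.append((agent_id, name, ip_spec))
    return entries


def find_duplicate_ips(text):
    """Map each IP spec that appears more than once to the agent IDs sharing it."""
    by_ip = defaultdict(list)
    for agent_id, _name, ip_spec in parse_client_keys(text):
        by_ip[ip_spec].append(agent_id)
    return {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}


def entries_matching_source(text, source_ip):
    """List agent IDs whose IP spec covers a packet's source address.

    Simplified model of the manager-side lookup (an assumption of this
    example): a source matching no entry cannot be associated with a key,
    and a source matching several entries is ambiguous, which is exactly
    what a duplicated IP produces.
    """
    src = ipaddress.ip_address(source_ip)
    matches = []
    for agent_id, _name, ip_spec in parse_client_keys(text):
        if ip_spec == "any" or src in ipaddress.ip_network(ip_spec, strict=False):
            matches.append(agent_id)
    return matches


if __name__ == "__main__":
    for ip, ids in find_duplicate_ips(SAMPLE_CLIENT_KEYS).items():
        print(f"duplicate IP {ip}: agents {', '.join(ids)}")
    print("10.0.1.11 matches:", entries_matching_source(SAMPLE_CLIENT_KEYS, "10.0.1.11"))
```

To run it on a manager, read `/var/ossec/etc/client.keys` and pass its contents to `find_duplicate_ips`; treat the file as a secret while doing so, since it holds every agent's key.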
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
Hi Tahir,

It could be an issue with the keys. OSSEC (agents and manager) keep a counter of each message sent and received in /var/ossec/queue/rids. This is a technique to prevent replay attacks. Let's try the following:

- In an agent of your particular subnet: stop it and go to /var/ossec/queue/rids and remove every file in there.
- In the manager: stop it and remove the rids file with the same name as the agent id that is reporting errors.
- Restart the manager and the agent.

Then, review the ossec.log of the agent to see what happens.

In case that this works, you will need to do the same in each agent. Also, if you don't need the feature to prevent replay attacks, you can disable it by changing *remoted.verify_msg_id* from 1 to 0 in /var/ossec/etc/internal_options.conf.

Regards.

On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote:
> > Thanks. I am seeing this in the alerts.log for the ones not connecting. I mean they seem to be able to connect in network terms but not to the OSSEC server instance process:
> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
> >
> > Is there something we are not doing to allow these particular agents to connect - a key file etc?
> >
>
> Is that IP an IP you expect an agent to come from?
> Did you duplicate IPs when adding agents in manage_agents?
>
> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
> >>
> >> It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what the issue is.
> >>
> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
> >>>
> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
> >>> > We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
> >>> > However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
> >>> >
> >>> > We have opened up port 1514 UDP between subnets for ingress and egress traffic.
> >>> >
> >>> > Is there anything that we should do to allow server and agent communication?
> >>> >
> >>>
> >>> Do you see the traffic on the server from the hosts that are having issues?
> >>> Do the source IPs match your expectations?
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote:
> Thanks. I am seeing this in the alerts.log for the ones not connecting. I mean they seem to be able to connect in network terms but not to the OSSEC server instance process:
> ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
> ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
>
> Is there something we are not doing to allow these particular agents to connect - a key file etc?
>

Is that IP an IP you expect an agent to come from?
Did you duplicate IPs when adding agents in manage_agents?

> On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>>
>> It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what the issue is.
>>
>> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
>>> > We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
>>> > However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
>>> >
>>> > We have opened up port 1514 UDP between subnets for ingress and egress traffic.
>>> >
>>> > Is there anything that we should do to allow server and agent communication?
>>> >
>>>
>>> Do you see the traffic on the server from the hosts that are having issues?
>>> Do the source IPs match your expectations?
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
Hi Tahir,

Are your agents configured with a static IP, a network, or set to ANY?

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On June 17, 2016 at 11:27:22 AM, Tahir Hafiz (tahir.ha...@gmail.com) wrote:
> ERROR: Invalid ID for the source ip
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
Thanks. I am seeing this in the alerts.log for the ones not connecting. I mean they seem to be able to connect in network terms but not to the OSSEC server instance process:

ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.

Is there something we are not doing to allow these particular agents to connect - a key file etc?

On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>
> It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what the issue is.
>
> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
>> > We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
>> > However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
>> >
>> > We have opened up port 1514 UDP between subnets for ingress and egress traffic.
>> >
>> > Is there anything that we should do to allow server and agent communication?
>> >
>>
>> Do you see the traffic on the server from the hosts that are having issues?
>> Do the source IPs match your expectations?
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what the issue is.

On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
> > We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
> > However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
> >
> > We have opened up port 1514 UDP between subnets for ingress and egress traffic.
> >
> > Is there anything that we should do to allow server and agent communication?
> >
>
> Do you see the traffic on the server from the hosts that are having issues?
> Do the source IPs match your expectations?
Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
> We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
> However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.
>
> We have opened up port 1514 UDP between subnets for ingress and egress traffic.
>
> Is there anything that we should do to allow server and agent communication?
>

Do you see the traffic on the server from the hosts that are having issues?
Do the source IPs match your expectations?
[ossec-list] OSSEC agents on different subnet unable to connect OSSEC server
We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine. However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.

We have opened up port 1514 UDP between subnets for ingress and egress traffic.

Is there anything that we should do to allow server and agent communication?
Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped
Jesus is totally right. The timeout he is talking about is 3*NOTIFY_TIME+30, and NOTIFY_TIME by default is 600 seconds. Check the last modification date on every agent-info/* file and wait until that time is more than 30'30''.

Best regards,
Pedro S.

On Thursday, April 7, 2016 at 8:08:02 PM UTC+2, Jesus Linares wrote:
>
> Hi,
>
> in order to know if an agent is connected, disconnected or never connected, OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/:
>
> - if there is no file for the agent, the status is *never connected*
> - if the modification time of the file is less than a defined timeout, the status is *active*. If it is greater, then the status is *disconnected*.
>
> I guess those files are updated by the Manager each time that the agents send a "keep-alive".
>
> I'm not sure, but I think the timeout is around 30 minutes.
>
> Regards,
> Jesus Linares.
>
> On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>>
>> Hello Dan,
>>
>> Thanks for the reply. Yeah it's the old data, I ran ./agent_control -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k even though the manager's ossec process is stopped. I am trying to figure out where the cache is stored. I need to remove that data before starting the manager's OSSEC process back.
>>
>> Without removing that data, if I start back the manager's ossec process the 3k count remains the same and the remaining agents do not show up as active.
>>
>> Thanks,
>> Sandeep.
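The rule stated in this thread (no agent-info file means never connected; a file modified less than 3*NOTIFY_TIME+30 seconds ago means active; anything older means disconnected) also explains the original question: stopping the manager stops the keep-alive updates, so the files keep their last mtime and agents stay "Active" until the window runs out. The following is an added example, not code from the thread or from the OSSEC project. It implements that classification over a mapping of agent labels to file mtimes, with a helper that gathers real mtimes from `/var/ossec/queue/agent-info/` (the directory named in the thread). The default NOTIFY_TIME of 600 s is the value the thread gives; the agent labels and mtimes in the sample are constructed and the label format is not a claim about how OSSEC names those files.

```python
"""Classify OSSEC agents from /var/ossec/queue/agent-info/ mtimes.

Added example; not code from the thread or from the OSSEC project. It
applies the rule stated in the thread: no agent-info file means "never
connected"; a file modified less than 3*NOTIFY_TIME+30 seconds ago
means "active"; older means "disconnected". The directory name and the
default NOTIFY_TIME of 600 s come from the thread; the labels and
mtimes in the sample below are constructed.
"""
import os

DEFAULT_NOTIFY_TIME = 600  # seconds, per the thread


def status_timeout(notify_time=DEFAULT_NOTIFY_TIME):
    """Seconds since the last keep-alive after which an agent counts as disconnected."""
    return 3 * notify_time + 30  # 1830 s with the default, i.e. 30'30''


def classify(mtimes, now, notify_time=DEFAULT_NOTIFY_TIME):
    """mtimes: {agent_label: last_modified_epoch or None}; returns {label: status}."""
    timeout = status_timeout(notify_time)
    statuses = {}
    for label, mtime in mtimes.items():
        if mtime is None:
            statuses[label] = "Never connected"
        elif now - mtime < timeout:
            statuses[label] = "Active"
        else:
            statuses[label] = "Disconnected"
    return statuses


def read_agent_info(dirpath="/var/ossec/queue/agent-info", known_labels=()):
    """Collect mtimes from the real directory; known labels without a file map to None."""
    mtimes = {label: None for label in known_labels}
    if os.path.isdir(dirpath):
        for entry in os.scandir(dirpath):
            if entry.is_file():
                mtimes[entry.name] = entry.stat().st_mtime
    return mtimes


# Constructed scenario: the manager was stopped at SAMPLE_NOW and nothing
# has touched agent-info since. Agents refreshed shortly before the stop
# still classify as Active, which is what the thread observed.
SAMPLE_NOW = 1_700_000_000
SAMPLE_MTIMES = {
    "agent-a": SAMPLE_NOW - 120,     # recent keep-alive
    "agent-b": SAMPLE_NOW - 1_829,   # one second inside the window
    "agent-c": SAMPLE_NOW - 1_830,   # exactly at the timeout
    "agent-d": SAMPLE_NOW - 86_400,  # a day old
    "agent-e": None,                 # no file yet
}

if __name__ == "__main__":
    for label, status in classify(SAMPLE_MTIMES, SAMPLE_NOW).items():
        print(f"{label}: {status}")
```

Calling `classify(read_agent_info(), time.time())` on a manager reproduces the status view without starting any OSSEC process, which is a quick way to confirm that a stale "Active" count is just file mtimes that have not yet aged past the timeout.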
Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped
Hi,

in order to know if an agent is connected, disconnected or never connected, OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/:

- if there is no file for the agent, the status is *never connected*
- if the modification time of the file is less than a defined timeout, the status is *active*. If it is greater, then the status is *disconnected*.

I guess those files are updated by the Manager each time that the agents send a "keep-alive".

I'm not sure, but I think the timeout is around 30 minutes.

Regards,
Jesus Linares.

On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>
> Hello Dan,
>
> Thanks for the reply. Yeah it's the old data, I ran ./agent_control -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k even though the manager's ossec process is stopped. I am trying to figure out where the cache is stored. I need to remove that data before starting the manager's OSSEC process back.
>
> Without removing that data, if I start back the manager's ossec process the 3k count remains the same and the remaining agents do not show up as active.
>
> Thanks,
> Sandeep.
Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped
Hello Dan,

Thanks for the reply. Yeah, it's the old data. I ran ./agent_control -lc|grep ID:|wc -l to list the count of active agents and it shows 3k even though the manager's ossec process is stopped. I am trying to figure out where the cache is stored. I need to remove that data before starting the manager's OSSEC process back.

Without removing that data, if I start the manager's ossec process back, the 3k count remains the same and the remaining agents do not show up as active.

Thanks,
Sandeep.
Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped
On Tue, Apr 5, 2016 at 11:01 AM, sandeep ganti wrote:
> I have waited for 15-30 mins for those 3k agents to show as disconnected before restarting the OSSEC process on the server, but they still remain Active even after the OSSEC process is stopped on the Server.

If the manager's ossec processes aren't running, how is it going to update the status? I'm not sure where the info is cached (or how you're checking the status), but it's probably old data.
[ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped
Hello,

I have about 6k servers in my environment connected to one OSSEC Server/manager. Out of the 6k only approx. 3k show up as active and the rest are shown as disconnected. I decided to kill the OSSEC process on the Server/manager and perform a restart so that upon the restart I could see all 6k as active, but to my surprise even after stopping the OSSEC process on the server/manager those 3k servers still show as Active.

I believe there is something wrong on the Server/manager. Can someone please advise me on this? I have waited for 15-30 mins for those 3k agents to show as disconnected before restarting the OSSEC process on the server, but they still remain Active even after the OSSEC process is stopped on the Server.

Thanks,
Sandeep.
Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected
Hi Steve,

yes, what you said makes sense. Those kinds of messages are typically related to network issues, so I think there might be something we are missing. If that is ok with you I'll send you a private message, since I've been a long-term Alienvault employee and maybe I can help.

Best

On Mon, May 11, 2015 at 11:00 AM, Steve MacDougall <smacdoug...@bluepay.com> wrote:
> The server is, for some reason, not responding.
Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected
Sure. That would be great. As I mentioned, I have a case open with AV already, but I think the tech that's working on my case is in Ireland, so our work hours don't overlap much. Anything you can do to help would be appreciated. If you have access to the support cases, it's case # 00056663.

Steve MacDougall | Sr. Systems/Network Administrator
BluePay Canada
e: smacdoug...@bluepay.ca
w: www.bluepay.ca

On 11 May 2015 at 14:18, Santiago Bassett <santiago.bass...@gmail.com> wrote:
> If that is ok with you I'll send you a private message, since I've been a long-term Alienvault employee and maybe I can help.
Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected
I added the agents using the IP address of the OSSEC server, which is statically configured. The server has multiple interfaces, but I used the IP address appropriate for the VLAN my agents were connecting from. I've confirmed the connections come in on the expected interface from the expected IP. I checked the other interface to make sure the responses weren't going back out another interface for some reason. The only thing I ever see in the log is this:

2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.
2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server (10.10.1.203:1514).
2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .
2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.

The only thing I've found related to this error is to check for a firewall. Since these connections are local, there's no firewall in the way. Some of the agents are on servers with local firewalls, but I've verified that the OSSEC connections are hitting the server, so firewalls aren't the issue. The server is, for some reason, not responding.

On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote:
> Is tcpdump output showing the same IP you used when adding those?
Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected
Hi Steve,

do you use DHCP or fixed IP addresses in your environment? Do your servers have one or more than one IP? When you added the agents, did you use fixed IPs for each one? Is tcpdump output showing the same IP you used when adding those?

Best

On Mon, May 11, 2015 at 8:54 AM, Steve MacDougall <smacdoug...@bluepay.com> wrote:
> A tcpdump on the server side shows traffic from the agents, but no server response.
[ossec-list] OSSEC agents frequently alternating between active and disconnected
I have OSSEC running as part of an Alienvault installation, with about 20 agents configured. Recently I've observed that most of the agents will show as disconnected. After a few hours all of them except for one or two will show active again. Then within a short period of time, most of them will go back to disconnected. This goes on throughout the day, with different numbers of agents showing active or disconnected at any given time. There's no specific group of agents this happens to. It can be any agent.

There's nothing in the log to suggest any issue with keys. I've also deleted and re-installed agents with no success. Firewalls aren't an issue since the agents are on the same VLAN as the AlienVault interface they're connecting to, and they are able to connect at times. Although there's nothing in the logs to suggest a problem with counters, I shut down the server and agents, deleted everything in /var/ossec/queue/rids and restarted everything. Initially this seemed to work. All the agents connected, but within half an hour most were disconnected again. For laughs, I also tried setting 'remoted.verify_msg_id=0' on the server, but this didn't help. I played around with the notify_time and time-reconnect client options, but these didn't help. I've turned on full debugging on client and server as well, but nothing shows up in the log to help me troubleshoot. A tcpdump on the server side shows traffic from the agents, but no server response.

I have a support case open with AlienVault as well, but I suspect people in this group may have more specific OSSEC experience than AlienVault support. The server and all the agents are running OSSEC 2.8.1.
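Added example, not part of Steve's post or of OSSEC: a small Python checker that runs over agent-side ossec.log lines like the ones quoted in this thread and reports whether connect attempts are going unanswered. "Waiting for server reply (not started)" is what ossec-agentd logs when it has sent its startup message and nothing came back within its wait window, so pairing each "Trying to connect" with the 4101 warning that follows it, and measuring the gaps between warnings, separates Steve's case (packets arrive at the manager per tcpdump, but no reply ever comes) from an agent that merely reconnects once in a while. The sample lines are the four Steve posted; the rule in analyze() that decides "manager not replying" is the example's own choice, not an OSSEC heuristic.

```python
"""Flap checker for ossec-agentd log lines. Added example, not part of the
thread or of OSSEC. It pairs every 'Trying to connect' with the 4101 warning
that follows it to count unanswered connection attempts."""
import re
from datetime import datetime

# The four lines Steve posted, embedded so the example runs offline.
SAMPLE_LOG = """\
2015/05/11 13:49:23 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.
2015/05/11 13:52:43 ossec-agentd: INFO: Trying to connect to server (10.10.1.203:1514).
2015/05/11 13:52:43 ossec-agentd: INFO: Using IPv4 for: 10.10.1.203 .
2015/05/11 13:53:04 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.1.203'.
"""

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_agent_log(text):
    """Return (timestamp, kind, server_ip) tuples for the lines that matter:
    'attempt'  - ossec-agentd: Trying to connect to server ...
    'no_reply' - ossec-agentd(4101): Waiting for server reply (not started)
    'lock'     - ossec-agentd: Server unavailable. Setting lock.
    Everything else (rootcheck, 'Using IPv4', the socket-level 'Connected to'
    line) is skipped, so consecutive events sit next to each other."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        ip = IP_RE.search(msg)
        server = ip.group(1) if ip else None  # None when the IP was redacted
        if "Waiting for server reply" in msg:
            events.append((ts, "no_reply", server))
        elif "Trying to connect to server" in msg:
            events.append((ts, "attempt", server))
        elif "Server unavailable" in msg:
            events.append((ts, "lock", server))
    return events


def analyze(events):
    """Count attempts that were directly followed by a 4101 warning, how long
    the agent waited before logging each, and the spacing of the warnings."""
    attempts = [e for e in events if e[1] == "attempt"]
    warnings = [e for e in events if e[1] == "no_reply"]
    unanswered, wait_seconds = 0, []
    for i, (ts, kind, _) in enumerate(events):
        if kind != "attempt" or i + 1 >= len(events):
            continue
        nxt_ts, nxt_kind, _ = events[i + 1]
        if nxt_kind == "no_reply":
            unanswered += 1
            wait_seconds.append(int((nxt_ts - ts).total_seconds()))
    gaps = [int((b[0] - a[0]).total_seconds())
            for a, b in zip(warnings, warnings[1:])]
    return {
        "attempts": len(attempts),
        "unanswered": unanswered,
        "no_reply_warnings": len(warnings),
        "reply_wait_seconds": wait_seconds,
        "seconds_between_warnings": gaps,
        "servers_tried": sorted({s for _, _, s in events if s}),
        # Example's own rule: repeated 4101 warnings and not a single attempt
        # followed by anything else means packets leave, nothing comes back.
        "manager_not_replying": (len(warnings) >= 2 and len(attempts) > 0
                                 and unanswered == len(attempts)),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in analyze(parse_agent_log(text)).items():
        print(f"{key:26} {value}")
```

On Steve's four lines this reports one attempt, one unanswered, two warnings 221 seconds apart and a 21-second wait between the attempt and its warning; when every attempt in a day's log ends that way, the next place to look is whatever sits between the manager's socket and the wire (the interface the reply leaves on, host firewall state, remoted itself), since the agent side is doing its part.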
Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
I just investigated this as I've been working on the eventchannel code quite a bit. The eventchannel code will bookmark the last location so the agent can pick up again where it left off. Also, if the manager is down and seen as disconnected by the agent, then it will behave the same way as the eventlog code does and wait for it to come back to life before sending more log data.
Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
Hi,

thanks for your response. Considering some changelogs that I saw and the tests that I made, OSSEC still doesn't buffer the logs / continue with the last unsent event.

Indeed I tested NXLOG as the shipper for Windows events and it works pretty well in the community edition, but it doesn't have the ability to manage the configs of all agents from one server :/. But I think that's better than nothing.

Cheers

On Tuesday, June 17, 2014 at 16:40:04 UTC+2, Michael Starks wrote:
> Consider using something like NXLOG, which should be feature-full enough for your requirements, and then analyze the logs as syslog on the manager.
Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
On Wed, Jun 18, 2014 at 2:19 AM, horst knete <baduncl...@hotmail.de> wrote:
> Considering some changelogs that I saw and the tests that I made, OSSEC still doesn't buffer the logs / continue with the last unsent event.

The OSSEC project does accept code contributions.
[ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
Hey Guys,

we are implementing an OSSEC installation in our environment due to the great functionality of the system. We have agents on both Linux and Windows and the log shipment is working fine. But as we tested what happens if the OSSEC server goes down (i.e. for maintenance), the Windows logs which are produced during the downtime don't get shipped to the OSSEC server after it is online again.

According to this post from the year 2010, https://groups.google.com/forum/#!topic/ossec-list/F_izIq3zEi4, the developer doesn't seem interested in implementing such a feature. Unfortunately our environment is very critical and if logs get lost this would be an unacceptable behavior for us.

Hopefully you can provide us with some good news :)
Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
On Tue, Jun 17, 2014 at 4:17 AM, horst knete <baduncl...@hotmail.de> wrote:
> According to this post from the year 2010, https://groups.google.com/forum/#!topic/ossec-list/F_izIq3zEi4, the developer doesn't seem interested in implementing such a feature.

I don't believe anything has changed. You could check the release notes for the past 4 years of releases though to make sure.
Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?
On 2014-06-17 3:17, horst knete wrote:
> But as we tested what happens if the OSSEC server goes down (i.e. for maintenance), the Windows logs which are produced during the downtime don't get shipped to the OSSEC server after it is online again.

I think the new eventchannel functionality is designed to bookmark the last location of the logs and ship them, but that may be only if the agent service is down, not the manager. And eventchannel doesn't work at all for me, so it may be a moot point.

For this and other reasons, I don't use the OSSEC agent for log transport on Windows. Consider using something like NXLOG, which should be feature-full enough for your requirements, and then analyze the logs as syslog on the manager.
Re: [ossec-list] OSSEC Agents Spawned from Image?
On Thu, Apr 11, 2013 at 4:09 PM, Sam Oehlert somidsc...@gmail.com wrote:
> I can't find a way to accomplish this, but basically the situation breaks down like this: We have a group of machines that are all booted off of one image over the network. We would like to have the agent running on them, but since they don't have persistent storage, that would have to be in the image. I'm not sure that would work as they would all share the same info then, which seemingly would cause issues. Can anyone think of a way to deal with this? Would it be possible to script a way to install all of these agents after they are booted somehow?

Have them either create a new key via agent-auth (and probably some back-end shenanigans to keep the number of agents down) when they boot. Or have them load a key from some network storage (authenticating this could be difficult), and turn off rids.
[ossec-list] OSSEC Agents Spawned from Image?
I can't find a way to accomplish this, but basically the situation breaks down like this: We have a group of machines that are all booted off of one image over the network. We would like to have the agent running on them, but since they don't have persistent storage, that would have to be in the image. I'm not sure that would work as they would all share the same info then, which seemingly would cause issues. Can anyone think of a way to deal with this? Would it be possible to script a way to install all of these agents after they are booted somehow?
Re: [ossec-list] Ossec agents dont generate alerts for missing files or directories
On Sun, Apr 7, 2013 at 8:44 PM, Erkki Saikkonen eki.saikko...@gmail.com wrote:
> Hi, new to using OSSEC, need help with use and alerts. Why don't OSSEC agents generate alerts if you remove a directory or file listed in the syscheckd

Agents never generate alerts, only servers (and local installs) generate alerts.

> configuration in ossec.conf? The other thing is that OSSEC doesn't report changes

You should get alerts for this. Check for rule 553 in alerts.log. Also, check for the file in the agent's syscheck db in /var/ossec/queue/syscheck.

> of ownership or rights for directories at all. Only file changes are alerted. I get a WARN in the agent's own ossec.log, but no alert in the server's alerts.log. Am I missing something here? Example piece of my configuration:
> <directories check_all="yes">%WINDIR%/important/important.txt</directories>
> or
> <directories check_all="yes">%WINDIR%/important</directories>
> Any help much appreciated!
[ossec-list] Ossec agents dont generate alerts for missing files or directories
Hi, new to using OSSEC, need help with use and alerts. Why don't OSSEC agents generate alerts if you remove a directory or file listed in the syscheckd configuration in ossec.conf? The other thing is that OSSEC doesn't report changes of ownership or rights for directories at all. Only file changes are alerted. I get a WARN in the agent's own ossec.log, but no alert in the server's alerts.log. Am I missing something here? Example piece of my configuration:
<directories check_all="yes">%WINDIR%/important/important.txt</directories>
or
<directories check_all="yes">%WINDIR%/important</directories>
Any help much appreciated!
Re: [ossec-list] Ossec agents are not appearing in Ossec Server
On Mon, Mar 4, 2013 at 2:46 AM, Umair Mustafa umair.ksa2...@gmail.com wrote:
> I installed the OSSEC server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with the OSSEC server and 3 are not. This is the OSSEC server information:
> DIRECTORY=/var/ossec
> VERSION=v2.5.1
> DATE=Thu Jan 13 17:03:30 AST 2011
> TYPE=server
> And this is the log which I collected from the newly installed agent:
> 2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> 2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
> 2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
> 2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> 2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
> 2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
> 2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> 2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
> 2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
> 2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> 2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
> 2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
> 2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> 2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
> 2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
> 2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
> Agent info:
> [root@pdbosl02 etc]# cat ossec-init.conf
> DIRECTORY=/var/ossec
> VERSION=v2.6

Your server is version 2.5.1.

> DATE=Sat Aug 25 13:56:49 AST 2012
> TYPE=agent
[ossec-list] Ossec agents are not appearing in Ossec Server
I installed the OSSEC server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with the OSSEC server and 3 are not. This is the OSSEC server information:
DIRECTORY=/var/ossec
VERSION=v2.5.1
DATE=Thu Jan 13 17:03:30 AST 2011
TYPE=server
And this is the log which I collected from the newly installed agent:
2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
Agent info:
[root@pdbosl02 etc]# cat ossec-init.conf
DIRECTORY=/var/ossec
VERSION=v2.6
DATE=Sat Aug 25 13:56:49 AST 2012
TYPE=agent
Re: [ossec-list] OSSEC agents
On Thu, May 31, 2012 at 1:07 PM, Maahkus mark.v...@gmail.com wrote:
> Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user that added it - can't seem to figure out how. Regards,

Nope. There may be a way to log who runs manage_agents through your OS.
Re: [ossec-list] OSSEC agents
Every time an agent is first connected, OSSEC generates an alert for it:
Rule: 501 (level 3) - 'New ossec agent connected.'
So you can probably use that to get more information on when it was first connected... But there is no easy (standard) way to detect when the client.keys file was modified (only if you add that to syscheck).

thanks,
--
Daniel B. Cid
http://dcid.me

On Thu, May 31, 2012 at 2:07 PM, Maahkus mark.v...@gmail.com wrote:
> Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user that added it - can't seem to figure out how. Regards,
[ossec-list] OSSEC agents
Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user that added it - can't seem to figure out how. Regards,
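Daniel's suggestion above, putting client.keys under syscheck so that a change to the agent key store at least produces an alert, written out as an added example (this is not from the list or from the OSSEC project; it assumes a default /var/ossec manager install with the manager's own syscheck enabled, and rule id 100100 is an arbitrary pick from the range OSSEC reserves for local rules):

```xml
<!-- Manager's /var/ossec/etc/ossec.conf (assumed default path): watch the
     agent key store itself so that manage_agents or a manual edit produces
     a syscheck alert on the manager. -->
<syscheck>
  <!-- realtime needs inotify support in the manager's syscheck build;
       without it the change is only seen on the next scheduled scan.
       report_changes is deliberately left off: client.keys holds the
       agents' shared keys, and a diff in the alert would copy key material
       into alerts.log and any alert e-mail. -->
  <directories realtime="yes" check_all="yes">/var/ossec/etc/client.keys</directories>
</syscheck>

<!-- /var/ossec/rules/local_rules.xml: raise the level for that one file so
     it stands out from routine checksum alerts. 550 and 551 are the stock
     syscheck "integrity checksum changed" rules; the match is on the file
     name carried in the syscheck message. -->
<group name="local,syscheck,">
  <rule id="100100" level="10">
    <if_sid>550,551</if_sid>
    <match>client.keys</match>
    <description>OSSEC agent key store client.keys was modified.</description>
  </rule>
</group>
```

This only tells you that the file changed and when; pairing the alert with the rule 501 "New ossec agent connected" event for the same time window is what narrows it down to a specific agent addition.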
[ossec-list] OSSEC agents grouping
Hi Dan, I need help on how to group the OSSEC agents. For example, I have an OSSEC server already installed and up. Now I want to install OSSEC agents on nearly 300 servers, and I want to group all these agents like the following:
Production Application
Production Web
Production SQL
Production Oracle
Stage Application
Stage Web
and the same thing for the test environment also. Please provide me the detailed steps on how to make this config. Thanks in advance! -Gopal.C
Re: [ossec-list] OSSEC agents grouping
What do you mean by group them? In what?

On Tue, Jul 26, 2011 at 10:42 AM, gopal krishnan gopikrishna...@gmail.com wrote:
> Hi Dan, I need help on how to group the OSSEC agents. For example, I have an OSSEC server already installed and up. Now I want to install OSSEC agents on nearly 300 servers, and I want to group all these agents like the following:
> Production Application
> Production Web
> Production SQL
> Production Oracle
> Stage Application
> Stage Web
> and the same thing for the test environment also. Please provide me the detailed steps on how to make this config. Thanks in advance! -Gopal.C
[ossec-list] ossec agents
I have OSSEC installed as a master/agent setup. There are about 30 agents running with one master. I recently changed the ossec.conf to monitor changes in directories in real time:
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
Do I have to add this change (realtime="yes") to each agent's ossec.conf, or is just changing it on the master and restarting OSSEC enough?
Re: [ossec-list] ossec agents
You need to change it in each system's ossec.conf, or utilize the agent.conf. Changing it in the manager's ossec.conf will only affect the manager.

On Thu, Feb 10, 2011 at 9:01 AM, Rob robr...@gmail.com wrote:
> I have OSSEC installed as a master/agent setup. There are about 30 agents running with one master. I recently changed the ossec.conf to monitor changes in directories in real time:
> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
> Do I have to add this change (realtime="yes") to each agent's ossec.conf, or is just changing it on the master and restarting OSSEC enough?
Re: [ossec-list] ossec agents
I believe you have to do it on all agents. Also you can do it centralized by configuring the agent.conf file at the server.
--
Sent from my iPhone

On Feb 10, 2011, at 9:01 AM, Rob robr...@gmail.com wrote:
> I have OSSEC installed as a master/agent setup. There are about 30 agents running with one master. I recently changed the ossec.conf to monitor changes in directories in real time:
> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
> Do I have to add this change (realtime="yes") to each agent's ossec.conf, or is just changing it on the master and restarting OSSEC enough?
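The centralized route both replies point at, as an added example of what the manager-side agent.conf would look like for Rob's realtime change (this is not from the thread or from the OSSEC project; it assumes the default /var/ossec install path, that the agents run Linux, and "web01" is a made-up agent name):

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager (assumed path). Agents
     pull this file from the manager and merge it with their local
     ossec.conf, so the realtime setting is edited once instead of on each
     of the 30 hosts. The manager's own ossec.conf is unaffected by it. -->
<agent_config os="Linux">
  <syscheck>
    <!-- The same two entries the poster added to the manager's ossec.conf.
         realtime only takes effect if the agent's syscheck was built with
         inotify support; otherwise the paths are still checked, but only
         on the scheduled scan. -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>

<!-- A second block scoped by agent name shows how one file carries per-host
     settings on top of the OS-wide ones; "web01" is a constructed name. -->
<agent_config name="web01">
  <syscheck>
    <directories realtime="yes" check_all="yes">/var/www</directories>
  </syscheck>
</agent_config>
```

If your version ships /var/ossec/bin/verify-agent-conf, run it after editing to catch XML mistakes before the manager pushes the file, and agent_control -R <id> restarts an agent that has not picked the new file up.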
[ossec-list] Ossec agents not communicating with the server
The OSSEC agents are NOT communicating with the server...
1) IT IS NOT a firewall issue. FIRST I added the 1514/udp rule to the server firewall, THEN I even tried to take down iptables completely on both agents AND the server.
2) I reinstalled the keys (as explained here http://www.ossec.net/wiki/index.php/Errors:AgentCommunication) on one agent and it didn't work either.
Symptoms:
One agent complains that:
Process locked... Trying to connect to server... Error: Unable to connect to server
The other (the one with renewed keys) complains that:
Process locked... (and stays like that forever)
The server DOES NOT produce any output WHEN the clients complain. But I have checked some previous complaints in which ossec-remoted says: Error: No IP or network allowed in the access file list for syslog...
Does this have any solution or should I just give up and throw OSSEC in the bin? (I am a developer most of my time more than a sysadmin, so I don't have much time to spare on things like this) Thanks in advance for any responses!
[ossec-list] ossec agents
Hi list, I have a quick architecture question. I saw that there is much less information in the agent's ossec.conf than in the server's. Does the agent take the ossec.conf from the server to do all tests? What do I have to do when some agents need to check some logfiles which aren't on the server? Is there a chance to have a customized client, or do I have to configure everything on the server and the agents will get the ossec.conf from the server? I saw in the ossec.conf that there are some global rules; are local rules also possible? Regards, Dan
[ossec-list] OSSEC Agents on DHCP hosts
I have a few hosts that use DHCP. The problem is if I add an agent with a particular IP it's only good till the machine gets a new address. I would prefer not to extend the lease or add the MAC addresses into DHCP as some of the machines will move to different DHCP zones when traveling. Would it be possible to code in a non-IP-specific authentication method for the agents to communicate? Also another nice feature would be to configure the agents to use primary and secondary OSSEC servers. So let's say someone visits a remote site and no longer has access to the primary, or the WAN link is too slow to support the traffic; then the agent would try the next available one. However the agent should be smart about it and first check to see if one of the secondaries is closest to its current address. Brett