Daniel,
Thanks for the info. I have gotten most of the problems resolved. As it
turns out, active response was disabled in the config file when our
admin installed it, which was where the queue errors were coming from.
When I fixed the client configs and updated all the keys, all is well
now.
Daniel,
Thanks, that was very helpful. Any way to hardcode the UDP port that the
client communicates to the server with? Looks like a random port in the
5s.
Snippet from tcpdump.
11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73
Being able to lock that to one port would
Here are some errors on the client side.
2007/07/26 09:45:07 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
2007/07/26 09:45:22 ossec-agentd(1301): Unable to connect to active response queue.
2007/07/26 09:45:23 ossec-agentd(4102): Connected to the server.
2007/07/26 10:15:26
Reggie,
Do you not have perhaps an out-of-band network for this sort of
communication? I would think you wouldn't want to use the public
interfaces for such internal information?
Haz
On 7/25/07, Daniel Cid [EMAIL PROTECTED] wrote:
Hi Reggie,
OSSEC should work with systems behind a
Hi Reggie,
Looking at your previous e-mail, you are having these errors because
you used the same agent id/name on multiple systems. Even if they have
the same IP, you need to give different ids/names. If you make this
change and re-import all the keys, it should all work.
Regarding the