[ossec-list] Manager doesn't see agent

2012-03-27 Thread Alisha Kloc
Hi list, I've got a thorny problem that I'm hoping will turn out to be a simple one. Our OSSEC Manager refuses to see the one agent currently connected to it. It's been connected in the past, and the manager remembers this - the agent shows as disconnected in agent_control rather than never

Re: [ossec-list] Manager doesn't see agent

2012-03-27 Thread dan (ddp)
Are you sure that isn't how one-way agents always show up? I have no idea, I don't like that option. Was the manager updated recently (maybe the one-way comms setting has to be set on the manager and someone forgot to set it)? You can try: Turn off the firewall on the manager. Run the manager's

Re: [ossec-list] Problems with ossec-maild

2012-03-27 Thread dan (ddp)
What's your mail configuration in the manager's ossec.conf? I wish ossec was compiled with -ggdb by default. It might make the gdb information a bit easier to follow. On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie luckief...@gmail.com wrote: I increased the number of agents my installation was

Re: [ossec-list] Solaris ossec-dbd crashes

2012-03-27 Thread dan (ddp)
There was no information with the segfault? Did you try running ossec-dbd under gdb? What database are you using? Any errors in ossec.log? Any errors in the DB's log? On Fri, Mar 23, 2012 at 12:37 PM, Nico Bugash nicobug...@gmail.com wrote: I have successfully installed the ossec server on

Re: [ossec-list] Database and File rules encrypted?

2012-03-27 Thread dan (ddp)
If an attacker has gotten privileged access to the system there should be a log somewhere detailing this. Hopefully there's a rule for that log message... What do you mean by use a directory or file not monitored to carry out the attack? You mean monitored by syscheckd? As soon as they change

[ossec-list] Re: Problems with ossec-maild

2012-03-27 Thread MDACC-Luckie
Our config is pretty standard with respect to the ossec.conf. The only non-standard thing we have is that we are using port 9025 for SMTP on the mail server we are using rather than 25. We have that changed in the sendmail.c file that is used when everything is compiled: OSSEC.CONF global

Re: [ossec-list] Database and File rules encrypted?

2012-03-27 Thread dan (ddp)
Plus the files/filesystem would have to be decrypted to use. A privileged user would probably have access to that decrypted data. On Thu, Mar 22, 2012 at 5:58 PM, Castle, Shane scas...@bouldercounty.org wrote: If this happened then it's game over. Encrypting the files/filesystem will do no

[ossec-list] Re: Manager doesn't see agent

2012-03-27 Thread Alisha Kloc
One-way agents normally show as Connected like regular agents, actually. All the one-way flag does afaik is skip the section in the agent startup where it waits for a response from the manager before continuing to start; otherwise, they behave exactly like normal agents. Also, no, the manager

Re: [ossec-list] Re: Manager doesn't see agent

2012-03-27 Thread dan (ddp)
tcpdump will pick up packets even if they're blocked by the firewall. Are the messages coming from the correct IP? Did the manager's IP change at all? You could also try deleting the agent from the manager, creating a new one, and installing that key on the agent. On Tue, Mar 27, 2012 at 4:50 PM,

[ossec-list] Re: Problems with ossec-maild

2012-03-27 Thread MDACC-Luckie
Not long by max length standards, 15 characters or so. Are there any other of those types of things I could check, data corruption somewhere, that I might need to look for that isn't obvious to me? I don't think it is with ossec-maild but something with the extra 60 or so agent keys I
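Two threads above come down to the same file: in "Manager doesn't see agent" the question is whether the agent's packets arrive from the IP the manager has registered for it, and in "Problems with ossec-maild" the poster suspects something is wrong with the 60-odd agent keys that were just added. The script below is an added example written for this page, not OSSEC's own code or anything posted in the thread. It assumes the client.keys line format `<id> <name> <ip-or-cidr-or-any> <key>` (one agent per line), parses a constructed sample file with deliberately broken entries, reports structural problems, and answers the question "which registered agents would accept a datagram from this source IP?". The sample keys are placeholders, not real agent keys.

```python
"""Sanity-check an OSSEC-style client.keys file and match packet source IPs
against registered agent addresses.

Added example for the mailing-list page; not OSSEC project code.
Assumed line format: "<id> <name> <ip-or-cidr-or-any> <key>".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentKey:
    agent_id: str
    name: str
    address: str  # single IP, CIDR network, or the literal "any"
    key: str


# Constructed sample client.keys content (placeholder keys, not real ones).
# Line 4 has an unparsable address, line 5 reuses id 001, line 6 lacks a key.
SAMPLE_CLIENT_KEYS = """\
001 web01 192.168.1.10 placeholderkey0001
002 db01 any placeholderkey0002
003 labnet 10.0.0.0/24 placeholderkey0003
004 broken 192.168.1 placeholderkey0004
001 dupid 192.168.1.11 placeholderkey0005
005 nokey 192.168.1.12
"""


def _valid_address(addr: str) -> bool:
    """Accept 'any', a single IP, or a CIDR network."""
    if addr == "any":
        return True
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return False


def parse_client_keys(text: str):
    """Parse client.keys text into (agents, problems).

    Lines with the wrong field count or an unparsable address are skipped
    and reported. Duplicate ids are reported but both entries are kept so
    the caller can see what collided.
    """
    agents, problems, seen_ids = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        agent_id, name, address, key = fields
        if not agent_id.isdigit():
            problems.append(f"line {lineno}: id {agent_id!r} is not numeric")
        if not _valid_address(address):
            problems.append(f"line {lineno}: cannot parse address {address!r}")
            continue
        if agent_id in seen_ids:
            problems.append(f"line {lineno}: duplicate agent id {agent_id}")
        seen_ids.add(agent_id)
        agents.append(AgentKey(agent_id, name, address, key))
    return agents, problems


def accepts_source(agent: AgentKey, src_ip: str) -> bool:
    """True if a datagram from src_ip matches the agent's registered address."""
    if agent.address == "any":
        return True
    network = ipaddress.ip_network(agent.address, strict=False)
    return ipaddress.ip_address(src_ip) in network


def agents_accepting(agents, src_ip: str) -> list[str]:
    """Ids of all registered agents whose address covers src_ip."""
    return [a.agent_id for a in agents if accepts_source(a, src_ip)]


if __name__ == "__main__":
    agents, problems = parse_client_keys(SAMPLE_CLIENT_KEYS)
    for problem in problems:
        print("problem:", problem)
    # Compare these against the source IP tcpdump shows on the manager.
    for ip in ("192.168.1.10", "192.168.1.99", "10.0.0.7"):
        print(ip, "->", agents_accepting(agents, ip))
```

Run it against the real file and the source IP that tcpdump shows on the manager's agent port: an empty list for that IP means no registered entry covers the address the agent is actually sending from (NAT, a changed IP, a typo), which is the case dan's reply is probing for. The structural checks are the kind of quick pass the maild poster was asking about for a batch of newly added keys; any limits on name or key length are deliberately not enforced here because the page does not state them.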