Hi Martin,

By looking at your config, I see that the client.keys from the server and from the agent are different:

server:
001 dev6 111.111.229.29

agent:
001 dev6 111.111.111.29


They need to be the same. In addition to that, can you do the following:

- Run tcpdump -ni eth0 udp port 1514 on the server and on the agent at the same time.

- With tcpdump running on both systems, can you restart the agent ( /var/ossec/bin/ossec-control restart )? You should see a lot of traffic on both sides (also, make sure the server is running with /var/ossec/bin/ossec-control status ). If you can see the data on the agent, but not on the server (via tcpdump), it is because there is a firewall between them blocking it... Let me know how it goes.

--
Daniel B. Cid
dcid ( at ) ossec.net
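
The client.keys comparison described in the reply above, as an added example that is not part of the original e-mail or OSSEC's own code. It assumes each line carries four fields (ID, name, IP, key; the excerpts posted here omit the key), and the function names and sample keys are constructed for illustration.

```python
import hashlib

def parse_client_keys(text):
    """Parse client.keys content ('ID NAME IP KEY' per line) into {id: entry}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, ip, key = parts
        # Keep only a digest so the secret never ends up in reports or logs.
        entries[agent_id] = {"name": name, "ip": ip,
                             "key_sha256": hashlib.sha256(key.encode()).hexdigest()}
    return entries

def compare_keys(server_text, agent_text):
    """Check every entry in the agent's file against the server's file."""
    server = parse_client_keys(server_text)
    agent = parse_client_keys(agent_text)
    problems = []
    for agent_id, a in agent.items():
        s = server.get(agent_id)
        if s is None:
            problems.append(f"{agent_id}: not present on server")
            continue
        for field in ("name", "ip"):
            if s[field] != a[field]:
                problems.append(
                    f"{agent_id}: {field} differs (server={s[field]}, agent={a[field]})")
        if s["key_sha256"] != a["key_sha256"]:
            problems.append(f"{agent_id}: key differs")
    return problems

# Constructed sample data: IDs, names and IPs follow the excerpts in this
# thread; the key strings are placeholders, not real OSSEC keys.
SERVER_KEYS = ("001 dev6 111.111.229.29 CONSTRUCTED-KEY-0001\n"
               "002 web1 10.0.0.7 CONSTRUCTED-KEY-0002\n")
AGENT_KEYS = "001 dev6 111.111.111.29 CONSTRUCTED-KEY-0001\n"

if __name__ == "__main__":
    for problem in compare_keys(SERVER_KEYS, AGENT_KEYS):
        print(problem)
```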


On 8/7/06, Martin Gottlieb <[EMAIL PROTECTED]> wrote:


 Sorry for the confusion, no it is not working, it's just not logging any errors.  There are no files in the /var/ossec/queue/agent-info/ directory on my server.

 Martin


 Daniel Cid wrote:

 Do you mean it is working now? If you look on the server at /var/ossec/queue/agent-info/ you should see a file for each agent that you have. If the file is there it is because they are able to communicate correctly.

 Thanks,

 --
 Daniel B. Cid
 dcid ( at ) ossec.net

 On 8/4/06, Martin Gottlieb <[EMAIL PROTECTED]> wrote:



  Hi Daniel,

  Thanks for the reply.  I double-checked the agent keys and they are all correct and cleared out the iptables rule sets on both machines before testing.  Still no luck.

  Attached are the files and output you requested (slightly sanitized).  I tried a new install and restarted everything. This time through, the logs aren't showing any errors at all, so I'm really not sure what to make of it.

  Thanks for your help in tracking this down.

  Martin


  Daniel Cid wrote:

  Hi Martin,

  I had this problem before when I misconfigured the keys for the agents. Can you make sure that the first agent really has the right key on it (that matches its IP address)? Also, make sure that iptables is not blocking port 1514...

  *I don't think that the zlib version is the problem...

  *do an ifconfig on the agent and look at /var/ossec/etc/client.keys to make sure that the IP address is correct in there.

  If that does not fix the problem, can you show us the following files:

  *for both server and agents:
  /var/ossec/etc/ossec.conf
  /var/ossec/logs/ossec.log
  /var/ossec/etc/client.keys (change the secret key before posting)
  ifconfig -a
  iptables -vL

  Hope it helps..

  --
  Daniel B. Cid
  dcid ( at ) ossec.net


  On 8/3/06, Martin Gottlieb <[EMAIL PROTECTED]> wrote:



   Hello,

   I am trying to set up a new install of OSSEC and am having difficulty getting the agents to communicate with the server.

   All machines have port 1514 open and I have added the agent machines' IP addresses to the server config (using <allowed-ips> ) and generated and imported new authentication keys on each Agent.

   In the server log, I am seeing lots of messages like this:

   2006/08/03 13:57:54 ossec-remoted(2202): Error uncompressing string.

   Are there any dependencies on the versions of zlib ?

   My Server is running Fedora Core release 4 (Stentz), which has zlib version zlib-1.2.2.2-5.fc4

   One Agent is running RH7.3 with zlib 1.1.4-8.7x and another is running RH ES 3 with zlib 1.1.4-8.1
   The first agent is logging errors like:

   2006/08/03 13:13:23 ossec-agentd(1218): Unable to send message to server.

   while the other agent is not logging any errors at all.

   Any ideas?  Sorry if I've omitted any pertinent info, I'll be happy to provide additional config info if it would be helpful.

   Thanks.

   Martin






