Rafael Capovilla wrote:
> Did you check /data/ossec/ossec.log for errors?

Yep. No errors for anything on the server. For the no communication issue, on the agent system, I get:

2006/08/11 11:45:18 ossec-agentd(2201): Error compressing string: '<long string>:1878:1:/var/log/secure:Aug 11 11:45:18 agentbox xinetd[20991]: START: nrpe pid=21239 from=192.168.45.2'.
2006/08/11 11:45:18 ossec-agentd(1217): Error creating encrypted message.

> Make sure that you have the port 1514 listening:
> netstat -an | grep 1514
>
> You should see something like this:
>
> [EMAIL PROTECTED] admin]$ netstat -an | grep 1514
> udp 0 0 *.1514 *.*

Yep. It's definitely listening. Confirmed with nmap on a remote host as well.

> Could you send us your log with the ssh connections? maybe we can change
> some rules to avoid this

Here's the section from the alert I get:

OSSEC HIDS Notification.
2006 Aug 11 01:25:13

Received From: ossechost->/var/log/secure
Rule: 1801 fired (level 10) -> "Network scan from same source ip."
Portion of the log(s):

sshd[26498]: Accepted publickey for user from ::ffff:192.168.45.35 port 44749 ssh2
sshd[26478]: Accepted publickey for user from ::ffff:192.168.45.35 port 44748 ssh2
sshd[26458]: Accepted publickey for user from ::ffff:192.168.45.35 port 44747 ssh2
sshd[26438]: Accepted publickey for user from ::ffff:192.168.45.35 port 44746 ssh2
sshd[26418]: Accepted publickey for user from ::ffff:192.168.45.35 port 44745 ssh2
sshd[26398]: Accepted publickey for user from ::ffff:192.168.45.35 port 44744 ssh2
sshd[26378]: Accepted publickey for user from ::ffff:192.168.45.35 port 44743 ssh2
sshd[26358]: Accepted publickey for user from ::ffff:192.168.45.35 port 44742 ssh2
sshd[26338]: Accepted publickey for user from ::ffff:192.168.45.35 port 44741 ssh2
sshd[26318]: Accepted publickey for user from ::ffff:192.168.45.35 port 44740 ssh2

--END OF NOTIFICATION

Thanks,
Hugh
