Hello Everyone,

I've been reading the mailing list archives trying to figure out why the server
rejects my agent's messages (ossec-remoted logs "Incorrectly formated message"
and "Checksum mismatch" from the agent host, see the ossec.log excerpt below),
but I'm stumped at this point.

I've done re-installs of both the server and agent. I've also removed and
re-added the keys. No joy. I'm hoping someone can give me some new ideas on
things to try.

PF is disabled.

Here is some info from my installation. Let me know if you need more. (Note:
the client.keys line below includes the agent's shared key; that key is the
secret that authenticates the agent to the server, so anyone pasting a real one
into a public list should regenerate it afterwards.)

Thanks,
Frankie



/etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v0.9-1"
DATE="Thu Aug 17 19:55:17 YAPT 2006"
TYPE="server"

/var/ossec/etc/client.keys
001 LicenseServer 192.168.1.25 5dc050212345677777777777777777

ifconfig -a
lo0: flags=8048<LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 08:00:20:05:1b:43
        media: Ethernet autoselect (10baseT)
        inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::a00:20ff:fe05:1b43%le0 prefixlen 64 scopeid 0x1
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536


/var/ossec/etc/ossec.conf
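<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[EMAIL PROTECTED]</email_to>
    <smtp_server>192.168.1.25</smtp_server>
    <email_from>[EMAIL PROTECTED]</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>

  <!-- Active response is deliberately off: the server only logs and
       emails alerts, it never blocks hosts or runs commands. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- "secure" opens only the encrypted agent channel; no plain syslog
       listener is started, so no allowed-ips list is needed here.
       NOTE(review): the remoted 1403 ("Incorrectly formated message") and
       1406 ("Checksum mismatch") errors for 192.168.1.25 in ossec.log mean
       the server received that agent's traffic but could not decrypt or
       verify it. That is typically a key mismatch: the client.keys entry
       (id, name, ip, key) must be exactly what was imported on the agent,
       and the agent's source IP must match the ip field. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Everything of level 1 and up is written to alerts.log; only
       level 7 and up is mailed. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Files to monitor (localfiles). Each file is listed once; the
       original config repeated authlog and secure, and ossec-logcollector
       reported each file only once anyway. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <!-- NOTE(review): there is no syscheck or rootcheck section, which is
       why ossec.log reports "No directories to check" and no
       rootcheck_files / rootcheck_trojans file. File-integrity and rootkit
       checks are therefore effectively disabled on this server. -->
</ossec_config>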

/var/ossec/logs/ossec.log
ossec-maild: Started (pid: 7223).
2006/08/17 20:01:55 ossec-execd: Started (pid: 7732).
2006/08/17 20:01:56 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/08/17 20:01:56 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/08/17 20:01:56 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/08/17 20:01:57 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2006/08/17 20:01:57 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/08/17 20:01:57 ossec-remoted: Started (pid: 13337).
2006/08/17 20:01:58 ossec-remoted: Started (pid: 15134).
2006/08/17 20:01:58 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
2006/08/17 20:01:58 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/08/17 20:01:59 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/08/17 20:01:59 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2006/08/17 20:01:59 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2006/08/17 20:01:59 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/08/17 20:01:59 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/08/17 20:02:00 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2006/08/17 20:02:00 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/08/17 20:02:00 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/08/17 20:02:00 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/08/17 20:02:00 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/08/17 20:02:01 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/08/17 20:02:02 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/08/17 20:02:02 ossec-analysisd: Total rules enabled: '382'
2006/08/17 20:02:02 ossec-analysisd: Started (pid: 18828).
2006/08/17 20:02:03 ossec-logcollector(1950): Analyzing file: 
'/var/log/messages'.
2006/08/17 20:02:03 ossec-logcollector(1950): Analyzing file: 
'/var/log/authlog'.
2006/08/17 20:02:03 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/08/17 20:02:03 ossec-logcollector(1950): Analyzing file: 
'/var/log/xferlog'.
2006/08/17 20:02:03 ossec-logcollector(1950): Analyzing file: 
'/var/log/maillog'.
2006/08/17 20:02:03 ossec-logcollector: Started (pid: 24428).
2006/08/17 20:02:08 ossec-syscheckd: Started (pid: 25527).
2006/08/17 20:02:08 ossec-syscheckd: No directories to check.
2006/08/17 20:03:10 ossec-rootcheck: No rootcheck_files file configured.
2006/08/17 20:03:10 ossec-rootcheck: No rootcheck_trojans file configured.
2006/08/17 20:09:52 ossec-remoted(1403): Incorrectly formated message from
'192.168.1.25'.
2006/08/17 20:10:11 ossec-remoted(1403): Incorrectly formated message from
'192.168.1.25'.
2006/08/17 20:10:11 ossec-remoted(1403): Incorrectly formated message from
'192.168.1.25'.
2006/08/17 20:10:11 ossec-remoted(1403): Incorrectly formated message from
'192.168.1.25'.
2006/08/17 20:21:04 ossec-remoted(1406): Checksum mismatch on message from
'192.168.1.25'.

