Well, now I'm experiencing a different problem. When I do a fresh
install (wiping out the ossec dir) with the above-mentioned build and
try to start the daemons, I get the following:
Agent
-------
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)...
ossec-execd already running...
Started ossec-agentd...
Started ossec-logcollector...
2006/08/18 14:42:15 /data/ossec/bin/ossec-control: line 118: 23535 Segmentation fault ${DIR}/bin/${i}
Server
---------
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
2006/08/18 14:35:40 H=(1210): Queue '' not accessible.
2006/08/18 14:35:55 H=(1210): Queue '' not accessible.
2006/08/18 14:36:06 H=(1210): Queue '' not accessible.
2006/08/18 14:36:21 H=(1210): Queue '' not accessible.
2006/08/18 14:36:37 H=(1210): Queue '' not accessible.
2006/08/18 14:36:52 H=(1211): Unable to access queue: ''. Giving up..
I reverted to 0.9-1 (again, a fresh install) and don't get any
errors on the agent, but get the same error on the server when it's
starting ossec-remoted. There is traffic going back and forth between
the servers according to tcpdump.
ossec.log on agent:
2006/08/18 15:18:09 ossec-execd: Started (pid: 26755).
2006/08/18 15:18:09 ossec-agentd: Started (pid: 26759).
2006/08/18 15:18:12 ossec-syscheckd: Started (pid: 26770).
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/access_log'.
2006/08/18 15:18:15 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/error_log'.
2006/08/18 15:18:15 ossec-logcollector: Started (pid: 26766).
2006/08/18 15:18:25 ossec-agentd(1218): Unable to send message to server.
<last line repeated over and over>
On the server, we have the following ossec.log:
2006/08/18 15:11:25 ossec-maild: Started (pid: 26745).
2006/08/18 15:11:25 ossec-execd: Started (pid: 26749).
2006/08/18 15:11:25 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/08/18 15:11:25 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/08/18 15:11:25 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/08/18 15:11:25 ossec-remoted: Started (pid: 26761).
2006/08/18 15:11:25 ossec-remoted(1206): Unable to Bind port '514'
2006/08/18 15:11:25 ossec-remoted: Started (pid: 26763).
2006/08/18 15:11:31 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
2006/08/18 15:11:31 ossec-syscheckd(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:37 ossec-logcollector(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:46 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2006/08/18 15:11:46 ossec-rootcheck(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:52 ossec-logcollector(1211): Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
2006/08/18 15:11:57 ossec-syscheckd(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:12:12 ossec-rootcheck(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:12:28 ossec-syscheckd(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:12:43 ossec-rootcheck(1211): Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
The ossec.conf files are the same as the ones I previously uploaded.
The /var/log/messages shows the following:
Aug 18 15:24:11 server kernel: ossec-analysisd[28337]: segfault at 0000000000000031 rip 000000321356feb0 rsp 0000007fbffff608 error 4
For the active response stuff, here's the kind of entry that's in the
previous ossec-hids-responses.log file:
Tue Aug 8 21:30:04 CDT 2006
/data/ossec/active-response/bin/host-deny.sh add logger 192.168.45.35
Tue Aug 8 21:30:04 CDT 2006
/data/ossec/active-response/bin/firewall-drop.sh add logger 192.168.45.35
Thanks,
Hugh
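The server log above shows a pattern worth pulling apart before chasing the segfault: one ossec-remoted instance fails to bind port 514 (code 1206), and every daemon that talks to the analysis queue first reports it as not accessible (1210) and then gives up (1211), with ossec-remoted naming the queue as '/queue/ossec/queue' while the others name '/data/ossec/queue/ossec/queue'. The following triage helper is an added example, not part of Hugh's message or of OSSEC itself: it parses ossec.log lines of the form `date daemon(code): message`, groups the coded errors per daemon, lists the queue paths mentioned, and offers a local check of the queue socket. The sample log is copied from the server ossec.log in the post; the function names, the log line regex and the assumption that a queue path lacking the install prefix comes from a daemon reporting from inside its chroot are mine.

```python
"""Triage helper for OSSEC startup failures seen in ossec.log.

Added example, not code from the post or from the OSSEC project.
Assumes log lines look like '2006/08/18 15:11:31 daemon(code): message',
with the '(code)' part optional on informational lines.
"""
import os
import re
import stat
from collections import defaultdict

# Sample taken from the server ossec.log quoted in the post above.
SAMPLE_LOG = """\
2006/08/18 15:11:25 ossec-maild: Started (pid: 26745).
2006/08/18 15:11:25 ossec-execd: Started (pid: 26749).
2006/08/18 15:11:25 ossec-remoted: Started (pid: 26761).
2006/08/18 15:11:25 ossec-remoted(1206): Unable to Bind port '514'
2006/08/18 15:11:25 ossec-remoted: Started (pid: 26763).
2006/08/18 15:11:31 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
2006/08/18 15:11:31 ossec-syscheckd(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:37 ossec-logcollector(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:46 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2006/08/18 15:11:46 ossec-rootcheck(1210): Queue '/data/ossec/queue/ossec/queue' not accessible.
2006/08/18 15:11:52 ossec-logcollector(1211): Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
"""

# Timestamp, daemon name, optional numeric code, free-text message (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
QUOTED = re.compile(r"'([^']*)'")

CODE_BIND_FAILED = "1206"
CODE_QUEUE_NOT_ACCESSIBLE = "1210"
CODE_QUEUE_GAVE_UP = "1211"


def parse(text):
    """Return one dict per recognised log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def error_counts(entries):
    """Map daemon -> {code: count} over the lines that carry a numeric code."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["code"]:
            counts[e["daemon"]][e["code"]] += 1
    return {d: dict(c) for d, c in counts.items()}


def queue_paths(entries):
    """Set of quoted queue paths from 1210/1211 messages."""
    paths = set()
    for e in entries:
        if e["code"] in (CODE_QUEUE_NOT_ACCESSIBLE, CODE_QUEUE_GAVE_UP):
            m = QUOTED.search(e["msg"])
            if m:
                paths.add(m.group(1))
    return paths


def diagnose(text):
    """Human-readable findings for the three failure signatures in the post."""
    entries = parse(text)
    findings = []
    for e in entries:
        if e["code"] == CODE_BIND_FAILED:
            findings.append(f"{e['daemon']} could not bind a listening port: {e['msg']}")
    gave_up = sorted({e["daemon"] for e in entries if e["code"] == CODE_QUEUE_GAVE_UP})
    if gave_up:
        findings.append("daemons that gave up on the queue: " + ", ".join(gave_up))
    paths = queue_paths(entries)
    if len(paths) > 1:
        # Assumption: a path without the install prefix is reported from inside a
        # daemon's chroot, so it refers to the same socket as the full path.
        findings.append("queue reported under several paths: " + ", ".join(sorted(paths)))
    return findings


def check_queue_socket(path):
    """Local check of the queue socket the 1210/1211 messages complain about."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False, "is_socket": False, "writable": False}
    return {
        "exists": True,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "writable": os.access(path, os.W_OK),
    }


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
    print(check_queue_socket("/data/ossec/queue/ossec/queue"))
```

Run it against a real ossec.log by passing the file contents to `diagnose()`; `check_queue_socket()` only tells you whether the socket is there and writable by the user running the script, so run it as the user the complaining daemon drops to.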