I am having exactly the same problem and going nuts. I have CentOS 4.3 SELinux 64 AMD as server and 6 Windows agents. When I run tcpdump I see communication between server and agents, but on the server I have no alerts from clients; also /var/ossec/queue/agent-info/ is empty. While they can communicate, how does /var/ossec/queue/agent-info/ come up empty with no alerts from agents? Need urgent help.
------------------------------------------------------
Hi Charles,

When you say you are not getting alerts, you mean e-mail alerts? Can you look under /var/ossec/logs/alerts/ to see if there is anything in the alert files? In addition to that, if you look at /var/ossec/queue/agent-info/, check if there is a file named after the IP of your agent... If the file is there, it means that the server is receiving messages from the agent correctly.

*Also, for syscheck, it may take more than 2 hours (the default time), because after the initial scan of the files (which may take a few minutes), it waits 2 hours to check them again, and it scans the files slowly (to avoid using too much CPU/mem)...
Let us know if it helps or not.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/20/06, Charles E. Jennings <[EMAIL PROTECTED]> wrote:
> I have configured a Server and an Agent and the Agent doesn't seem to be sending alerts to the server. I have followed the procedure to create a key on the Server with ./manage_agents and imported the key on the Agent. I have also opened up the firewall on each box for UDP 1514 and have verified that there is communications happening over this port. Interestingly, I see traffic (watching the connections on each firewall) between the agent and the server but do not see any alerts. I know that I have "reason" to see some alert because I have changed some files on the agent (specifically some .conf files in the /etc folder) but have not seen any alert to the changes of the files; I have waited for over 2 hours (which is the default polling period for the syscheck) but have seen nothing. Also, the logs on each box lead me nowhere.
>
> Any help would be greatly appreciated.
>
> Charles E. Jennings V
> Senior Network Engineer
> Imaging and Data Capture Solutions
>
> Zona Franca America ● Edificio E-25
> 600 Metros Norte Mall Real Cariari ● Heredia, Costa Rica
> Office: 011-(506)-293-4127 ext. 411 ● Cell: 011-(506)-846-0296 ● Fax: 011-(506)-293-4335
> YIM: [EMAIL PROTECTED]
> www.emdeon.com
>
> This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. If you are not the intended recipient(s), you are notified that the dissemination, distribution, or copying of this message is strictly prohibited. If you receive this message in error or are not the named recipient(s), please notify the sender at either the fax address or telephone number above and delete this message. Thank you.
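Daniel's two checks (a file under queue/agent-info/ named after the agent's IP, and alert entries under logs/alerts/) as a small shell helper that reports one of four states for a given agent. This is an added example written for this page, not OSSEC's own tooling and not from the thread; the alert header format it greps for ("... (name) ip->syscheck"), the idea that the server touches the agent-info file on every accepted message, and the fixture tree it builds are assumptions or constructed data, labelled as such in the comments.

```shell
#!/bin/sh
# Added example for this thread, not part of OSSEC. Assumptions:
#   $1 = OSSEC install dir (the thread uses /var/ossec)
#   $1/queue/agent-info/<agent-ip> exists once the server accepts the agent's messages
#   $1/logs/alerts/alerts.log holds the alerts; each alert's header line is assumed
#   to look like "2006 Jul 20 14:00:00 (name) <agent-ip>->syscheck"
# Prints exactly one status token on stdout; explanations go to stderr.

agent_status() {
    base=$1
    ip=$2
    info="$base/queue/agent-info/$ip"
    alerts="$base/logs/alerts/alerts.log"

    if [ ! -e "$info" ]; then
        echo "$ip: no agent-info file; the server is not accepting messages from this agent" >&2
        echo "    (traffic on UDP 1514 alone proves nothing: check that the key imported on the agent" >&2
        echo "    is the one manage_agents created for this IP, then restart both sides)" >&2
        echo NO_AGENT_INFO
        return 0
    fi

    # Assumption: the server touches the agent-info file on each accepted message,
    # so a file that has not changed for a while means the agent went quiet.
    if [ -n "$(find "$info" -mmin +15 2>/dev/null)" ]; then
        echo "$ip: agent-info file present but not updated in the last 15 minutes" >&2
    fi

    # Count alerts from this agent. grep -c prints 0 (exit 1) on no match and
    # prints nothing at all if alerts.log is missing, hence the defaults below.
    any=$(grep -c "$ip->" "$alerts" 2>/dev/null || true)
    sys=$(grep -c "$ip->syscheck" "$alerts" 2>/dev/null || true)
    any=${any:-0}
    sys=${sys:-0}

    if [ "$sys" -gt 0 ]; then
        echo "$ip: $any alert(s), $sys from syscheck" >&2
        echo OK
    elif [ "$any" -gt 0 ]; then
        echo "$ip: $any alert(s) but none from syscheck yet; the initial scan plus the" >&2
        echo "    2-hour default interval can exceed 2 hours, so wait before assuming a fault" >&2
        echo SYSCHECK_PENDING
    else
        echo "$ip: server accepts the agent but no alert in $alerts mentions it" >&2
        echo NO_ALERTS
    fi
}

# Constructed fixture so the check can be exercised offline: two agents the server
# hears from, one with a syscheck alert and one with only an agent-connected alert.
# The alert text is made up for illustration, not real OSSEC output.
make_fixture() {
    base=$1
    mkdir -p "$base/queue/agent-info" "$base/logs/alerts"
    : > "$base/queue/agent-info/192.0.2.10"
    : > "$base/queue/agent-info/192.0.2.11"
    cat > "$base/logs/alerts/alerts.log" <<'EOF'
** Alert 1153400000.0: - syscheck,
2006 Jul 20 14:00:00 (winbox1) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\WINDOWS/system32/drivers/etc/hosts'

** Alert 1153400100.0: - ossec,
2006 Jul 20 14:01:40 (winbox2) 192.0.2.11->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'winbox2->192.0.2.11'.
EOF
}

# Usage: sh agent_status.sh /var/ossec 192.0.2.10
if [ "$#" -eq 2 ]; then
    agent_status "$1" "$2"
fi
```

Run it once per agent IP on the server. NO_AGENT_INFO is the state both posters describe (packets on 1514 but an empty agent-info directory) and points at the key exchange rather than the network; SYSCHECK_PENDING is the "wait longer than 2 hours" case from Daniel's note.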
