Hi Amauri,

Did you install the latest snapshot in the server? Whenever there is a new version you should always update the server first and then the agents.

For your first agent, looks like there is a firewall blocking the connections to the server. Did you open port 1514 udp in the firewall?

The second problem is also related to a connection issue. The server is the one who sends the active responses to the client (file ar.conf), so if they are not communicating correctly, this file is not going to be there...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:

Hello all (sorry for my English again),

I downloaded the file http://www.ossec.net/files/snapshots/ossec-hids-060912.tar.gz and installed it, but now I have more problems.

I installed the server on a machine that has two interfaces (internal and external). When I install the agent on an external machine, it always shows the message "Waiting for server reply (not started)." as in the logs below:

2006/09/14 09:49:29 ossec-agentd: Connecting to server (200.xxx.xxx.13:1514).
2006/09/14 09:49:29 ossec-execd: Started (pid: 14194).
2006/09/14 09:49:31 ossec-syscheckd: Started (pid: 14203).
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/proftpd.log'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/radius.log'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
2006/09/14 09:49:35 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
2006/09/14 09:49:35 ossec-logcollector: Started (pid: 14199).
2006/09/14 09:49:45 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:50:01 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:50:32 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:51:18 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:19 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:53:35 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:55:06 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:56:52 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:58:53 ossec-agentd(4101): Waiting for server reply (not started).

When I install the agent on an internal machine, the server responds, but I simulate a brute force ssh attack and it doesn't work well... the errors are described below (invalid command and unable to open file (it does not exist in this folder))...

2006/09/14 09:51:54 ossec-agentd: Connecting to server (192.168.1.1:1514).
2006/09/14 09:51:56 ossec-syscheckd: Started (pid: 11609).
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/proftpd.log'.
2006/09/14 09:52:00 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/09/14 09:52:00 ossec-logcollector: Started (pid: 11608).
2006/09/14 09:52:09 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:25 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:42 ossec-agentd(4102): Connected to the server.
2006/09/14 09:52:42 ossec-agentd: Server unavailable. Setting lock.
2006/09/14 09:52:45 ossec-agentd: Server responded. Releasing lock.
2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'host-deny600' provided.
2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'firewall-drop600' provided.

Any suggestions?

Many thanks,

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Amauri Tiago Marx
Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
Universidade do Oeste de Santa Catarina, Unoesc
Campus de São Miguel do Oeste
www.unoescsmo.edu.br
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
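
Added example (not part of the original thread and not OSSEC project code): a small triage script that reads an agent's ossec.log and separates the two symptoms discussed above, an agent that never gets a server reply versus an agent that connects but has no ar.conf yet. The message IDs 4101, 4102, 1103 and 1311 come from the quoted logs; the function name, the result keys and the shortened sample logs are assumptions made for the example.

```python
import re

# Constructed sample input, shortened from the two agent logs quoted in the thread.
EXTERNAL_AGENT = """\
2006/09/14 09:49:29 ossec-agentd: Connecting to server (200.xxx.xxx.13:1514).
2006/09/14 09:49:45 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:50:01 ossec-agentd(4101): Waiting for server reply (not started).
"""
INTERNAL_AGENT = """\
2006/09/14 09:51:54 ossec-agentd: Connecting to server (192.168.1.1:1514).
2006/09/14 09:52:09 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/14 09:52:42 ossec-agentd(4102): Connected to the server.
2006/09/14 09:53:35 ossec-execd(1103): Unable to open file '/var/ossec/etc/shared/ar.conf'.
2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'host-deny600' provided.
2006/09/14 09:53:35 ossec-execd(1311): Invalid command name 'firewall-drop600' provided.
"""

# date, time, daemon name, optional numeric message id, message text
LINE = re.compile(r"^\S+ \S+ (ossec-[a-z]+)(?:\((\d+)\))?: (.*)$")

def diagnose(log_text):
    """Summarise agent/server connectivity symptoms found in one ossec.log."""
    state = {"server": None, "waiting": 0, "connected": False,
             "ar_conf_missing": False, "rejected_commands": []}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an OSSEC daemon line
        daemon, msg_id, text = m.groups()
        if daemon == "ossec-agentd" and text.startswith("Connecting to server"):
            state["server"] = text[text.index("(") + 1:text.rindex(")")]
        elif msg_id == "4101" and not state["connected"]:
            state["waiting"] += 1
        elif msg_id == "4102":
            state["connected"] = True
        elif msg_id == "1103" and text.rstrip(".'").endswith("ar.conf"):
            state["ar_conf_missing"] = True
        elif msg_id == "1311":
            state["rejected_commands"].append(text.split("'")[1])
    # Never connected: the reply in the thread points at the firewall (1514/udp).
    state["check_udp_1514"] = state["waiting"] > 0 and not state["connected"]
    # execd rejected commands because the server-pushed ar.conf never arrived.
    state["ar_not_synced"] = state["ar_conf_missing"] and bool(state["rejected_commands"])
    return state

if __name__ == "__main__":
    for name, log in (("external", EXTERNAL_AGENT), ("internal", INTERNAL_AGENT)):
        print(name, diagnose(log))
```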
