Hi Amauri,
First off, for your iptables rule, do not open it for everyone. Just for the specific IPs that you need. Second, make sure that the agent firewall allows outbound traffic to port 1514 and for it to come back. To test it, just run a netcat from the agent to the server on port 1514 and see if it can get to it (you should see on the server a message about unable to decrypt or invalid format).

Now, for your second problem, since ossec runs on chroot, when it says "/etc/shared/ar.conf", it is actually looking at /var/ossec/etc/shared/ar.conf. Can you show us the permissions of /var/ossec/etc and /var/ossec/etc/shared? Looks like remoted does not have permission to access it.

Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net

2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:
Hi Daniel,

Yes, I installed the latest snapshot on the server before the agents. On the ossec server, I have this rule on the firewall:

iptables -A INPUT -p udp --dport 1514 --sport 1024:65535 -j ACCEPT

Need anything more?

For the problem related to ar.conf, I'm confused. See the error logs:

2006/09/14 14:53:30 ossec-syscheckd: Started (pid: 24459).
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
2006/09/14 14:53:33 ossec-logcollector: Started (pid: 24445).
2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'

I think I have the same problem as in my last question: the file /etc/shared/ar.conf doesn't exist, only /var/ossec/etc/shared/ar.conf exists (this file is created automatically when I start the ossec server).

Many thanks, best regards,
Amauri Tiago Marx
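
Added example, not part of the original thread and not OSSEC code: a Python sketch of the check discussed above. It maps the path the chrooted daemon reports to the real host path, then walks each component to find the first one that a given non-root uid cannot search or read. The function names and the uid/gid in the demo are assumptions; substitute the account the daemon runs as on your system.

```python
import os
import stat

def host_path(chroot, inner):
    """Map a path as the chrooted daemon sees it to the real path on the host."""
    return os.path.join(chroot, inner.lstrip("/"))

def blocked_at(chroot, inner, uid, gids):
    """Return (host_path, reason) for the first component that stops a non-root
    uid/gids from reading `inner` inside `chroot`, or None if nothing does.
    Classic mode bits only; ACLs and MAC policies are not considered."""
    step = chroot
    steps = [step]  # the chroot directory itself is "/" for the daemon
    for part in inner.strip("/").split("/"):
        step = os.path.join(step, part)
        steps.append(step)
    for i, step in enumerate(steps):
        try:
            st = os.stat(step)
        except FileNotFoundError:
            return (step, "missing")
        except PermissionError:
            return (step, "cannot stat as the current user; rerun as root")
        last = i == len(steps) - 1
        if not last and not stat.S_ISDIR(st.st_mode):
            return (step, "not a directory")
        # Directories on the way need search (x); the file itself needs read (r).
        want = 4 if last else 1
        # Only one permission class applies: owner, else group, else other.
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        if (st.st_mode >> shift) & want != want:
            kind = "read" if last else "search"
            return (step, "no %s permission for uid %d" % (kind, uid))
    return None

if __name__ == "__main__":
    # Constructed uid/gid values for illustration only.
    print(host_path("/var/ossec", "/etc/shared/ar.conf"))
    print(blocked_at("/var/ossec", "/etc/shared/ar.conf", uid=1001, gids={1001}))
```

A result of `None` means the mode bits allow the read; otherwise the returned path is the directory or file whose permissions need attention.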
