Hi Daniel,
Ok, I'll fix my iptables rules. Sorry, but I don't know how to use netcat to test
communication. How can I do this?
About ar.conf permissions:
dr-xr-x--- 2 root ossec 4.0K 2006-09-14 14:31 shared/
-r--r----- 1 root root 76 2006-09-14 16:20 ar.conf
Is root.ossec the correct one? If yes, the process that creates it needs to be
corrected, because if I delete this file, it is created automatically with the
permissions shown above.
Thanks very much again,
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Amauri Tiago Marx
Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
Universidade do Oeste de Santa Catarina, Unoesc
Campus de São Miguel do Oeste
www.unoescsmo.edu.br
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 14, 2006 10:20 PM
Subject: [ossec-list] Re: Other problems
Hi Amauri,
First off, for your iptables rule, do not open it for everyone, just for the
specific IPs that you need. Second, make sure that the agent firewall allows
outbound traffic to port 1514 and then to come back. To test it, just run a
netcat from the agent to the server on port 1514 and see if it can get to it
(you should see on the server a message about unable to decrypt or invalid
format).
Now, for your second problem, since ossec runs in a chroot, when it says
"/etc/shared/ar.conf", it is actually looking at
/var/ossec/etc/shared/ar.conf...
Can you show us the permissions of /var/ossec/etc and
/var/ossec/etc/shared? Looks like remoted does not have permission to access
it...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
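The two points Daniel makes (the chroot makes "/etc/shared/ar.conf" really mean a path under /var/ossec, and remoted's unprivileged identity must be able to traverse every directory on the way and read the file) can be checked mechanically. The script below is an added example, not part of the list thread or of OSSEC itself. It maps the chroot-relative path to the real one and then walks it component by component with ordinary Unix permission rules. The numeric uid/gid values, the assumption that remoted drops to user "ossecr" in group "ossec", and the modes of /var/ossec and /var/ossec/etc are constructed for the demonstration; the modes of shared/ and ar.conf are the ones Amauri posted.

```python
"""Added example (not from the ossec-list thread): translate a chroot-relative
path such as '/etc/shared/ar.conf' to the real path under the OSSEC install
directory, then walk it the way the kernel would for an unprivileged identity
and report the first component that blocks access."""
import os
from types import SimpleNamespace

OSSEC_DIR = "/var/ossec"        # default install directory, as used in the thread

# Constructed identities: remoted is assumed to drop to user ossecr / group ossec.
OSSECR_UID = 1002
OSSEC_GID = 1001

AR_REAL = "/var/ossec/etc/shared/ar.conf"

# Constructed metadata, path -> (mode, uid, gid). shared/ and ar.conf carry the
# modes from Amauri's listing (dr-xr-x--- root ossec, -r--r----- root root);
# the entries above them are assumed.
THREAD_TREE = {
    "/var": (0o755, 0, 0),
    "/var/ossec": (0o550, 0, OSSEC_GID),
    "/var/ossec/etc": (0o550, 0, OSSEC_GID),
    "/var/ossec/etc/shared": (0o550, 0, OSSEC_GID),
    AR_REAL: (0o440, 0, 0),
}


def chroot_to_real(chroot_path, ossec_dir=OSSEC_DIR):
    """'/etc/shared/ar.conf' inside the chroot -> '/var/ossec/etc/shared/ar.conf'."""
    return os.path.join(ossec_dir.rstrip("/"), chroot_path.lstrip("/"))


def _bits_for(st, uid, gids):
    """Return the (r, w, x) triple that applies to this uid / set of gids."""
    if st.st_uid == uid:
        shift = 6           # owner bits
    elif st.st_gid in gids:
        shift = 3           # group bits
    else:
        shift = 0           # other bits
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def first_blocker(real_path, uid, gids, stat_fn=os.stat):
    """Walk real_path as the given identity.

    Every directory on the way needs the search (x) bit; the final entry needs
    the read bit. Returns None when everything is reachable, otherwise
    (path, reason) for the first component that denies access. uid 0 is
    treated as root and never blocked, which is why such an error only shows
    up once the daemon has dropped privileges."""
    if uid == 0:
        return None
    parts = os.path.normpath(real_path).split(os.sep)
    current = os.sep
    for i, part in enumerate(parts):
        if not part:
            continue
        current = os.path.join(current, part)
        try:
            st = stat_fn(current)
        except FileNotFoundError:
            return current, "does not exist"
        r, _w, x = _bits_for(st, uid, gids)
        if i < len(parts) - 1:
            if not x:
                return current, "directory lacks search (x) permission"
        elif not r:
            return current, "file lacks read permission"
    return None


def lookup_in(tree):
    """Build a stat()-like function over the constructed metadata table."""
    def fake_stat(path):
        try:
            mode, uid, gid = tree[path]
        except KeyError:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
    return fake_stat


def check_thread_case(fix_group=False):
    """Reproduce the thread's situation, optionally with ar.conf owned root:ossec."""
    tree = dict(THREAD_TREE)
    if fix_group:
        tree[AR_REAL] = (0o440, 0, OSSEC_GID)
    return first_blocker(AR_REAL, OSSECR_UID, (OSSEC_GID,), lookup_in(tree))


if __name__ == "__main__":
    print("chroot path maps to:", chroot_to_real("/etc/shared/ar.conf"))
    print("as posted        :", check_thread_case())
    print("with root:ossec  :", check_thread_case(fix_group=True))
    # On a real server, drop stat_fn to walk the live filesystem:
    # print(first_blocker(AR_REAL, OSSECR_UID, (OSSEC_GID,)))
```

With the metadata as posted, the walk passes shared/ (group ossec has r-x) and stops at ar.conf, whose root:root 0440 mode leaves nothing for the ossec group. Changing only the group of ar.conf clears the blocker, which is the repair the thread converges on; against a live system, call `first_blocker` without `stat_fn` to walk the real /var/ossec tree.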
On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:
Hi Daniel,
Yes, I installed the latest snapshot on the server before the agents.
On the ossec server, I have this rule in the firewall:
iptables -A INPUT -p udp --dport 1514 --sport 1024:65535 -j ACCEPT
Do I need anything more?
For the problem related to ar.conf, I'm confused. See the error logs:
2006/09/14 14:53:30 ossec-syscheckd: Started (pid: 24459).
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/error_log'.
2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file: '/var/log/apache/access_log'.
2006/09/14 14:53:33 ossec-logcollector: Started (pid: 24445).
2006/09/14 15:54:58 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
I think this has the same problem as my last question: the file
/etc/shared/ar.conf doesn't exist; only /var/ossec/etc/shared/ar.conf
exists (this file is created automatically when I start the ossec server).
Thanks very much, best regards,
Amauri Tiago Marx