Hi Daniel,

I am using Debian sarge as a server with no special configurations. The
server acts as a firewall, but not on the internal interface. The agent
can connect to the box. The log on the agent states:

2006/10/19 07:32:15 ossec-agentd: Connecting to server (192.168.0.1:514).

After which the log fills up with:

2006/10/19 07:32:30 ossec-agentd(4101): Waiting for server reply (not started).

The agent is using firestarter but I have allowed connection on 514
(and 1514 but I want to get basic connectivity working first) for the
server.

On the server side, everything is basic Debian, the server has no GUI,
and runs everything vanilla from the Debian repositories (except ossec).
The only things that go on that box are security updates.

I'm at a loss on this one. I've checked all the logs on both systems,
and the only errors I get are the ones above. No further information.

If I've overlooked anything, let me know, and I'll post it.

I appreciate your help.

Steve

Daniel Cid wrote:
> Hi Steve,
>
> Which operating system are you using? I tried to reproduce it on multiple
> systems (including Solaris 10, Fedora, Ubuntu, OpenBSD and Windows) without
> success. Do you have something like SELinux that can restrict system access?
> I remember in the past that someone had SELinux enabled and it was blocking
> some socket connections from ossec...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/18/06, Steve <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> >
> > Sorry to drag this up from the depths, but I am having the same
> > problem, and was wondering what the workaround is?
> >
> > I am running the latest snap (061017), and definitely have an agent
> > (which obviously cannot connect). I have set up all the permissions as
> > per the wiki. Stopped, restarted, and I still get:
> >
> > 2006/10/18 22:20:20 ossec-analysisd(1210): Queue '/queue/alerts/ar' not accessible.
> > 2006/10/18 22:20:35 ossec-analysisd(1301): Unable to connect to active response queue.
> > 2006/10/18 22:20:35 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
> >
> > Any help would be greatly appreciated.
> >
> > Steve
> >
> > Richard Hopkins wrote:
> > > Hi,
> > >
> > > Sorry to have to report that the new version has exactly the same
> > > problems as previous versions (and the same workaround still works).
> > >
> > > Richard
> > >
> > > --On 27 September 2006 13:57 +0100 Richard Hopkins
> > > <[EMAIL PROTECTED]> wrote:
> > >
> > > >
> > > >
> > > > Hi Daniel,
> > > >
> > > >   Sorry, but I've been off for a couple of weeks and have only just got
> > > > around to catching up on the list email. I've not had a chance to check
> > > > out the new (0.9-2) release yet but will hopefully do so tomorrow. I'll
> > > > report back.
> > > >
> > > > Cheers,
> > > >
> > > > Richard
> > > >
> > > > --On 10 September 2006 11:21 -0300 Daniel Cid <[EMAIL PROTECTED]>
> > > > wrote:
> > > >
> > > >>
> > > >> Hi Colby and Richard,
> > > >>
> > > >> Can you try the latest snapshot? It should have fixed this problem
> > > >> (permission
> > > >> issues)...
> > > >>
> > > >> http://www.ossec.net/files/snapshots/ossec-hids-060910.tar.gz
> > > >>
> > > >> *just choose the update option during the install. No need to
> > > >> reinstall everything.
> > > >>
> > > >> Thanks,
> > > >>
> > > >> --
> > > >> Daniel B. Cid
> > > >> dcid ( at ) ossec.net
> > > >>
> > > >>
> > > >>
> > > >> On 9/10/06, Colby W <[EMAIL PROTECTED]> wrote:
> > > >>>
> > > >>> Richard,
> > > >>>
> > > >>> Did you ever get this resolved?
> > > >>>
> > > >>> I am experiencing the same problem with my install of ossec except I
> > > >>> am using Debian Linux, not Solaris.
> > > >>>
> > > >>> I tried strace [-f] /usr/local/ossec/bin/ossec-remoted but it was not
> > > >>> successful at starting remoted.
> > > >>>
> > > >>> Richard Hopkins wrote:
> > > >>>
> > > >>> > Restarted:
> > > >>> >
> > > >>> > shark# ./ossec-control start
> > > >>> > Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)...
> > > >>> > Started ossec-maild...
> > > >>> > Started ossec-execd...
> > > >>> > Started ossec-analysisd...
> > > >>> > Started ossec-logcollector...
> > > >>> > Started ossec-remoted...
> > > >>> > Started ossec-syscheckd...
> > > >>> > Completed.
> > > >>> >
> > > >>> > Checked its status:
> > > >>> >
> > > >>> > shark# ./ossec-control status
> > > >>> > ossec-logcollector is running...
> > > >>> > ossec-remoted not running...
> > > >>> > ossec-syscheckd is running...
> > > >>> > ossec-analysisd is running...
> > > >>> > ossec-maild is running...
> > > >>> > ossec-execd is running...
> > > >>> >
> > > >>> > Checked that ossec-remoted really wasn't running:
> > > >>> >
> > > >>> > shark# ps -ef | grep remoted
> > > >>> >     root  7586   626  0 15:41:26 pts/4    0:00 grep remoted
> > > >>> >
> > > >>> >
> > > >>> > Same error logged:
> > > >>> >
> > > >>> > 2006/08/25 15:40:50 ossec-remoted: Started (pid: 7553).
> > > >>> > 2006/08/25 15:40:50 ossec-remoted: Started (pid: 7555).
> > > >>> > 2006/08/25 15:40:50 ossec-remoted(1210): Queue '/queue/alerts/ar' not accessible.
> > > >>> >
> > > >>> > I just tried (with it stopped) removing and recreating the
> > > >>> > queue/alerts directory but with the same startup problem.
> > > >>> >
> > > >>> > (truss -f to the rescue)
> > > >>> >
> > > >>> > Is there anyone out there running a server installation under
> > > >>> > Solaris 9 who isn't having this problem (is there anyone out
> > > >>> > there....having this same problem)?
> > > >>> >
> > > >>> > Cheers,
> > > >>> >
> > > >>> > Richard
> > > >>>
> > > >>>
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
> > >
> > > Richard Hopkins,
> > > Information Services,
> > > Computer Centre,
> > > University of Bristol,
> > > Bristol, BS8 1UD, UK
> > >
> > > Tel +44 117 928 7859
> > > Fax +44 117 929 1576
> >
> >
