Hi Nicolas,

Since your agent is using a public IP (outside network) and your server is in the inside, you need to:

-Allow UDP port 1514 in the external firewall (looks like you did that already).
-Allow UDP port 1514 in any personal firewall on the ossec server (tcpdump reads before iptables).
-Make sure your agent firewall allows UDP 1514 outbound connections to the server (using proper stateful filtering to allow replies back).
-Do the proper port forwarding/natting in the external firewall to the ossec server.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 1/25/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
Hello guys!!

I'm having some troubles with an agent. I don't receive any event.

Agent is installed in a server with a public ip.
Server is in a lan server.
Port 1514 udp is forwarded from my corp firewall to my ossec server

Ossec agent logfile:

2007/01/25 11:09:07 ossec-agentd(4101): Waiting for server reply (not started).

nc from server to agent works:

[EMAIL PROTECTED] ~]# nc -u xx.xx.xx.xx 1514
this is a test and is driving me crazy

[EMAIL PROTECTED] [/var/ossec/logs]# nc -u -l -p 1514
this is a test and is driving me crazy

nc from agent to server doesn't work.

tcpdump:

from agent:
10:49:10.711042 IP agent.ip.51127 > server.ip.ossec: UDP, length 73

from server:
13:50:32.366943 IP agent.ip.51127 > server.ip.1514: UDP, length 73

netstat -nlu from the agent:

udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 xx.xx.xxx.xxx:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 127.0.0.1:48214 0.0.0.0:*
udp 0 0 127.0.0.1:48215 0.0.0.0:*
udp 0 0 127.0.0.1:48216 0.0.0.0:*
udp 0 0 127.0.0.1:48217 0.0.0.0:*
udp 0 0 127.0.0.1:48218 0.0.0.0:*
udp 0 0 127.0.0.1:48220 0.0.0.0:*
udp 0 0 0.0.0.0:34786 0.0.0.0:*
udp 0 0 :::1162 :::*
udp 0 0 :::49694 :::*
udp 0 0 :::34787 :::*

lsof -i udp from agent:

ossec-age 7195 ossec 7u IPv4 1294991 UDP agent.ip:51127->server.ip:ossec

Any clue???

thanks guys!
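
Added example, not part of the original thread: a small Python helper that compares tcpdump captures taken on the agent and on the server and names the first hop where the UDP 1514 exchange disappears, mapping each case to an item in the checklist from the reply. The stage names, hint texts and function names are assumptions made for this illustration; the two sample lines are the ones quoted in the thread.

```python
import re

# One-line UDP format as tcpdump printed it in the thread, e.g.
#   10:49:10.711042 IP agent.ip.51127 > server.ip.ossec: UDP, length 73
LINE = re.compile(r"^\S+ IP \S+\.([\w-]+) > \S+\.([\w-]+): UDP, length \d+")
OSSEC_PORTS = {"1514", "ossec"}  # tcpdump may print the service name instead

HINTS = {  # stage -> where to look, following the checklist in the reply
    "agent_not_sending": "agent firewall must allow UDP 1514 outbound",
    "lost_before_server": "external firewall rule or port forward/NAT",
    "no_reply_from_server": "host firewall on the server (tcpdump reads "
                            "before iptables, so a seen packet may still be dropped)",
    "reply_lost_on_return": "stateful/NAT handling of replies on the way back",
    "both_directions_seen": "network path looks fine in these captures",
}

def directions(capture):
    """Return which directions of OSSEC traffic appear in a capture."""
    seen = set()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a one-line UDP record
        sport, dport = m.groups()
        if dport in OSSEC_PORTS:
            seen.add("to_server")
        elif sport in OSSEC_PORTS:
            seen.add("to_agent")
    return seen

def diagnose(agent_capture, server_capture):
    """Name the first hop at which the agent/server exchange disappears."""
    agent, server = directions(agent_capture), directions(server_capture)
    if "to_server" not in agent:
        return "agent_not_sending"
    if "to_server" not in server:
        return "lost_before_server"
    if "to_agent" not in server:
        return "no_reply_from_server"
    if "to_agent" not in agent:
        return "reply_lost_on_return"
    return "both_directions_seen"

# The two capture lines quoted in the thread (placeholder names as posted).
AGENT_CAP = "10:49:10.711042 IP agent.ip.51127 > server.ip.ossec: UDP, length 73"
SERVER_CAP = "13:50:32.366943 IP agent.ip.51127 > server.ip.1514: UDP, length 73"

if __name__ == "__main__":
    stage = diagnose(AGENT_CAP, SERVER_CAP)
    print(stage, "->", HINTS[stage])
```

Run against the thread's two lines, it reports that the request reached the server but no reply was captured leaving it, which is the case the "tcpdump reads before iptables" remark is about.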
