Hi,
I am trying to run 1 ossec server(solaris8 sparc) and 3 clients(solaris 10
sparc).
I have changed ipf firewall on all 4 machines to open udp 1514 but it seems
the server is not responding to the clients.
On the client logs, I have the following:
2007/09/04 15:50:21 ossec-rootcheck: Started (pid: 8924).
2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file:
'/var/log/authlog'.
2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file:
'/var/log/syslog'.
2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file:
'/usr/local/squid/var/logs/access.log'.
2007/09/04 15:50:25 ossec-logcollector: Started (pid: 8920).
2007/09/04 15:50:27 ossec-logcollector: Process locked. Waiting for
permission...
2007/09/04 15:50:34 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:50:50 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:51:21 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:52:07 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:53:08 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:54:24 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:54:37 ossec-syscheckd: Process locked. Waiting for
permission...
2007/09/04 15:55:56 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:57:42 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 15:59:43 ossec-agentd(4101): Waiting for server reply (not
started).
2007/09/04 16:01:59 ossec-agentd(4101): Waiting for server reply (not
started).
On the server:
2007/09/04 15:47:22 ossec-maild: Started (pid: 14404).
2007/09/04 15:47:22 ossec-execd: Started (pid: 14408).
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'rules_config.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'arpwatch_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'symantec-av_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'symantec-ws_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'named_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'pure-ftpd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'hordeimp_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'vpopmail_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'courier_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'web_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'firewall_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'cisco-ios_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'netscreenfw_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'sendmail_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'mailscanner_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'ms-exchange_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file:
'vpn_concentrator_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'local_rules.xml'
2007/09/04 15:47:22 ossec-analysisd: Total rules enabled: '616'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/System32/LogFiles'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/WindowsUpdate.log'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Logs'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/wbem/Repository'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/SoftwareDistribution'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/config'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/spool'
2007/09/04 15:47:22 ossec-analysisd: Ignoring file:
'C:\WINDOWS/system32/CatRoot'
2007/09/04 15:47:22 ossec-analysisd: Started (pid: 14412).
2007/09/04 15:47:22 ossec-remoted: Started (pid: 14424).
2007/09/04 15:47:22 ossec-monitord: Started (pid: 14429).
2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the
access list for syslog. No
reason for running it. Exiting.
2007/09/04 15:47:22 ossec-remoted: Started (pid: 14431).
2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent web: '0:588'.
2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent mail:
'0:484'.
2007/09/04 15:47:23 ossec-remoted: No previous counter available for
'media'.
2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent media: '0:0'.
2007/09/04 15:47:23 ossec-remoted: Assigning sender counter: 0:2055
2007/09/04 15:47:24 ossec-syscheckd: Started (pid: 14423).
2007/09/04 15:47:24 ossec-rootcheck: Started (pid: 14423).
2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file:
'/var/log/authlog'.
2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file:
'/var/log/syslog'.
2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file:
'/var/log/maillog'.
2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file:
'/usr/local/squid/var/logs/access.log'
.
2007/09/04 15:47:28 ossec-logcollector: Started (pid: 14416).
more /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v1.3"
DATE="Tue Aug 28 12:27:24 EDT 2007"
TYPE="server"
ossec-analysisd -V
OSSEC HIDS v1.3 - Daniel B. Cid
uname -a
SunOS dev 5.8 Generic_117350-46 sun4u sparc SUNW,UltraAX-i2 Solaris
more /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>root</email_to>
<smtp_server>mail.abc.com</smtp_server>
<email_from>[EMAIL PROTECTED]</email_from>
</global>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 6 hours -->
<frequency>21600</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<active-response>
<disabled>yes</disabled>
</active-response>
<remote>
<connection>syslog</connection>
</remote>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/authlog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/squid/var/logs/access.log</location>
</localfile>
</ossec_config>
<ossec_config> <!-- rules global entry -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>zeus_rules.xml</include>
<include>ossec_rules.xml</include>
<include>local_rules.xml</include>
</rules>
</ossec_config> <!-- rules global entry -->
<http://www.ossec.net/en/licensing.html>
