Judged from the log content:

2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

And in the ossec.conf, you have duplicated the <remote> section. <connection>syslog</connection> and <connection>secure</connection> are mutually exclusive. You should only try 'connection == secure' first.

Best regards,
Zarick

On Sep 5, 4:15 am, "Hasibul Haque" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to run 1 ossec server (solaris8 sparc) and 3 clients (solaris 10 sparc).
> I have changed ipf firewall on all 4 machines to open udp 1514 but it seems
> the server is not responding to the clients.
> On the client logs, I have the following:
>
> 2007/09/04 15:50:21 ossec-rootcheck: Started (pid: 8924).
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> 2007/09/04 15:50:25 ossec-logcollector: Started (pid: 8920).
> 2007/09/04 15:50:27 ossec-logcollector: Process locked. Waiting for permission...
> 2007/09/04 15:50:34 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:50:50 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:51:21 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:52:07 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:53:08 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:54:24 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:54:37 ossec-syscheckd: Process locked. Waiting for permission...
> 2007/09/04 15:55:56 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:57:42 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:59:43 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 16:01:59 ossec-agentd(4101): Waiting for server reply (not started).
>
> On the server:
>
> 2007/09/04 15:47:22 ossec-maild: Started (pid: 14404).
> 2007/09/04 15:47:22 ossec-execd: Started (pid: 14408).
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'rules_config.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pam_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-av_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-ws_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'named_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'courier_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'web_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'cisco-ios_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpn_concentrator_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'local_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Total rules enabled: '616'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mtab'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mnttab'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/random-seed'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/adjtime'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/utmpx'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/wtmpx'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/cups/certs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2007/09/04 15:47:22 ossec-analysisd: Started (pid: 14412).
> 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14424).
> 2007/09/04 15:47:22 ossec-monitord: Started (pid: 14429).
> 2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14431).
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent web: '0:588'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent mail: '0:484'.
> 2007/09/04 15:47:23 ossec-remoted: No previous counter available for 'media'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent media: '0:0'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning sender counter: 0:2055
> 2007/09/04 15:47:24 ossec-syscheckd: Started (pid: 14423).
> 2007/09/04 15:47:24 ossec-rootcheck: Started (pid: 14423).
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> 2007/09/04 15:47:28 ossec-logcollector: Started (pid: 14416).
>
> more /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v1.3"
> DATE="Tue Aug 28 12:27:24 EDT 2007"
> TYPE="server"
>
> ossec-analysisd -V
>
> OSSEC HIDS v1.3 - Daniel B. Cid
>
> uname -a
> SunOS dev 5.8 Generic_117350-46 sun4u sparc SUNW,UltraAX-i2 Solaris
>
> more /var/ossec/etc/ossec.conf
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_to>root</email_to>
> <smtp_server>mail.abc.com</smtp_server>
> <email_from>[EMAIL PROTECTED]</email_from>
> </global>
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 6 hours -->
> <frequency>21600</frequency>
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
>
> <!-- Files/directories to ignore -->
> <ignore>/etc/mtab</ignore>
> <ignore>/etc/mnttab</ignore>
> <ignore>/etc/hosts.deny</ignore>
> <ignore>/etc/mail/statistics</ignore>
> <ignore>/etc/random-seed</ignore>
> <ignore>/etc/adjtime</ignore>
> <ignore>/etc/httpd/logs</ignore>
> <ignore>/etc/utmpx</ignore>
> <ignore>/etc/wtmpx</ignore>
> <ignore>/etc/cups/certs</ignore>
>
> <!-- Windows files to ignore -->
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> <ignore>C:\WINDOWS/Debug</ignore>
> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> <ignore>C:\WINDOWS/iis6.log</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> <ignore>C:\WINDOWS/Prefetch</ignore>
> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> <ignore>C:\WINDOWS/Temp</ignore>
> <ignore>C:\WINDOWS/system32/config</ignore>
> <ignore>C:\WINDOWS/system32/spool</ignore>
> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> </syscheck>
>
> <rootcheck>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
>
> <active-response>
> <disabled>yes</disabled>
> </active-response>
>
> <remote>
> <connection>syslog</connection>
> </remote>
>
> <remote>
> <connection>secure</connection>
> </remote>
>
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>7</email_alert_level>
> </alerts>
>
> <!-- Files to monitor (localfiles) -->
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/authlog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/syslog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/maillog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/usr/local/squid/var/logs/access.log</location>
> </localfile>
> </ossec_config>
>
> <ossec_config> <!-- rules global entry -->
> <rules>
> <include>rules_config.xml</include>
> <include>pam_rules.xml</include>
> <include>sshd_rules.xml</include>
> <include>telnetd_rules.xml</include>
> <include>syslog_rules.xml</include>
> <include>arpwatch_rules.xml</include>
> <include>symantec-av_rules.xml</include>
> <include>symantec-ws_rules.xml</include>
> <include>pix_rules.xml</include>
> <include>named_rules.xml</include>
> <include>smbd_rules.xml</include>
> <include>vsftpd_rules.xml</include>
> <include>pure-ftpd_rules.xml</include>
> <include>proftpd_rules.xml</include>
> <include>ms_ftpd_rules.xml</include>
> <include>hordeimp_rules.xml</include>
> <include>vpopmail_rules.xml</include>
> <include>courier_rules.xml</include>
> <include>web_rules.xml</include>
> <include>apache_rules.xml</include>
> <include>ids_rules.xml</include>
> <include>squid_rules.xml</include>
> <include>firewall_rules.xml</include>
> <include>cisco-ios_rules.xml</include>
> <include>netscreenfw_rules.xml</include>
> <include>postfix_rules.xml</include>
> <include>sendmail_rules.xml</include>
> <include>imapd_rules.xml</include>
> <include>mailscanner_rules.xml</include>
> <include>ms-exchange_rules.xml</include>
> <include>racoon_rules.xml</include>
> <include>vpn_concentrator_rules.xml</include>
> <include>spamd_rules.xml</include>
> <include>msauth_rules.xml</include>
> <!-- <include>policy_rules.xml</include> -->
> <include>attack_rules.xml</include>
> <include>zeus_rules.xml</include>
> <include>ossec_rules.xml</include>
> <include>local_rules.xml</include>
> </rules>
> </ossec_config> <!-- rules global entry -->
>
> <http://www.ossec.net/en/licensing.html>
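The server log in the thread shows the root cause directly: the syslog <remote> section has no access list, so the ossec-remoted instance started for it logs error 1501 and exits, while the 'secure' instance for agents keeps running. The following script is an added example, not OSSEC's own code and not from either poster: it parses an ossec.conf the way a pre-restart sanity check would, walks every <remote> section, and reports a syslog listener that lacks <allowed-ips> (the condition behind the 1501 message) plus any access-list entry that is not an IP address or CIDR network. The sample configurations are constructed; the 192.0.2.0/24 network is a documentation range standing in for whatever hosts are meant to send syslog, and treating anything other than an IP or CIDR as suspect is an assumption of this checker rather than OSSEC's exact grammar for that field.

```python
"""Audit the <remote> sections of an OSSEC ossec.conf before restarting.

Added example, not OSSEC's own code.  Mirrors the startup condition that
produced 'ossec-remoted(1501): No IP or network allowed in the access
list for syslog' in the thread, so the misconfiguration is caught from
the file instead of from the daemon log.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the poster's config: a syslog listener
# with no access list beside the agent ('secure') listener.
BROKEN_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
<ossec_config> <!-- rules global entry -->
  <rules>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""

# The same file with a hypothetical syslog source network allowed.
# 192.0.2.0/24 is a documentation range, not the poster's network.
FIXED_CONF = BROKEN_CONF.replace(
    "<connection>syslog</connection>",
    "<connection>syslog</connection>\n    <allowed-ips>192.0.2.0/24</allowed-ips>",
)

VALID_CONNECTIONS = {"secure", "syslog"}


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, so it is
    not one well-formed XML document; wrap it in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def audit_remote_sections(text):
    """Return a list of (section_number, message) findings; empty means clean."""
    findings = []
    remotes = parse_ossec_conf(text).iter("remote")
    for num, remote in enumerate(remotes, start=1):
        conn = (remote.findtext("connection") or "").strip()
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]

        if conn not in VALID_CONNECTIONS:
            findings.append((num, f"unknown <connection> value {conn!r}"))
            continue

        # The condition behind error 1501: a syslog listener that would
        # accept nothing, so remoted refuses to start it.
        if conn == "syslog" and not allowed:
            findings.append((num, "syslog listener has no <allowed-ips>; "
                                  "ossec-remoted exits with error 1501"))

        # Syntax sanity check on the access list (assumption: entries are
        # single IPs or CIDR networks; anything else is reported).
        for value in allowed:
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append((num, f"unparseable <allowed-ips> entry {value!r}"))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_remote_sections(conf) or "OK")
```

Run it against a copy of /var/ossec/etc/ossec.conf (read the file into `text` and call `audit_remote_sections(text)`) before restarting the server; an empty result means every syslog listener has at least one parseable network in its access list, which is exactly what the 1501 check at startup requires.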
