Hi Hasib,

Thanks for giving all the necessary details, it makes it much easier for us. Your configuration seems fine (so does your setup), so the only thing that might be wrong is the firewall rule. Did you open udp 1514 keeping the state? The server needs to reply back to the agents, so you need to keep the state of the connection.
On ipf it would be something like:

pass in quick proto udp from X to X port = 1514 keep state

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/4/07, Hasibul Haque <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to run 1 ossec server(solaris8 sparc) and 3 clients(solaris 10 sparc).
> I have changed ipf firewall on all 4 machines to open udp 1514 but it seems the server is not responding to the clients.
> On the client logs, I have the following:
>
> 2007/09/04 15:50:21 ossec-rootcheck: Started (pid: 8924).
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> 2007/09/04 15:50:25 ossec-logcollector: Started (pid: 8920).
> 2007/09/04 15:50:27 ossec-logcollector: Process locked. Waiting for permission...
> 2007/09/04 15:50:34 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:50:50 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:51:21 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:52:07 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:53:08 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:54:24 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:54:37 ossec-syscheckd: Process locked. Waiting for permission...
> 2007/09/04 15:55:56 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:57:42 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 15:59:43 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/09/04 16:01:59 ossec-agentd(4101): Waiting for server reply (not started).
>
> On the server:
>
> 2007/09/04 15:47:22 ossec-maild: Started (pid: 14404).
> 2007/09/04 15:47:22 ossec-execd: Started (pid: 14408).
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'rules_config.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pam_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-av_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-ws_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'named_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'courier_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'web_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'cisco-ios_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpn_concentrator_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'local_rules.xml'
> 2007/09/04 15:47:22 ossec-analysisd: Total rules enabled: '616'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mtab'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mnttab'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/random-seed'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/adjtime'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/utmpx'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/wtmpx'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/cups/certs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2007/09/04 15:47:22 ossec-analysisd: Started (pid: 14412).
> 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14424).
> 2007/09/04 15:47:22 ossec-monitord: Started (pid: 14429).
> 2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14431).
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent web: '0:588'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent mail: '0:484'.
> 2007/09/04 15:47:23 ossec-remoted: No previous counter available for 'media'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent media: '0:0'.
> 2007/09/04 15:47:23 ossec-remoted: Assigning sender counter: 0:2055
> 2007/09/04 15:47:24 ossec-syscheckd: Started (pid: 14423).
> 2007/09/04 15:47:24 ossec-rootcheck: Started (pid: 14423).
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> 2007/09/04 15:47:28 ossec-logcollector: Started (pid: 14416).
>
> more /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v1.3"
> DATE="Tue Aug 28 12:27:24 EDT 2007"
> TYPE="server"
>
> ossec-analysisd -V
>
> OSSEC HIDS v1.3 - Daniel B. Cid
>
> uname -a
> SunOS dev 5.8 Generic_117350-46 sun4u sparc SUNW,UltraAX-i2 Solaris
>
> more /var/ossec/etc/ossec.conf
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>root</email_to>
>     <smtp_server>mail.abc.com</smtp_server>
>     <email_from>[EMAIL PROTECTED]</email_from>
>   </global>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <remote>
>     <connection>syslog</connection>
>   </remote>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/authlog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/usr/local/squid/var/logs/access.log</location>
>   </localfile>
> </ossec_config>
>
> <ossec_config> <!-- rules global entry -->
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>symantec-ws_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>courier_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>cisco-ios_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>attack_rules.xml</include>
>     <include>zeus_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
> </ossec_config> <!-- rules global entry -->
>
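As an added illustration of the "keep state" point above (this is not from Daniel's reply or the OSSEC project), here are stateless and stateful ipf rules side by side for both the server and the agents. The addresses (server 192.0.2.10, agents in 192.0.2.0/24), the interface name hme0 and the file path /etc/ipf/ipf.conf are assumptions; adjust them to your hosts.

```text
# --- /etc/ipf/ipf.conf on the OSSEC server (path, interface and addresses assumed) ---
block in all
block out all

# Weak: a stateless rule lets the agents' datagrams in, but the server's
# answer (udp from 192.0.2.10:1514 back to the agent's ephemeral port) is an
# outbound packet that matches nothing but "block out all", so every agent
# keeps logging "Waiting for server reply (not started)".
# pass in quick on hme0 proto udp from 192.0.2.0/24 to 192.0.2.10 port = 1514

# Correct: "keep state" creates a state entry on the first inbound datagram,
# and the reply in the opposite direction is matched against that entry and
# allowed without any extra "pass out" rule.
pass in quick on hme0 proto udp from 192.0.2.0/24 to 192.0.2.10 port = 1514 keep state

# --- /etc/ipf/ipf.conf on each agent (Solaris 10) ---
# The agent initiates the exchange, so its rule sits on the outbound side;
# "keep state" is what lets the server's reply back in through "block in all".
block in all
block out all
pass out quick on hme0 proto udp from any to 192.0.2.10 port = 1514 keep state

# After editing, reload the ruleset and confirm the udp rule is active:
#   ipf -Fa -f /etc/ipf/ipf.conf
#   ipfstat -io
```

With the stateful rules loaded, the agent side should move past "Waiting for server reply" within its next retry and the server log should show the agent's counter being assigned.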
