Hi Steve,

Thank you very much for your response. I should have mentioned that the server works fine and that I receive alerts for other events such as stopping and starting the OSSEC services.

I might also mention that I put the firewall down before testing. Any other ideas?

[EMAIL PROTECTED] MyName]# ps ax | grep ossec
12315 ?        S      0:00 /var/ossec/bin/ossec-maild
12319 ?        S      0:00 /var/ossec/bin/ossec-execd
12323 ?        S      0:37 /var/ossec/bin/ossec-analysisd
12327 ?        S      0:00 /var/ossec/bin/ossec-logcollector
12331 ?        S     10:07 /var/ossec/bin/ossec-syscheckd
12335 ?        S      0:00 /var/ossec/bin/ossec-monitord
 2934 pts/3    S+     0:00 grep ossec

Thanks!

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Steve McMaster
Sent: Thursday, January 31, 2008 3:59 PM
To: [email protected]
Subject: [ossec-list] Re: Second try: Help with logging from win client to server please.

Your server doesn't seem to be running. Can you run

# ps ax | grep ossec

on your server?

Philippe Bechamp wrote:
> Anyone have a few minutes? I tried here and the IRC channel and no one
> responds... I would much appreciate the help.
>
> Philippe.
>
> ------------------------------------------------------------------------
>
> *From:* Philippe Bechamp
> *Sent:* Monday, January 28, 2008 2:47 PM
> *To:* '[email protected]'
> *Subject:* Help with logging from win client to server please.
>
> Can I kindly request help in troubleshooting an issue I am having with a
> win client connecting to a server.
>
> My win client is configured as such:
>
> <client>
>   <!-- IP address of the Ossec HIDS server. -->
>   <server-ip>10.17.X.X</server-ip>
> </client>
>
> My server is as such:
>
> <remote>
>   <connection>secure</connection>
>   <port>1514</port>
>   <allowed-ips>10.16.X.X</allowed-ips>
>   <local-ip>10.17.X.X</local-ip>
> </remote>
>
> Everything seems like it's running fine. I have a test trigger in
> performance monitor to generate a log entry every few seconds for testing.
>
> If I start tethereal on the server I get:
>
> [EMAIL PROTECTED] myname]# /usr/sbin/tethereal -f src host 10.16.X.X or dst host 10.16.X.X
> Capturing on eth0
>   0.000000 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination port: 1514
>   0.001290 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port unreachable)
>
> 104.001045 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination port: 1514
> 104.001082 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port unreachable)
>
> And if I check if there's anything running on 1514 I get:
>
> [EMAIL PROTECTED] myname]# netstat -l -p | grep 1514
> [EMAIL PROTECTED] myname]#
>
> Any ideas what I should check?
>
> Thanks!
>
> Philippe.
>
> --
> Philippe Béchamp
> Senior Security Analyst
> Openwave Systems
> +1-819-334-3434 (@bell.ca for sms)
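An added example, not from the thread or the OSSEC project, that turns the checks exchanged above into a script: it parses a `ps ax | grep ossec` listing and a tethereal summary of the kind pasted here, reports which server daemons are absent, and flags a port that the server answers with ICMP port unreachable. It assumes, from OSSEC documentation rather than from this thread, that ossec-remoted is the daemon that binds UDP/1514 for agents; the sample inputs are constructed.

```python
import re

# Core OSSEC server daemons; ossec-remoted binds UDP/1514 for agents (per OSSEC docs, not the thread).
SERVER_DAEMONS = {"ossec-remoted", "ossec-analysisd", "ossec-maild", "ossec-execd",
                  "ossec-logcollector", "ossec-syscheckd", "ossec-monitord"}
PS_RE = re.compile(r"/var/ossec/bin/(ossec-[a-z]+)\s*$")
UDP_RE = re.compile(r"(\S+) -> (\S+) UDP .*Destination port: (\d+)")
ICMP_RE = re.compile(r"(\S+) -> (\S+) ICMP Destination unreachable \(Port unreachable\)")

def missing_daemons(ps_output):
    """Server daemons absent from a `ps ax | grep ossec` listing, sorted."""
    running = {m.group(1) for m in map(PS_RE.search, ps_output.splitlines()) if m}
    return sorted(SERVER_DAEMONS - running)

def refused_ports(capture):
    """(host, port) pairs where the next packet after a UDP datagram is ICMP port unreachable."""
    lines = [l for l in capture.splitlines() if l.strip()]
    refused = set()
    for udp_line, reply in zip(lines, lines[1:]):
        m, r = UDP_RE.search(udp_line), ICMP_RE.search(reply)
        if m and r and (r.group(1), r.group(2)) == (m.group(2), m.group(1)):
            refused.add((m.group(2), int(m.group(3))))
    return refused

def diagnose(ps_output, capture, agent_port=1514):
    """Combine both observations into findings a responder can act on."""
    missing = missing_daemons(ps_output)
    findings = ["server daemons not running: " + ", ".join(missing)] if missing else []
    for host, port in sorted(refused_ports(capture)):
        findings.append(f"{host} rejects UDP/{port} with ICMP port unreachable")
        if port == agent_port and "ossec-remoted" in missing:
            findings.append("no listener on the agent port: start ossec-remoted")
    return findings

# Constructed sample input mirroring the outputs pasted in the thread.
SAMPLE_PS = """\
12315 ?        S      0:00 /var/ossec/bin/ossec-maild
12319 ?        S      0:00 /var/ossec/bin/ossec-execd
12323 ?        S      0:37 /var/ossec/bin/ossec-analysisd
12327 ?        S      0:00 /var/ossec/bin/ossec-logcollector
12331 ?        S     10:07 /var/ossec/bin/ossec-syscheckd
12335 ?        S      0:00 /var/ossec/bin/ossec-monitord
 2934 pts/3    S+     0:00 grep ossec
"""
SAMPLE_CAPTURE = """\
  0.000000 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination port: 1514
  0.001290 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port unreachable)
104.001045 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination port: 1514
104.001082 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port unreachable)
"""
```

Run `diagnose(SAMPLE_PS, SAMPLE_CAPTURE)` to see the three findings; the same ICMP-after-UDP pairing works on any tethereal/tshark summary line in this format.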
