Philippe -

Your problem is that ossec-remoted isn't running -- this is the daemon
that will accept connections from the clients. The server can generate
alerts itself just fine, but none of the clients will be able to send
data in.

This is the output on my OSSEC server:
[EMAIL PROTECTED] ~]$ ps ax | grep ossec
 8875 ?        S      0:00 /var/ossec/bin/ossec-maild
 8879 ?        S      0:00 /var/ossec/bin/ossec-execd
 8883 ?        S      7:21 /var/ossec/bin/ossec-analysisd
 8887 ?        S      0:00 /var/ossec/bin/ossec-logcollector
 8893 ?        Sl    18:39 /var/ossec/bin/ossec-remoted
 8898 ?        S      5:02 /var/ossec/bin/ossec-syscheckd
 8902 ?        S      0:00 /var/ossec/bin/ossec-monitord
  860 pts/0    S+     0:00 grep ossec

Can you maybe send your ossec.log file (probably
/var/ossec/logs/ossec.log)? It should give some useful output. Either
way, the first thing I would check is the permissions on /var/ossec and
its assorted subdirectories. I have read, write and execute for owner
and group, and have everything owned by the ossec user and the ossec group.

Try that on for size, and let us know how it works out.

Philippe Bechamp wrote:
> Hi Steve,
> 
> Thank you very much for your response. I should have mentioned that the 
> server works fine and that I receive alerts for other events such as stopping 
> and starting the OSSEC services.
> 
> I might also mention that I put the firewall down before testing.
> 
> Any other ideas?
> 
> [EMAIL PROTECTED] MyName]# ps ax | grep ossec
> 12315 ?        S      0:00 /var/ossec/bin/ossec-maild
> 12319 ?        S      0:00 /var/ossec/bin/ossec-execd
> 12323 ?        S      0:37 /var/ossec/bin/ossec-analysisd
> 12327 ?        S      0:00 /var/ossec/bin/ossec-logcollector
> 12331 ?        S     10:07 /var/ossec/bin/ossec-syscheckd
> 12335 ?        S      0:00 /var/ossec/bin/ossec-monitord
>  2934 pts/3    S+     0:00 grep ossec
> 
> Thanks!
> 
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of 
> Steve McMaster
> Sent: Thursday, January 31, 2008 3:59 PM
> To: [email protected]
> Subject: [ossec-list] Re: Second try: Help with logging from win client to 
> server please.
> 
> 
> Your server doesn't seem to be running. Can you run
> # ps ax | grep ossec
> on your server?
> 
> Philippe Bechamp wrote:
>> Anyone have a few minutes? I tried here and the IRC channel and no one
>> responds L.. I would much appreciate the help. Philippe.
>>
>> ------------------------------------------------------------------------
>>
>> *From:* Philippe Bechamp
>> *Sent:* Monday, January 28, 2008 2:47 PM
>> *To:* '[email protected]'
>> *Subject:* Help with logging from win client to server please.
>>
>> Can I kindly request help in troubleshooting an issue I am having with a
>> win client connecting to a server.
>>
>> My win client is configured as such:
>>
>> <client>
>>     <!-- IP address of the Ossec HIDS server. -->
>>     <server-ip>10.17.X.X</server-ip>
>> </client>
>>
>> My server is as such:
>>
>> <remote>
>>     <connection>secure</connection>
>>     <port>1514</port>
>>     <allowed-ips>10.16.X.X</allowed-ips>
>>     <local-ip>10.17.X.X</local-ip>
>> </remote>
>>
>> Everything seems like it's running fine. I have a test trigger in
>> performance monitor to generate a log entry every few seconds for testing.
>>
>> If I start tethereal on the server I get:
>>
>> [EMAIL PROTECTED] myname]# /usr/sbin/tethereal -f src host 10.16.X.X or
>> dst host 10.16.X.X
>> Capturing on eth0
>>   0.000000 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination
>> port: 1514
>>   0.001290 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port
>> unreachable)
>>
>>   104.001045 10.16.X.X -> 10.17.X.X UDP Source port: 1634  Destination
>> port: 1514
>>   104.001082 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port
>> unreachable)
>>
>> And if I check if there's anything running on 1514 I get:
>>
>> [EMAIL PROTECTED] myname]# netstat -l -p | grep 1514
>> [EMAIL PROTECTED] myname]#
>>
>> Any ideas what I should check?
>>
>> Thanks!
>>
>> Philippe.
>>
>> --
>> Philippe Béchamp
>> Senior Security Analyst
>> Openwave Systems
>> +1-819-334-3434 (@bell.ca for sms)
>>

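As an added example (not code from the thread or from the OSSEC project), a small POSIX sh check that turns Steve's diagnosis into something repeatable: it compares a `ps ax` listing against the daemon set his working server shows and reports what is missing, and `ossec_live_check` (my addition) also confirms something is bound on udp/1514, the port from Philippe's `<remote>` block. The sample listing is Philippe's, embedded as constructed input.

```shell
#!/bin/sh
# Daemons a working OSSEC server shows (taken from the ps output earlier in the thread).
OSSEC_EXPECTED="ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord"

# ossec_missing_daemons: read `ps ax` output on stdin and print the expected daemons
# that have no /var/ossec/bin/<daemon> process. Prints an empty line when all are up.
ossec_missing_daemons() {
    # field 5 of `ps ax` is the command; keep only /var/ossec/bin/ossec-* and strip the path
    running=$(awk '$5 ~ /^\/var\/ossec\/bin\/ossec-/ { sub(".*/", "", $5); print $5 }' | tr '\n' ' ')
    missing=""
    for d in $OSSEC_EXPECTED; do
        case " $running" in
            *" $d "*) ;;
            *) missing="$missing $d" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the listing Philippe posted (note: no ossec-remoted line).
SAMPLE_PS='12315 ?        S      0:00 /var/ossec/bin/ossec-maild
12319 ?        S      0:00 /var/ossec/bin/ossec-execd
12323 ?        S      0:37 /var/ossec/bin/ossec-analysisd
12327 ?        S      0:00 /var/ossec/bin/ossec-logcollector
12331 ?        S     10:07 /var/ossec/bin/ossec-syscheckd
12335 ?        S      0:00 /var/ossec/bin/ossec-monitord
 2934 pts/3    S+     0:00 grep ossec'

# check_sample: the daemons missing from the constructed sample (expected: ossec-remoted).
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | ossec_missing_daemons
}

# ossec_live_check: run on the real server. Returns 1 if a daemon is missing or if
# nothing listens on udp/1514, which is exactly the state that produces the
# "ICMP Destination unreachable (Port unreachable)" replies seen in the capture.
ossec_live_check() {
    missing=$(ps ax | ossec_missing_daemons)
    [ -z "$missing" ] || { echo "missing daemons: $missing"; return 1; }
    netstat -lnu 2>/dev/null | grep -q ':1514 ' || { echo "nothing listening on udp/1514"; return 1; }
    echo "all OSSEC daemons running and udp/1514 bound"
}
```

On the server itself, `ossec_live_check` is the call to run; when it reports a missing daemon, the next place to look is /var/ossec/logs/ossec.log, as suggested above.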