Hi Philippe,

Did you choose the "server" type when installing OSSEC? Also, make sure that you added your agent to the server (using manage_agents). If you have no agent added, remoted will not run...

If you did it all, do a cat on the /var/ossec/logs/ossec.log and look for any error from remoted:

# cat /var/ossec/logs/ossec.log | grep remoted

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Feb 1, 2008 12:56 PM, Philippe Bechamp <[EMAIL PROTECTED]> wrote:
>
> Hi Steve,
>
> Thank you very much for your response. I should have mentioned that the
> server works fine and that I receive alerts for other events such as stopping
> and starting the OSSEC services.
>
> I might also mention that I put the firewall down before testing.
>
> Any other ideas ?
>
> [EMAIL PROTECTED] MyName]# ps ax | grep ossec
> 12315 ?        S      0:00 /var/ossec/bin/ossec-maild
> 12319 ?        S      0:00 /var/ossec/bin/ossec-execd
> 12323 ?        S      0:37 /var/ossec/bin/ossec-analysisd
> 12327 ?        S      0:00 /var/ossec/bin/ossec-logcollector
> 12331 ?        S     10:07 /var/ossec/bin/ossec-syscheckd
> 12335 ?        S      0:00 /var/ossec/bin/ossec-monitord
>  2934 pts/3    S+     0:00 grep ossec
>
> Thanks !
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of
> Steve McMaster
> Sent: Thursday, January 31, 2008 3:59 PM
> To: [email protected]
> Subject: [ossec-list] Re: Second try: Help with logging from win client to
> server please.
>
> Your server doesn't seem to be running. Can you run
> # ps ax | grep ossec
> on your server?
>
> Philippe Bechamp wrote:
> >
> > Anyone have a few minutes? I tried here and the IRC channel and no one
> > responds :(. I would much appreciate the help. Philippe.
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Philippe Bechamp
> > *Sent:* Monday, January 28, 2008 2:47 PM
> > *To:* '[email protected]'
> > *Subject:* Help with logging from win client to server please.
> >
> > Can I kindly request help in troubleshooting an issue I am having with a
> > win client connecting to a server.
> >
> > My win client is configured as such:
> >
> >   <client>
> >     <!-- IP address of the Ossec HIDS server. -->
> >     <server-ip>10.17.X.X</server-ip>
> >   </client>
> >
> > My server is as such:
> >
> >   <remote>
> >     <connection>secure</connection>
> >     <port>1514</port>
> >     <allowed-ips>10.16.X.X</allowed-ips>
> >     <local-ip>10.17.X.X</local-ip>
> >   </remote>
> >
> > Everything seems like it's running fine. I have a test trigger in
> > performance monitor to generate a log entry every few seconds for testing.
> >
> > If I start tethereal on the server I get:
> >
> > [EMAIL PROTECTED] myname]# /usr/sbin/tethereal -f src host 10.16.X.X or
> > dst host 10.16.X.X
> > Capturing on eth0
> >   0.000000 10.16.X.X -> 10.17.X.X UDP Source port: 1634 Destination
> > port: 1514
> >   0.001290 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port
> > unreachable)
> >
> > 104.001045 10.16.X.X -> 10.17.X.X UDP Source port: 1634 Destination
> > port: 1514
> > 104.001082 10.17.X.X -> 10.16.X.X ICMP Destination unreachable (Port
> > unreachable)
> >
> > And if I check if there's anything running on 1514 I get:
> >
> > [EMAIL PROTECTED] myname]# netstat -l -p | grep 1514
> > [EMAIL PROTECTED] myname]#
> >
> > Any ideas what I should check ?
> >
> > Thanks !
> >
> > Philippe.
> >
> > --
> > Philippe Béchamp
> > Senior Security Analyst
> > Openwave Systems
> > +1-819-334-3434 (@bell.ca for sms)
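
The checks suggested in the reply at the top of this thread, gathered into shell functions as an added example (not code from the thread or from the OSSEC project). It assumes a stock /var/ossec layout with agent keys in etc/client.keys; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths default to a stock /var/ossec
# install (assumption); every function takes an explicit path for testing.
OSSEC_DIR=${OSSEC_DIR:-/var/ossec}

# Agents added with manage_agents land in client.keys, one
# "ID NAME IP KEY" line each. Prints the count (0 if the file is missing).
count_agents() {
    keys=${1:-$OSSEC_DIR/etc/client.keys}
    [ -r "$keys" ] || { echo 0; return 0; }
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$keys"
}

# Print ossec.log lines from remoted that carry ERROR or CRITICAL.
remoted_errors() {
    log=${1:-$OSSEC_DIR/logs/ossec.log}
    [ -r "$log" ] || return 0
    grep 'remoted' "$log" | grep -E 'ERROR|CRITICAL' || true
}

# Read `netstat -lun` output on stdin; succeed if a UDP socket is bound
# to the port (default 1514, the <port> value quoted in the thread).
# -n matters: without it netstat may print a service name, not 1514.
udp_listening() {
    awk -v p="${1:-1514}" '$1 ~ /^udp/ && $4 ~ (":" p "$") { f = 1 }
                           END { exit !f }'
}

# Run the checks in the order the reply gives them.
# Exit status: 0 ok, 1 no agents registered, 2 remoted logged errors.
diagnose() {
    n=$(count_agents "$1")
    if [ "$n" -eq 0 ]; then
        echo "no agents in client.keys: run manage_agents, then restart OSSEC"
        return 1
    fi
    errs=$(remoted_errors "$2")
    if [ -n "$errs" ]; then
        printf 'remoted errors:\n%s\n' "$errs"
        return 2
    fi
    echo "$n agent(s) registered, no remoted errors logged"
}

# On a live server (uncomment):
#   diagnose; netstat -lun | udp_listening && echo "1514/udp is bound"
```

An empty client.keys together with nothing bound on 1514/udp matches the symptoms in the original post: every other daemon is running, and the agent's packets are answered with ICMP port unreachable.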
