Hi All,
I'm still having the server/agent communication issue despite there not being a firewall between the server and agent hosts. I've tried re-creating and adding the authentication keys and still no luck. I've included my agent configuration and logs below in case anyone has any input. I also tried enabling debug in internal_options.conf by turning on agent debug, but I don't see additional information in the logs after restarting the agent.
# Unix agentd
agent.debug=2
Any help you can provide will be greatly appreciated. Thanks!
Client configuration below
____________________________________________
The client in question is Solaris 8:
SunOS stom1 5.8 Generic_117350-46 sun4u sparc
/etc/ossec-init.conf:
stom1.sj3# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v1.4"
DATE="Mon Jun 2 02:56:37 PDT 2008"
TYPE="agent"
/var/ossec/etc/ossec.conf:
<ossec_config>
  <client>
    <server-ip>10.136.1.45</server-ip>
  </client>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 6 hours -->
    <frequency>21600</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/messages</location>
  </localfile>
</ossec_config>
/var/ossec/logs/ossec.log:
2008/06/11 13:22:00 ossec-execd: Started (pid: 25532).
2008/06/11 13:22:00 ossec-agentd(1410): Reading authentication keys file.
2008/06/11 13:22:00 ossec-agentd: No previous counter available for 'stom1.sj3.escalate.com'.
2008/06/11 13:22:00 ossec-agentd: Assigning counter for agent stom1.sj3.escalate.com: '0:0'.
2008/06/11 13:22:00 ossec-agentd: Assigning sender counter: 0:1162
2008/06/11 13:22:00 ossec-agentd: Started (pid: 25543).
2008/06/11 13:22:00 ossec-agentd: Connecting to server (10.136.1.45:1514).
2008/06/11 13:22:00 ossec-rootcheck: System audit file not configured.
2008/06/11 13:22:03 ossec-syscheckd: Started (pid: 25552).
2008/06/11 13:22:03 ossec-rootcheck: Started (pid: 25552).
2008/06/11 13:22:06 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
2008/06/11 13:22:06 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2008/06/11 13:22:06 ossec-logcollector(1950): Analyzing file: '/var/adm/messages'.
2008/06/11 13:22:06 ossec-logcollector: Started (pid: 25549).
2008/06/11 13:22:15 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:22:31 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:23:02 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:23:48 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:24:17 ossec-logcollector: Process locked. Waiting for permission...
2008/06/11 13:24:49 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:25:40 ossec-syscheckd: Process locked. Waiting for permission...
2008/06/11 13:26:05 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:27:36 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:29:22 ossec-agentd(4101): Waiting for server reply (not started).
2008/06/11 13:31:24 ossec-agentd(4101): Waiting for server reply (not started).