Hi Mattias,

It doesn't look like the server is receiving the messages. Can you run
the following commands (server side):

# cat /var/ossec/logs/ossec.log | grep remote
# /var/ossec/bin/ossec-control status
# netstat -uanep |grep 1514
# iptables -L

Also, note that tcpdump listens to the traffic before iptables, so it
might still be blocked...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
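
The output of the `netstat` and `iptables -L` checks above can be read mechanically. The following is an added example, not part of the original message and not OSSEC code; the function names and sample output are constructed, and it assumes that `iptables -L` without `-n` prints port 1514 under the service name `fujitsu-dtcns`, as the tcpdump output in this thread does.

```shell
#!/bin/sh
# Added example (not from the thread): read saved output of the server-side
# checks and say whether UDP 1514 is bound and what iptables does with it.
# Function names and all sample text are constructed for illustration.

# Exit 0 if `netstat -uanep` output on stdin shows a UDP socket bound to :1514.
udp_1514_bound() {
    awk '$1 ~ /^udp/ && $4 ~ /:1514$/ { found = 1 } END { exit !found }'
}

# Print the target of the first rule naming UDP 1514 in `iptables -L` output
# on stdin, else the INPUT policy. Simplification: FORWARD/OUTPUT are skipped,
# catch-all rules and source or interface matches are not evaluated.
input_verdict_1514() {
    awk '
        /^Chain / { scan = ($2 != "FORWARD" && $2 != "OUTPUT")
                    if ($2 == "INPUT") { policy = $4; sub(/\)$/, "", policy) }
                    next }
        # Without -n, iptables prints the service name for 1514 (fujitsu-dtcns).
        scan && !hit && $2 == "udp" && /dpt:(1514|fujitsu-dtcns)( |$)/ { hit = $1 }
        END { print (hit ? hit : policy) }
    '
}

# Combine both checks: $1 = netstat output, $2 = iptables -L output.
diagnose() {
    if ! printf '%s\n' "$1" | udp_1514_bound; then
        echo "not-listening"        # nothing bound to UDP 1514
    else
        case "$(printf '%s\n' "$2" | input_verdict_1514)" in
            ACCEPT) echo "listening-allowed" ;;
            *)      echo "listening-filtered" ;;  # tcpdump still sees packets
        esac
    fi
}

# Constructed sample input.
SAMPLE_NETSTAT='udp    0   0 0.0.0.0:1514   0.0.0.0:*   0   12345   1234/ossec-remoted'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       udp  --  anywhere             anywhere            udp dpt:fujitsu-dtcns

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

diagnose "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES"
```
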


On Mon, Sep 29, 2008 at 8:22 AM, Mattias Hemmmingsson
<[EMAIL PROTECTED]> wrote:
>
> Hello
>
> Have 2 systems, one running CentOS and one running Ubuntu.
> I'm receiving the same error from both systems.
>
> The agent can't connect to the server
>
> agents logfiles
>
> 09/29 13:13:22 ossec-agentd: INFO: Trying to connect to server
> (192.168.0.1:1514).
> 2008/09/29 13:13:32 ossec-agentd(1218): ERROR: Unable to send message
> to server.
> 2008/09/29 13:13:43 ossec-agentd(1218): ERROR: Unable to send message
> to server.
> 2008/09/29 13:13:43 ossec-agentd(4101): WARN: Waiting for server reply
> (not started). Tried:
>
> Server logfiles
>
> 09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/maillog'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/httpd/error_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/httpd/access_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file:
> '/etc/httpd/logs/access_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file:
> '/etc/httpd/logs/error_log'.
> 2008/09/29 11:46:39 ossec-logcollector: INFO: Started (pid: 15424).
> 2008/09/29 11:51:45 ossec-syscheckd: INFO: Starting syscheck scan (db).
> 2008/09/29 11:58:26 ossec-syscheckd: INFO: Ending syscheck scan (db).
> 2008/09/29 11:58:46 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2008/09/29 12:06:00 ossec-rootcheck: INFO: Ending rootcheck scan.
>
>
> If I run a tcpdump on the server I get
> 11:52:09.223972 IP (tos 0x0, ttl  64, id 44473, offset 0, flags [DF],
> proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 >
> 192.168.3.8.fujitsu-dtcns: UDP, length 73
> 11:52:14.932327 IP (tos 0x0, ttl  64, id 44474, offset 0, flags [DF],
> proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 >
> 192.168.3.8.fujitsu-dtcns: UDP, length 73
> 11:52:24.285779 IP (tos 0x0, ttl  64, id 44475, offset 0, flags [DF],
> proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 >
> 192.168.3.8.fujitsu-dtcns: UDP, length 73
>
>
> Which indicates that the agents' messages get to the server but the
> ossec server would not receive the data.
> Have tried to reinstall all agents and server. And there is no
> firewall or any other restriction between the servers.
>
> Any ideas?
>
>
> // matte