
Hi Daniel

The funny thing is that I have the same problem on two systems, one
running CentOS and one running Ubuntu.
So I see from the output that OSSEC is not listening, is that right?

How can I make it start listening on the right interface?

See the command output below.
// matte

The command returns on the CentOS server:

[EMAIL PROTECTED] bin]# cat /var/ossec/logs/ossec.log | grep remote
[EMAIL PROTECTED] bin]#

[EMAIL PROTECTED] bin]# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
[EMAIL PROTECTED] bin]#

[EMAIL PROTECTED] bin]# netstat -uanep |grep 1514
[EMAIL PROTECTED] bin]#

[EMAIL PROTECTED] bin]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[EMAIL PROTECTED] bin]#

On the Ubuntu servers:

[EMAIL PROTECTED]:/home/mat# cat /var/ossec/logs/ossec.log | grep remote
[EMAIL PROTECTED]:/home/mat#

[EMAIL PROTECTED]:/home/mat#  /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
[EMAIL PROTECTED]:/home/mat#

[EMAIL PROTECTED]:/home/mat# netstat -uanep |grep 1514
[EMAIL PROTECTED]:/home/mat#
[EMAIL PROTECTED]:/home/mat#  iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[EMAIL PROTECTED]:/home/mat#





Daniel Cid wrote:
> Hi Mattias,
>
> It doesn't look like the server is receiving the messages. Can you
> run the following commands (server side):
>
> # cat /var/ossec/logs/ossec.log | grep remote
> # /var/ossec/bin/ossec-control status
> # netstat -uanep |grep 1514
> # iptables -L
>
> Also, note that tcpdump listens to the traffic before iptables, so
> it might still be blocked...
>
> Thanks,
>
> -- Daniel B. Cid dcid ( at ) ossec.net
>
>
> On Mon, Sep 29, 2008 at 8:22 AM, Mattias Hemmmingsson
> <[EMAIL PROTECTED]> wrote:
>
> Hello
>
> Have 2 systems, one running CentOS and one running Ubuntu. I'm
> receiving the same error from both systems.
>
> The agent can't connect to the server
>
> Agent's logfiles
>
> 09/29 13:13:22 ossec-agentd: INFO: Trying to connect to server (192.168.0.1:1514).
> 2008/09/29 13:13:32 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2008/09/29 13:13:43 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2008/09/29 13:13:43 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried:
>
> Server logfiles
>
> 09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/access_log'.
> 2008/09/29 11:46:39 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/error_log'.
> 2008/09/29 11:46:39 ossec-logcollector: INFO: Started (pid: 15424).
> 2008/09/29 11:51:45 ossec-syscheckd: INFO: Starting syscheck scan (db).
> 2008/09/29 11:58:26 ossec-syscheckd: INFO: Ending syscheck scan (db).
> 2008/09/29 11:58:46 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2008/09/29 12:06:00 ossec-rootcheck: INFO: Ending rootcheck scan.
>
>
> If I run a tcpdump on the server I get:
>
> 11:52:09.223972 IP (tos 0x0, ttl  64, id 44473, offset 0, flags [DF], proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 > 192.168.3.8.fujitsu-dtcns: UDP, length 73
> 11:52:14.932327 IP (tos 0x0, ttl  64, id 44474, offset 0, flags [DF], proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 > 192.168.3.8.fujitsu-dtcns: UDP, length 73
> 11:52:24.285779 IP (tos 0x0, ttl  64, id 44475, offset 0, flags [DF], proto: UDP (17), length: 101) fo-dev-svn.fareonline.net.36968 > 192.168.3.8.fujitsu-dtcns: UDP, length 73
>
>
> Which indicates that the agents' messages get to the server but
> the OSSEC server would not receive the data. Have tried to
> reinstall all agents and server. And there is no firewall or any
> other restriction between the servers.
>
> Any ideas??
>
>
> // matte
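As an added example (not part of the original messages or of OSSEC itself), this script interprets the output of the `ossec-control status` and `netstat -uanep` checks requested in the thread. On a server installation, ossec-remoted is the daemon that receives agent messages on UDP 1514; the function names and the healthy-case sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: interprets the server-side checks requested in the thread.
# Function names are hypothetical; sample data is constructed.

# remoted_state STATUS_TEXT -> running | stopped | absent
remoted_state() {
    line=$(printf '%s\n' "$1" | grep 'ossec-remoted' || true)
    case "$line" in
        *"not running"*) echo stopped ;;
        *"is running"*)  echo running ;;
        *)               echo absent ;;   # daemon not reported at all
    esac
}

# udp_bound NETSTAT_TEXT PORT -> exit 0 if a UDP socket is bound to PORT
udp_bound() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^udp/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# triage STATUS_TEXT NETSTAT_TEXT -> one-word verdict
triage() {
    state=$(remoted_state "$1")
    if udp_bound "$2" 1514; then
        # Socket exists: tcpdump seeing packets is then not enough, since
        # it captures before iptables; packet filtering is the next check.
        echo listening
    elif [ "$state" = running ]; then
        echo remoted-up-port-unbound
    else
        echo "remoted-$state"
    fi
}

# Constructed from the output posted above: six daemons, no ossec-remoted,
# and an empty netstat result.
STATUS_POSTED='ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...'
NETSTAT_POSTED=''

# Constructed healthy case for comparison.
STATUS_OK="$STATUS_POSTED
ossec-remoted is running..."
NETSTAT_OK='udp        0      0 0.0.0.0:1514      0.0.0.0:*      0      12345      6789/ossec-remoted'

echo "posted:  $(triage "$STATUS_POSTED" "$NETSTAT_POSTED")"
echo "healthy: $(triage "$STATUS_OK" "$NETSTAT_OK")"
```
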