Hi Jose,

Most of the time these errors are related to the authentication keys, but since you are not getting any error on the manager's ossec.log, I suspect it is related to the network communication.

-First, make sure that the server is listening on port 1514:

    # netstat -uanep |grep 1514

-Second, look at the manager's ossec.log. You should see the following:

    # cat /var/ossec/logs/ossec.log | grep remoted
    ossec-remoted: INFO: Reading authentication keys file
    ossec-remoted: INFO: Assigning counter for agent testxx: '0:0'.

-If you don't see them, look for errors:

    # cat /var/ossec/logs/ossec.log | grep remoted (or grep WARN or grep ERROR)

-If none of this works, try running tcpdump on the manager and agent (tcpdump -nn udp port 1514) to see if they are seeing the same traffic.

*Note that if you add your first agent after you start OSSEC it will not work. You need to restart it.

Try these and let us know... If you still get stuck, send us the output of them, plus the version of ossec (and os info) to help us understand the issue.

*Kartik Chadha: what rootkit do you have installed? How do you know it?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Mar 18, 2009 at 7:00 PM, Kartik Chadha <[email protected]> wrote:
>
> I have the same problem..
>
> Agents not communicating with the server.
>
> Checked everything (firewall, ports) but still no communication.
>
> Also, rootkits are not being detected by agents.
>
> Need help...thanks
>
> Charlotteix9
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jose Luis Vázquez González
> Sent: March-18-09 4:53 AM
> To: ossec-list
> Subject: [ossec-list] Ossec agents not communcating with the server
>
>
> The ossec agents are NOT communicating with the server...
>
> 1) IT IS NOT a firewall issue, FIRST I added the 1514/udp rule to the
> server firewall, THEN I even tried to take down iptables completely in
> both agents AND the server.
>
> 2) I reinstalled the keys (as explained here
> http://www.ossec.net/wiki/index.php/Errors:AgentCommunication) on one
> agent and it didn't work either.
>
> Symptoms:
>
> One agent complains that:
> "Process locked..."
> "Trying to connect to server..."
> "Error: Unable to connect to server"
>
> The other (the one with renewed keys) complains that:
> "Process locked..." (and stays like that forever)
>
> The server DOES NOT produce any output WHEN the clients complain. But
> I have checked some previous complaints in which ossec-remoted says:
> "Error: No IP or network allowed in the access file list for
> syslog..."
>
> Has this any solution or should I just give up and "throw ossec to the
> bin"?
>
> (I am a developer most of my time more than a sysadmin, so I don't
> have much time to spare on things like this)
>
> Thanks in advance for any responses!
>
>
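The manager-side log check from the reply above, written as a small triage script. This is an added example, not part of the original thread or of OSSEC itself. The function names, the verdict words, and the timestamped sample lines are constructed assumptions; only the message texts come from the thread.

```shell
#!/usr/bin/env bash
# Added example: classify the ossec-remoted lines in a manager log,
# using the messages quoted in the thread. Sample logs are constructed.

# Print a one-word verdict for the log file given as $1.
remoted_verdict() {
    local log="$1" keys counters problems
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    keys=$(grep -c 'ossec-remoted.*Reading authentication keys file' "$log" || true)
    counters=$(grep -c 'ossec-remoted.*Assigning counter for agent' "$log" || true)
    problems=$(grep 'ossec-remoted' "$log" | grep -Eci ': *(ERROR|WARN)' || true)

    if [ "$problems" -gt 0 ]; then
        echo "errors"           # remoted logged ERROR/WARN lines: read those first
    elif [ "$keys" -eq 0 ] || [ "$counters" -eq 0 ]; then
        echo "restart-manager"  # keys not loaded, e.g. first agent added after start
    else
        echo "log-ok"           # log looks healthy: compare tcpdump on both ends next
    fi
}

# Write a constructed sample log of kind $1 (ok|nokeys|error) to file $2.
write_sample_log() {
    case "$1" in
        ok)     printf '%s\n' \
                  "2009/03/18 19:00:01 ossec-remoted: INFO: Reading authentication keys file" \
                  "2009/03/18 19:00:01 ossec-remoted: INFO: Assigning counter for agent testxx: '0:0'." ;;
        nokeys) printf '%s\n' \
                  "2009/03/18 19:00:01 ossec-remoted: INFO: Started (pid: 1234)." ;;
        error)  printf '%s\n' \
                  "2009/03/18 19:00:01 ossec-remoted: ERROR: No IP or network allowed in the access file list for syslog" ;;
    esac > "$2"
}

# Demo over the three constructed logs.
tmp=$(mktemp)
for kind in ok nokeys error; do
    write_sample_log "$kind" "$tmp"
    echo "$kind -> $(remoted_verdict "$tmp")"
done
rm -f "$tmp"
```

On a real manager, call `remoted_verdict /var/ossec/logs/ossec.log`; a `log-ok` verdict means the next step is the tcpdump comparison on UDP port 1514.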
