Hi,

The agents can't connect to my ossec server and I learned that it is because it is NOT even listening to them!!

When I do: 
#netstat -uanep |grep 1514
I get nothing back.

Then, when I try to restart the ossec it tries to start the remoted server:
$ sudo /etc/init.d/ossec  restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..


But the process dies immediately:
$ ps -aef |grep ossec
ossecm    4019     1  0 09:02 ?        00:00:00 /var/ossec/bin/ossec-maild
root      4023     1  0 09:02 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec     4027     1  1 09:02 ?        00:00:00 /var/ossec/bin/ossec-analysisd
root      4031     1  0 09:02 ?        00:00:00 /var/ossec/bin/ossec-logcollector
root      4044     1  0 09:02 ?        00:00:00 /var/ossec/bin/ossec-syscheckd
ossec     4048     1  0 09:02 ?        00:00:00 /var/ossec/bin/ossec-monitord
admin     4052  2712  0 09:02 pts/0    00:00:00 grep ossec


Checking the logs, it seems that the server decides it has no work to do (lazy bastard!) and exits:
$ cat /var/ossec/logs/ossec.log |grep remote
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4035).
2009/03/25 09:02:07 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4037).
2009/03/25 09:02:07 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2009/03/25 09:02:07 ossec-remoted(1410): INFO: Reading authentication keys file.


It seems there is something left to configure or to fix to force the ossec-remoted to stay at work.
What is it?
Where do I have to "set the IP or network allowed in the access list for syslog"?

Thanks in advance!

Jose
