Thanks,
Just added some allowed-ips and now remoted is running... but it is
still not listening and the agents "don't get permission".
There must be something more to fix.
Jose
ddp wrote:
Do you have options like either of the following in ossec.conf
(/var/ossec/etc/ossec.conf):
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.1.0/24</allowed-ips>
</remote>
<remote>
<connection>secure</connection>
</remote>
I believe with the first option (syslog) you'll need to set up syslog
to listen for network connections.
dan
2009/3/25 Jose Luis Vázquez González <[email protected]>:
Hi,
The agents can't connect to my ossec server and I learned that it is because
it is NOT even listening to them!!
When I do:
#netstat -uanep |grep 1514
I get nothing back.
Then, when I try to restart the ossec it tries to start the remoted server:
$ sudo /etc/init.d/ossec restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
But the process dies immediately:
$ ps -aef |grep ossec
ossecm 4019 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-maild
root 4023 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 4027 1 1 09:02 ? 00:00:00 /var/ossec/bin/ossec-analysisd
root 4031 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-logcollector
root 4044 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-syscheckd
ossec 4048 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-monitord
admin 4052 2712 0 09:02 pts/0 00:00:00 grep ossec
Checking the logs, it seems that the server decides it has no work to do
(lazy bastard!) and exits:
$ cat /var/ossec/logs/ossec.log |grep remote
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4035).
2009/03/25 09:02:07 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4037).
2009/03/25 09:02:07 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2009/03/25 09:02:07 ossec-remoted(1410): INFO: Reading authentication keys file.
It seems there is something left to configure or to fix to force the
ossec-remoted to stay at work.
What is it?
Where do I have to "set the IP or network allowed in the access list for
syslog"?
Thanks in advance!
Jose
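The error in Jose's log, ossec-remoted(1501), is raised by a <remote> block whose <connection> is syslog but which carries no <allowed-ips>; the agent side is a separate <remote> block with <connection>secure</connection>. The script below is an added example for this thread, not OSSEC project code: it parses an ossec.conf, reports any syslog block that would make remoted exit, and reports whether a secure block (the agent listener, UDP 1514 by default) exists at all. The two embedded configs are constructed samples, not the poster's file; the path argument and the synthetic wrapper element are assumptions of this example. One caveat reflected in the code: ossec.conf may contain several top-level <ossec_config> blocks, so it is not one well-formed XML document and has to be wrapped before a standard parser will accept it.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the poster's file). The first reproduces the
# condition behind the remoted(1501) log line in the thread: a syslog <remote>
# block with no <allowed-ips>. The second is the corrected shape dan
# describes, with a separate "secure" block for the agents.
BROKEN_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
</ossec_config>
"""

FIXED_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may contain several top-level <ossec_config> blocks, which
    is not one well-formed XML document; wrap them in a synthetic root
    (the root element name is this example's own choice)."""
    return ET.fromstring("<ossec_lint_root>" + text + "</ossec_lint_root>")


def check_remote_blocks(text):
    """Return one dict per <remote> block: its connection type, its
    allowed-ips entries, and the findings that would stop that remoted."""
    results = []
    for remote in parse_ossec_conf(text).iter("remote"):
        conn = (remote.findtext("connection") or "").strip()
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
        findings = []
        if conn == "syslog" and not allowed:
            findings.append("syslog block has no <allowed-ips>: remoted(1501) exits")
        if conn not in ("syslog", "secure"):
            findings.append(f"unknown <connection> value {conn!r}")
        results.append({"connection": conn, "allowed_ips": allowed, "findings": findings})
    return results


def has_agent_listener(text):
    """True if some <remote> block is <connection>secure</connection>, the
    listener agents talk to (UDP 1514 by default); it needs no allowed-ips."""
    return any(r["connection"] == "secure" for r in check_remote_blocks(text))


def lint(text):
    """Flat list of human-readable findings for the whole file."""
    out = [f for r in check_remote_blocks(text) for f in r["findings"]]
    if not has_agent_listener(text):
        out.append("no <connection>secure</connection> block: nothing will accept agents")
    return out


if __name__ == "__main__":
    import sys

    # Assumed usage: python ossec_remote_lint.py /var/ossec/etc/ossec.conf
    # With no argument, lint the constructed BROKEN_CONF sample instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for line in lint(text) or ["no problems found in <remote> blocks"]:
        print(line)
```

Run it against the live file before restarting, then confirm the listener with `netstat -uanep | grep 1514` as in the thread; a syslog block that is fixed by adding allowed-ips does not by itself create the agent listener, which only the secure block provides.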