Yes, I did it, I followed the instructions to add the agents and pass
the SSL keys generated in the server to the clients. I still don't know
why remoted doesn't feel like working on my system.
What else should I check?
Where does ossec keep the list of remotely managed agents?
Thanks for your help,
Jose
Daniel Cid escribió:
Hi Jose,
Did you add your agents using the manage_agents tool? If you don't
have any agent configured,
remoted will exit.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Mar 25, 2009 at 10:32 AM, Jose Luis Vázquez González
<[email protected]> wrote:
Thanks,
Just added some allowed-ips and now remoted is running... but it is still
not listening and the agents "don't get permission".
There must be something more to fix.
Jose
ddp escribió:
Do you have options like either of the following in ossec.conf
(/var/ossec/etc/ossec.conf):
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.1.0/24</allowed-ips>
</remote>
<remote>
<connection>secure</connection>
</remote>
I believe with the first option (syslog) you'll need to setup syslog
to listen for network connections.
dan
2009/3/25 Jose Luis Vázquez González <[email protected]>:
Hi,
The agents can't connect to my ossec server and I learned that it is because
it is NOT even listening to them!!
When I do:
#netstat -uanep |grep 1514
I get nothing back.
Then, when I try to restart the ossec it tries to start the remoted server:
$ sudo /etc/init.d/ossec restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
But the process dies inmediately:
$ ps -aef |grep ossec
ossecm 4019 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-maild
root 4023 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 4027 1 1 09:02 ? 00:00:00
/var/ossec/bin/ossec-analysisd
root 4031 1 0 09:02 ? 00:00:00
/var/ossec/bin/ossec-logcollector
root 4044 1 0 09:02 ? 00:00:00
/var/ossec/bin/ossec-syscheckd
ossec 4048 1 0 09:02 ? 00:00:00
/var/ossec/bin/ossec-monitord
admin 4052 2712 0 09:02 pts/0 00:00:00 grep ossec
Checking the logs, it seems that the server decides it has no work to do
(lazy bastard!) and exists:
$ cat /var/ossec/logs/ossec.log |grep remote
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4035).
2009/03/25 09:02:07 ossec-remoted(1501): ERROR: No IP or network allowed in
the access list for syslog. No reason for running it. Exiting.
2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4037).
2009/03/25 09:02:07 ossec-remoted(4111): INFO: Maximum number of agents
allowed: '256'.
2009/03/25 09:02:07 ossec-remoted(1410): INFO: Reading authentication keys
file.
It seems there is something left to configure or to fix to force the
ossec-remoted to stay at work.
What is it?
Where do I have to "set the IP or network allowed in the access list for
syslog"?
Thanks in advance!
Jose
|
