Hi Jose,

Check your logs. Try restarting OSSEC and looking for ossec-remoted in the logs:

# cat /var/ossec/logs/ossec.log |grep remoted

To see the list of remote managed agents, run:

# /var/ossec/bin/agent_control -l

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

2009/4/14 Jose Luis Vázquez González <[email protected]>:
> Yes, I did it, I followed the instructions to add the agents and pass the
> SSL keys generated in the server to the clients. I still don't know why
> remoted doesn't feel like working on my system.
>
> What else should I check?
> Where does ossec keep the list of remotely managed agents?
>
> Thanks for your help,
>
> Jose
>
> Daniel Cid wrote:
>
> Hi Jose,
>
> Did you add your agents using the manage_agents tool? If you don't
> have any agent configured, remoted will exit.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 25, 2009 at 10:32 AM, Jose Luis Vázquez González
> <[email protected]> wrote:
>
> Thanks,
>
> Just added some allowed-ips and now remoted is running... but it is still
> not listening and the agents "don't get permission".
>
> There must be something more to fix.
>
> Jose
>
> ddp wrote:
>
> Do you have options like either of the following in ossec.conf
> (/var/ossec/etc/ossec.conf):
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>192.168.1.0/24</allowed-ips>
> </remote>
>
> <remote>
>   <connection>secure</connection>
> </remote>
>
> I believe with the first option (syslog) you'll need to set up syslog
> to listen for network connections.
> dan
>
> 2009/3/25 Jose Luis Vázquez González <[email protected]>:
>
> Hi,
>
> The agents can't connect to my ossec server and I learned that it is because
> it is NOT even listening to them!!
>
> When I do:
> #netstat -uanep |grep 1514
> I get nothing back.
>
> Then, when I try to restart the ossec it tries to start the remoted server:
> $ sudo /etc/init.d/ossec restart
> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> ossec-remoted not running ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> Killing ossec-execd ..
>
> But the process dies immediately:
> $ ps -aef |grep ossec
> ossecm 4019 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-maild
> root 4023 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-execd
> ossec 4027 1 1 09:02 ? 00:00:00 /var/ossec/bin/ossec-analysisd
> root 4031 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-logcollector
> root 4044 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-syscheckd
> ossec 4048 1 0 09:02 ? 00:00:00 /var/ossec/bin/ossec-monitord
> admin 4052 2712 0 09:02 pts/0 00:00:00 grep ossec
>
> Checking the logs, it seems that the server decides it has no work to do
> (lazy bastard!) and exits:
> $ cat /var/ossec/logs/ossec.log |grep remote
> 2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4035).
> 2009/03/25 09:02:07 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> 2009/03/25 09:02:07 ossec-remoted: INFO: Started (pid: 4037).
> 2009/03/25 09:02:07 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2009/03/25 09:02:07 ossec-remoted(1410): INFO: Reading authentication keys file.
>
> It seems there is something left to configure or to fix to force the
> ossec-remoted to stay at work.
> What is it?
> Where do I have to "set the IP or network allowed in the access list for
> syslog"?
>
> Thanks in advance!
>
> Jose
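
Added example, not part of the original thread and not OSSEC project code: a small Python check that reads the <remote> blocks of an ossec.conf and reports which ones match the two exit conditions discussed above (a syslog block with no allowed-ips, as in error 1501, and a secure block that depends on agents added with manage_agents). The function name, the sample config and the assumption that the file has no XML declaration are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the two <remote> blocks from the thread, with the
# syslog block missing <allowed-ips> as in the reported 1501 error.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""


def audit_remote_blocks(conf_text):
    """Return one finding dict per <remote> block found in conf_text."""
    # ossec.conf may contain several <ossec_config> roots, so wrap the text
    # in a single element (assumes the file carries no <?xml ...?> header).
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for index, remote in enumerate(root.iter("remote"), start=1):
        connection = (remote.findtext("connection") or "").strip().lower()
        allowed = [e.text.strip() for e in remote.findall("allowed-ips")
                   if e.text and e.text.strip()]
        if connection == "syslog" and not allowed:
            status = "no allowed-ips: remoted exits with error 1501"
        elif connection == "syslog":
            status = "syslog accepted from " + ", ".join(allowed)
        elif connection == "secure":
            status = "agent listener: exits if no agent was added with manage_agents"
        else:
            status = "connection type missing or unrecognized"
        findings.append({"block": index, "connection": connection,
                         "allowed_ips": allowed, "status": status})
    return findings


if __name__ == "__main__":
    # Pass a path such as /var/ossec/etc/ossec.conf, or run with no
    # argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONF
    for f in audit_remote_blocks(text):
        print("remote #%d (%s): %s" % (f["block"], f["connection"] or "unset", f["status"]))
```

Pair the output with `netstat -uanep | grep 1514` and the ossec.log lines for ossec-remoted to confirm whether the secure listener is actually up after a restart.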
