Sergio,
I made a mistake under remote add the address under <connection>syslog</connection> not secure. When you restart ossec you should see in your log file that the address in question is now allowed. Thanks Dennis Carter Business Technology Services 727-464-4527 ________________________________ From: Carter, Dennis A Sent: Tuesday, December 22, 2009 9:33 AM To: '[email protected]' Cc: '[email protected]' Subject: RE: [ossec-list] OSSEC on Xen host Sergio, Try adding the IP address in your ossec.conf file to the remote tab. <remote> <connection>secure</connection> <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips> </remote> The xxx.xxx.xxx.xxx. is the IP of your Dom0. I had the same problem were I have two interfaces on a single server the ossec agent bind to one of the addresses but not to the other. I added the second address under the remote tab in the ossec.conf file and restarted the ossec. The message I get now is the address is allowed. I hope this helps. Dennis Carter Business Technology Services 727-464-4527 ________________________________ From: [email protected] [mailto:[email protected]] On Behalf Of Sergio Charpinel Jr. Sent: Tuesday, December 22, 2009 5:36 AM To: [email protected] Subject: Re: [ossec-list] OSSEC on Xen host Yes. But the client has an diffente IP. And when I start OSSEC in the client, I receive it in the client side: ossec-agentd: INFO: Trying to connect to server yyy.yyy.yyy.yyy ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'yyy.yyy.yyy.yyy'. And in the server side that message: ossec-remoted(1213): WARN: Message from xxx.xxxx.xxx.xxx not allowed. Where xxx.xxx.xxx.xxx is not the IP of my client. Is the IP of my Dom0. 2009/12/21 Wim Remes <[email protected]> Hi, I doubt that this has anything to do with your server running on a Xen host. The message generally appears if the key on your client does not correspond with the key on your server. Have you imported the key on the client ? Cheers, Wim On 21 Dec 2009, at 15:13, Sergio Charpinel Jr wrote: > Hi, > > I'm running OSSEC server on Xen host, and When I add a client to it, a > receive a lot of messages: > > ossec-remoted(1213): WARN: Message from xxx.xxxx.xxx.xxx not allowed. > > Where xxx.xxx.xxx.xxx is the IP of my Dom0 . > > Any ideas? > > Thanks in advance. -- Sergio Roberto Charpinel Jr.
