And here is a strace of /var/ossec/bin/ossec-remoted:
...........
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\30\0\0004\0\0\0\250"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=38408, ...}) = 0
mmap2(NULL, 41624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e23000
mmap2(0xb7e2c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8) = 0xb7e2c000
close(3) = 0
munmap(0xb7fb0000, 15738) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
_llseek(3, 0, [0], SEEK_CUR) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1179, ...}) = 0
mmap2(NULL, 1179, PROT_READ, MAP_SHARED, 3, 0) = 0xb7fb3000
_llseek(3, 1179, [1179], SEEK_SET) = 0
munmap(0xb7fb3000, 1179) = 0
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ECONNREFUSED (Connection refused)
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ECONNREFUSED (Connection refused)
close(3) = 0
open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
_llseek(3, 0, [0], SEEK_CUR) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=637, ...}) = 0
mmap2(NULL, 637, PROT_READ, MAP_SHARED, 3, 0) = 0xb7fb3000
_llseek(3, 637, [637], SEEK_SET) = 0
munmap(0xb7fb3000, 637) = 0
close(3) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7e586f8) = 4426
exit_group(0) = ?
I created /var/run/nscd/socket with 777 (!) but I have the same problem.
ls -l /var/run/nscd/socket
-rwxrwxrwx 1 root root 0 2010-05-20 11:01 /var/run/nscd/socket
-----Original Message-----
From: BOUTROUILLE PASCAL
Sent: Thursday, May 20, 2010 10:52
To: '[email protected]'
Subject: RE: [ossec-list] No agent available
Hello
Here is the response:
ps -ef | grep /var/ossec/bin/ossec-remoted
root 4069 2450 0 23:28 pts/0 00:00:00 grep /var/ossec/bin/ossec-remoted
-> Apparently it doesn't want to start :( And I don't know why (no error) ...
debiantest:/var/ossec# /var/ossec/bin/ossec-remoted
debiantest:/var/ossec# ps -ef | grep /var/ossec/bin/ossec-remoted
root 4077 2450 0 23:29 pts/0 00:00:00 grep /var/ossec/bin/ossec-remoted
And in the log file today (the server is not at the right time):
2010/05/17 00:01:47 ossec-monitord: No previous md5 checksum found: '/logs/archives/2010/May/ossec-archive-15.log.sum'. Starting over.
2010/05/17 00:01:47 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2010/May/ossec-archive-15.log.sum'. Starting over.
2010/05/17 00:01:47 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2010/May/ossec-alerts-15.log.sum'. Starting over.
2010/05/17 00:01:47 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2010/May/ossec-alerts-15.log.sum'. Starting over.
2010/05/17 00:01:47 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2010/May/ossec-firewall-15.log.sum'. Starting over.
2010/05/17 00:01:47 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2010/May/ossec-firewall-15.log.sum'. Starting over.
2010/05/17 19:59:57 ossec-rootcheck: INFO: Starting rootcheck scan.
2010/05/17 20:02:36 ossec-rootcheck: INFO: Ending rootcheck scan.
2010/05/17 21:52:36 ossec-syscheckd: INFO: Starting syscheck scan.
2010/05/17 21:58:38 ossec-syscheckd: INFO: Ending syscheck scan.
2010/05/17 23:25:19 ossec-remoted: INFO: Started (pid: 4051).
2010/05/17 23:27:26 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
2010/05/17 23:27:41 agent_control(1301): ERROR: Unable to connect to active response queue.
2010/05/17 23:29:15 ossec-remoted: INFO: Started (pid: 4074).
2010/05/17 23:30:58 ossec-remoted: INFO: Started (pid: 4081).
/var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: debiantest (server), IP: 127.0.0.1, Active/Local
/var/ossec/bin/agent_control -r -a
2010/05/17 23:27:26 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
2010/05/17 23:27:41 agent_control(1301): ERROR: Unable to connect to active response queue.
** Unable to connect to remoted.
Thank you
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, May 19, 2010 17:49
To: [email protected]
Subject: Re: [ossec-list] No agent available
On Wed, May 19, 2010 at 5:08 AM, BOUTROUILLE PASCAL
<[email protected]> wrote:
>
>
>
> Hello
>
> I am continuing to search, and I have installed a new server today, but I always
> get the same message: no agent available
> debiantest:~# /var/ossec/bin/agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: debiantest (server), IP: 127.0.0.1, Active/Local
> ID: 001, Name: windows1, IP: 10.113.12.23, Never connected
> ID: 002, Name: linux1, IP: 10.113.12.8, Never connected
> List of agentless devices:
>
> debiantest:~# /var/ossec/bin/list_agents -a
> ** No agent available.
>
> Thank you for your help.
>
>
>
>
Make sure ossec-remoted is running. It may help to run it in debug
mode if there are any issues.
Are there any errors in /var/ossec/logs/ossec.log on either the agents
or the server?
Are there any firewalls that could be in the way?
Can you post your ossec.conf from the server?
Is the correct server IP in the ossec.conf files on the agents?
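
Added example, not part of the original thread and not OSSEC project code: a small shell check for the first two questions above, listing every ossec-remoted start recorded in ossec.log whose pid is no longer a live ossec-remoted, and counting ERROR lines. The function names are hypothetical, the liveness test assumes a Linux /proc, and the sample log is built from lines in this thread with the mail wrapping undone.

```shell
#!/bin/sh
# Print the pid from every "ossec-remoted: INFO: Started (pid: N)." log line.
remoted_started_pids() {
    sed -n 's/^.* ossec-remoted: INFO: Started (pid: \([0-9][0-9]*\)).*$/\1/p' "$1"
}

# True only if the pid exists and is still named ossec-remoted
# (assumption: Linux /proc; a reused pid owned by another program is "dead").
is_remoted_alive() {
    [ "$(cat "/proc/$1/comm" 2>/dev/null)" = "ossec-remoted" ]
}

# Print pids that were logged as started but are not running as ossec-remoted.
dead_remoted_pids() {
    for pid in $(remoted_started_pids "$1"); do
        is_remoted_alive "$pid" || echo "$pid"
    done
}

# Count ERROR lines; grep -c exits non-zero on a count of 0, so mask that.
count_errors() {
    grep -c ' ERROR: ' "$1" || true
}

# Sample input: lines from this thread, unwrapped.
sample_log() {
    cat <<'EOF'
2010/05/17 23:25:19 ossec-remoted: INFO: Started (pid: 4051).
2010/05/17 23:27:26 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
2010/05/17 23:27:41 agent_control(1301): ERROR: Unable to connect to active response queue.
2010/05/17 23:29:15 ossec-remoted: INFO: Started (pid: 4074).
2010/05/17 23:30:58 ossec-remoted: INFO: Started (pid: 4081).
EOF
}

report() {
    dead=$(dead_remoted_pids "$1" | tr '\n' ' ')
    if [ -n "$dead" ]; then
        echo "ossec-remoted logged a start but is not running, pids: $dead"
        echo "next: run it in debug mode and review ossec.conf on the server"
    fi
    echo "ERROR lines in $1: $(count_errors "$1")"
}

# Run against a log file when one is given, e.g. /var/ossec/logs/ossec.log.
if [ $# -gt 0 ]; then
    report "$1"
fi
```

A daemon that logs "Started" three times and leaves no process, as in this thread, shows up as three dead pids, which points at a failure after the fork rather than a network or firewall problem.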