Re: [ossec-list] Agents can't communicate with server

Thu, 02 Dec 2010 19:00:50 -0800 

Has ossec on the server been restarted since adding the agents to it?

On Thu, Dec 2, 2010 at 20:38,  <[email protected]> wrote:
>> I was looking to see if anything was trying to connect to it.  You could
>> run on the server:
>>
>> tcpdump -ni eth0 port 1514
>>
>> To see if you see the other systems trying to talk to the server.
>
> Okay, well, eth0 doesn't exist, but eth2 does.  Nothing happened until I
> restarted the windows agent, then I got this:
>
> [r...@ackbar logs]# tcpdump -ni eth2 port 1514
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
> 20:33:55.826751 IP 10.21.4.112.53355 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> 20:34:01.861538 IP 10.21.4.112.53355 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> 20:34:05.870624 IP 10.21.4.112.53355 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> 20:34:10.880076 IP 10.21.4.112.53355 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> 20:34:16.885011 IP 10.21.4.112.53355 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> 20:34:23.905515 IP 10.21.4.112.53356 > 10.21.4.24.fujitsu-dtcns: UDP, length
> 73
> ^C
> 16 packets captured
> 24 packets received by filter
> 0 packets dropped by kernel
>
>
> The agent logs showed this after the restart:
>
> 2010/12/02 20:33:55 ossec-agent: Received exit signal.
> 2010/12/02 20:33:55 ossec-agent: Exiting...
> 2010/12/02 20:33:55 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/02 20:33:55 ossec-agent(1410): INFO: Reading authentication keys
> file.
> 2010/12/02 20:33:55 ossec-agent: INFO: No previous counter available for
> 'wombat.netwitness.local'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Assigning counter for agent
> wombat.netwitness.local: '0:0'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Assigning sender counter: 0:7247
> 2010/12/02 20:33:55 ossec-agent: INFO: Trying to connect to server
> (ackbar/10.21.4.24:1514).
> 2010/12/02 20:33:55 ossec-agent: Starting syscheckd thread.
> 2010/12/02 20:33:55 ossec-rootcheck: INFO: Started (pid: 1240).
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
> Manager\KnownDLLs'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/win.ini'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/system.ini'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\autoexec.bat'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\config.sys'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/CONFIG.NT'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/AUTOEXEC.NT'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/at.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/attrib.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/cacls.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/debug.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/drwatson.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/drwtsn32.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/edlin.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/eventcreate.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/eventtriggers.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/ftp.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/net.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/net1.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/netsh.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/rcp.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/reg.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/regedit.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/regedt32.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/regsvr32.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/rexec.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/rsh.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/runas.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/sc.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/subst.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/telnet.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/tftp.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/tlntsvr.exe'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory:
> 'C:\Windows/System32/drivers/etc'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Monitoring directory: 'C:\Documents
> and Settings/All Users/Start Menu/Programs/Startup'.
> 2010/12/02 20:33:55 ossec-agent: INFO: Started (pid: 1240).
> 2010/12/02 20:34:05 ossec-agent: WARN: Process locked. Waiting for
> permission...
>
>
>
> Once I killed tcpdump, this started happening:
>
> 2010/12/02 20:34:05 ossec-agent: WARN: Process locked. Waiting for
> permission...
> 2010/12/02 20:34:16 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: 'ackbar/10.21.4.24'.
> 2010/12/02 20:34:16 ossec-agent: INFO: Trying next server ip in the line:
> '10.21.4.24'.
> 2010/12/02 20:34:17 ossec-agent: INFO: Closing connection to server
> (10.21.4.24:1514).
> 2010/12/02 20:34:17 ossec-agent: INFO: Trying to connect to server
> (10.21.4.24:1514).
> 2010/12/02 20:34:44 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '10.21.4.24'.
> 2010/12/02 20:34:44 ossec-agent: INFO: Trying next server ip in the line:
> 'ackbar/10.21.4.24'.
> 2010/12/02 20:34:45 ossec-agent: INFO: Closing connection to server
> (ackbar/10.21.4.24:1514).
> 2010/12/02 20:34:45 ossec-agent: INFO: Trying to connect to server
> (ackbar/10.21.4.24:1514).
> 2010/12/02 20:35:17 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: 'ackbar/10.21.4.24'.
> 2010/12/02 20:35:17 ossec-agent: INFO: Trying next server ip in the line:
> '10.21.4.24'.
> 2010/12/02 20:35:18 ossec-agent: INFO: Closing connection to server
> (10.21.4.24:1514).
> 2010/12/02 20:35:18 ossec-agent: INFO: Trying to connect to server
> (10.21.4.24:1514).
> 2010/12/02 20:35:56 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '10.21.4.24'.
> 2010/12/02 20:35:56 ossec-agent: INFO: Trying next server ip in the line:
> 'ackbar/10.21.4.24'.
>



-- 
Registered Linux User # 379282

Reply via email to