On Fri, Dec 3, 2010 at 3:41 AM, Henry <[email protected]> wrote:
> I have been unable to configure agents to connect to server, the log
> for the agent is as follows:
>
> 2010/12/03 14:34:42 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:34:42 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:34:42 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:34:47 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:34:47 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:34:47 ossec-agentd: INFO: Assigning sender counter: 0:2
> 2010/12/03 14:34:47 ossec-agentd: INFO: Started (pid: 28959).
> 2010/12/03 14:34:47 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:34:47 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Started (pid: 28967).
> 2010/12/03 14:34:51 ossec-rootcheck: INFO: Started (pid: 28967).
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:34:51 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:34:53 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:34:53 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:34:53 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:34:53 ossec-logcollector: INFO: Started (pid: 28963).
> 2010/12/03 14:35:08 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:35:53 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:35:53 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/03 14:36:29 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
> 2010/12/03 14:43:38 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:43:38 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:43:38 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:43:45 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:43:45 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:43:45 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:43:45 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:43:45 ossec-agentd: INFO: Assigning sender counter: 0:3
> 2010/12/03 14:43:45 ossec-agentd: INFO: Started (pid: 29856).
> 2010/12/03 14:43:45 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:43:45 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Started (pid: 29864).
> 2010/12/03 14:43:49 ossec-rootcheck: INFO: Started (pid: 29864).
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:43:49 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:43:51 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:43:51 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:43:51 ossec-logcollector: INFO: Started (pid: 29860).
> 2010/12/03 14:43:51 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:44:06 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:44:51 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:44:51 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/03 14:46:02 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
> 2010/12/03 14:49:02 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:49:02 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:49:02 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:49:07 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:49:07 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:49:07 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:49:07 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:49:07 ossec-agentd: INFO: Assigning sender counter: 0:4
> 2010/12/03 14:49:07 ossec-agentd: INFO: Started (pid: 451).
> 2010/12/03 14:49:07 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:49:07 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Started (pid: 459).
> 2010/12/03 14:49:11 ossec-rootcheck: INFO: Started (pid: 459).
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:49:11 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:49:13 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:49:13 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:49:13 ossec-logcollector: INFO: Started (pid: 455).
> 2010/12/03 14:49:13 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:49:28 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:49:29 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:49:29 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:49:29 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:49:36 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:49:36 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:49:36 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:49:36 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:49:36 ossec-agentd: INFO: Assigning sender counter: 0:5
> 2010/12/03 14:49:36 ossec-agentd: INFO: Started (pid: 516).
> 2010/12/03 14:49:36 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:49:36 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Started (pid: 524).
> 2010/12/03 14:49:40 ossec-rootcheck: INFO: Started (pid: 524).
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:49:40 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:49:42 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:49:42 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:49:42 ossec-logcollector: INFO: Started (pid: 520).
> 2010/12/03 14:49:42 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:49:54 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
> 2010/12/03 14:49:57 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:50:42 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:50:42 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/03 14:52:29 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:52:29 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:52:29 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:52:34 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:52:34 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:52:34 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:52:34 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:52:34 ossec-agentd: INFO: Assigning sender counter: 0:6
> 2010/12/03 14:52:34 ossec-agentd: INFO: Started (pid: 977).
> 2010/12/03 14:52:34 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:52:34 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Started (pid: 985).
> 2010/12/03 14:52:38 ossec-rootcheck: INFO: Started (pid: 985).
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:52:38 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:52:40 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:52:40 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:52:40 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:52:40 ossec-logcollector: INFO: Started (pid: 981).
> 2010/12/03 14:52:54 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
> 2010/12/03 14:52:55 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:53:35 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:53:35 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:35 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:41 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:53:41 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:53:41 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:53:41 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:53:41 ossec-agentd: INFO: Assigning sender counter: 0:7
> 2010/12/03 14:53:41 ossec-agentd: INFO: Started (pid: 1067).
> 2010/12/03 14:53:41 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 14:53:41 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Started (pid: 1075).
> 2010/12/03 14:53:45 ossec-rootcheck: INFO: Started (pid: 1075).
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:53:45 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:53:47 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 14:53:47 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 14:53:47 ossec-logcollector: INFO: Started (pid: 1071).
> 2010/12/03 14:53:47 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 14:54:02 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 14:54:47 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:54:47 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/03 14:55:53 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
> 2010/12/03 16:09:06 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 16:09:06 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 16:09:06 ossec-agentd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 16:09:11 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 16:09:11 ossec-agentd(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 16:09:11 ossec-agentd: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 16:09:11 ossec-agentd: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 16:09:11 ossec-agentd: INFO: Assigning sender counter: 0:8
> 2010/12/03 16:09:11 ossec-agentd: INFO: Started (pid: 7627).
> 2010/12/03 16:09:11 ossec-agentd: INFO: Server IP Address:
> 172.19.1.151
> 2010/12/03 16:09:11 ossec-agentd: INFO: Trying to connect to server
> (172.19.1.151:1514).
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Started (pid: 7635).
> 2010/12/03 16:09:15 ossec-rootcheck: INFO: Started (pid: 7635).
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 16:09:15 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 16:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog'.
> 2010/12/03 16:09:17 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/adm/syslog/syslog.log'.
> 2010/12/03 16:09:17 ossec-logcollector: INFO: Started (pid: 7631).
> 2010/12/03 16:09:17 ossec-agentd(1210): ERROR: Queue '/queue/alerts/
> execq' not accessible: 'Queue not found'.
> 2010/12/03 16:09:32 ossec-agentd: INFO: Unable to connect to the
> active response queue (disabled).
> 2010/12/03 16:10:17 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 16:10:17 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/03 16:11:28 ossec-logcollector: WARN: Process locked. Waiting
> for permission...
>
>
> And the log for the server is
>
> 2010/12/03 14:42:09 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/03 14:42:09 ossec-maild: INFO: Started (pid: 25090).
> 2010/12/03 14:42:09 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading local decoder file.
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'rules_config.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'pam_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'telnetd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'syslog_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'arpwatch_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'symantec-av_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'symantec-ws_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'pix_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'named_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'smbd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'vsftpd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file: 'pure-
> ftpd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'proftpd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'ms_ftpd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'ftpd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'hordeimp_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'roundcube_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'wordpress_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'cimserver_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'vpopmail_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'vmpop3d_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'courier_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'web_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'apache_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'nginx_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'php_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'mysql_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'postgresql_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'ids_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'squid_rules.xml'
> 2010/12/03 14:42:09 ossec-remoted: INFO: Started (pid: 25106).
> 2010/12/03 14:42:09 ossec-remoted(1501): ERROR: No IP or network
> allowed in the access list for syslog. No reason for running it.
> Exiting.
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'firewall_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file: 'cisco-
> ios_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'netscreenfw_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'sonicwall_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'postfix_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'sendmail_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'imapd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'mailscanner_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'dovecot_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file: 'ms-
> exchange_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'racoon_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'vpn_concentrator_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'spamd_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'msauth_rules.xml'
> 2010/12/03 14:42:09 ossec-remoted: INFO: Started (pid: 25108).
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'mcafee_av_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file: 'trend-
> osce_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file: 'ms-
> se_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'zeus_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'solaris_bsm_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'vmware_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'ms_dhcp_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'asterisk_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'ossec_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'attack_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Reading rules file:
> 'local_rules.xml'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Total rules enabled: '1115'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/
> mnttab'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/
> hosts.deny'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/mail/
> statistics'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/random-
> seed'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/
> adjtime'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/
> logs'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/cups/
> certs'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/
> dumpdates'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: '/etc/svc/
> volatile'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> System32/LogFiles'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Debug'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> WindowsUpdate.log'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> iis6.log'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/wbem/Logs'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/wbem/Repository'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Prefetch'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> PCHEALTH/HELPCTR/DataColl'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> SoftwareDistribution'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Temp'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/config'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/spool'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/CatRoot'
> 2010/12/03 14:42:09 ossec-analysisd: INFO: Started (pid: 25098).
> 2010/12/03 14:42:10 ossec-remoted(4111): INFO: Maximum number of
> agents allowed: '256'.
> 2010/12/03 14:42:10 ossec-remoted(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:42:10 ossec-monitord: INFO: Started (pid: 25119).
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Started (pid: 25114).
> 2010/12/03 14:42:14 ossec-rootcheck: INFO: Started (pid: 25114).
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:42:14 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:42:15 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/messages'.
> 2010/12/03 14:42:15 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/secure'.
> 2010/12/03 14:42:15 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/maillog'.
> 2010/12/03 14:42:15 ossec-logcollector: INFO: Started (pid: 25102).
> 2010/12/03 14:42:34 ossec-maild(1223): ERROR: Error Sending email to
> 172.16.128.143 (smtp server)
> 2010/12/03 14:43:16 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:43:16 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2010/12/03 14:50:54 ossec-maild(1223): ERROR: Error Sending email to
> 172.16.128.143 (smtp server)
> 2010/12/03 14:53:54 ossec-monitord(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:54 ossec-logcollector(1225): INFO: SIGNAL Received.
> Exit Cleaning...
> 2010/12/03 14:53:54 ossec-remoted(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:54 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:55 ossec-analysisd(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:53:55 ossec-maild(1225): INFO: SIGNAL Received. Exit
> Cleaning...
> 2010/12/03 14:54:00 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/03 14:54:01 ossec-maild: INFO: Started (pid: 27800).
> 2010/12/03 14:54:01 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading local decoder file.
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'rules_config.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'pam_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'telnetd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'syslog_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'arpwatch_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'symantec-av_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'symantec-ws_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'pix_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'named_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'smbd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'vsftpd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file: 'pure-
> ftpd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'proftpd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'ms_ftpd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'ftpd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'hordeimp_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'roundcube_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'wordpress_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'cimserver_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'vpopmail_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'vmpop3d_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'courier_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'web_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'apache_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'nginx_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'php_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'mysql_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'postgresql_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'ids_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'squid_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'firewall_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file: 'cisco-
> ios_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'netscreenfw_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'sonicwall_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'postfix_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'sendmail_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'imapd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'mailscanner_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'dovecot_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file: 'ms-
> exchange_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'racoon_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'vpn_concentrator_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'spamd_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'msauth_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'mcafee_av_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file: 'trend-
> osce_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file: 'ms-
> se_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'zeus_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'solaris_bsm_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'vmware_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'ms_dhcp_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'asterisk_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'ossec_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'attack_rules.xml'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Reading rules file:
> 'local_rules.xml'
> 2010/12/03 14:54:01 ossec-remoted: INFO: Started (pid: 27816).
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Total rules enabled: '1115'
> 2010/12/03 14:54:01 ossec-remoted(1501): ERROR: No IP or network
> allowed in the access list for syslog. No reason for running it.
> Exiting.
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/
> mnttab'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/
> hosts.deny'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/mail/
> statistics'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/random-
> seed'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/
> adjtime'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/
> logs'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/cups/
> certs'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/
> dumpdates'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: '/etc/svc/
> volatile'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> System32/LogFiles'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Debug'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> WindowsUpdate.log'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> iis6.log'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/wbem/Logs'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/wbem/Repository'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Prefetch'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> PCHEALTH/HELPCTR/DataColl'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> SoftwareDistribution'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> Temp'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/config'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/spool'
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/
> system32/CatRoot'
> 2010/12/03 14:54:01 ossec-remoted: INFO: Started (pid: 27818).
> 2010/12/03 14:54:01 ossec-analysisd: INFO: Started (pid: 27808).
> 2010/12/03 14:54:01 ossec-remoted(4111): INFO: Maximum number of
> agents allowed: '256'.
> 2010/12/03 14:54:01 ossec-remoted(1410): INFO: Reading authentication
> keys file.
> 2010/12/03 14:54:01 ossec-remoted: INFO: No previous counter available
> for 'tumainb'.
> 2010/12/03 14:54:01 ossec-remoted: INFO: Assigning counter for agent
> tumainb: '0:0'.
> 2010/12/03 14:54:01 ossec-remoted: INFO: No previous sender counter.
> 2010/12/03 14:54:01 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2010/12/03 14:54:01 ossec-monitord: INFO: Started (pid: 27828).
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Started (pid: 27824).
> 2010/12/03 14:54:05 ossec-rootcheck: INFO: Started (pid: 27824).
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Monitoring directory: '/
> etc'.
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> bin'.
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/
> sbin'.
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Monitoring directory: '/
> bin'.
> 2010/12/03 14:54:05 ossec-syscheckd: INFO: Monitoring directory: '/
> sbin'.
> 2010/12/03 14:54:07 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/messages'.
> 2010/12/03 14:54:07 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/secure'.
> 2010/12/03 14:54:07 ossec-logcollector(1950): INFO: Analyzing file: '/
> var/log/maillog'.
> 2010/12/03 14:54:07 ossec-logcollector: INFO: Started (pid: 27812).
> 2010/12/03 14:54:26 ossec-maild(1223): ERROR: Error Sending email to
> 172.16.128.143 (smtp server)
> 2010/12/03 14:55:07 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/03 14:55:07 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2010/12/03 15:08:27 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2010/12/03 15:08:39 ossec-syscheckd: INFO: Ending syscheck scan
> (forwarding database).
> 2010/12/03 15:08:59 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/12/03 15:10:21 ossec-maild(1223): ERROR: Error Sending email to
> 172.16.128.143 (smtp server)
> 2010/12/03 15:49:13 ossec-rootcheck: INFO: Ending rootcheck scan.

Is there a firewall between the agents and manager? Does the manager
run iptables or some other host firewall?
If you run tcpdump on the manager, do the packets from an agent make
it to the server?
Are the agents given unique IPs, or a CIDR range on the manager?
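As an added example (not part of this thread), a small Python triage of an agent's ossec.log in the format quoted above: it counts agentd restarts and connect attempts, checks whether a "Connected to the server" line ever follows a "Trying to connect" line, and separates the execq ERROR (a side effect of active response being disabled, since ossec-execd exits first) from errors that actually need attention. The sample lines are taken from Henry's agent log, re-joined onto single lines; the success-message prefix is the standard ossec-agentd message and is assumed here, not quoted from the thread.

```python
"""Triage an OSSEC agent's ossec.log for a manager connection that never completes."""
import re
from collections import Counter
from datetime import datetime

# OSSEC log line: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message".
# The "(code)" part is optional, as the quoted log shows.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>INFO|WARN|ERROR|DEBUG): (?P<msg>.*)$"
)

# Message prefixes that matter for the agent <-> manager question.
TRYING = "Trying to connect to server"
CONNECTED = "Connected to the server"   # assumed success message of ossec-agentd
STARTED = "Started (pid:"
EXECQ_ERR = "Queue '/queue/alerts/execq' not accessible"

# What to check next for each verdict, following the reply's diagnostic questions.
NEXT_STEPS = {
    "never_connected": "Agent never completed the UDP/1514 handshake: check host/network "
                       "firewalls between agent and manager, tcpdump for the agent's "
                       "packets on the manager, and that the agent's IP matches its "
                       "client.keys entry (unique IP vs CIDR) on the manager.",
    "connected": "Agent reached the manager; connectivity is not the problem.",
    "no_connect_attempts": "No connect attempts logged: is ossec-agentd running at all?",
}

# Constructed sample: lines from the quoted agent log, re-joined onto single lines,
# plus one junk line to show that malformed input is skipped rather than crashing.
SAMPLE_AGENT_LOG = """\
2010/12/03 14:34:47 ossec-execd(1350): INFO: Active response disabled. Exiting.
2010/12/03 14:34:47 ossec-agentd(1410): INFO: Reading authentication keys file.
2010/12/03 14:34:47 ossec-agentd: INFO: Started (pid: 28959).
2010/12/03 14:34:47 ossec-agentd: INFO: Server IP Address: 172.19.1.151
2010/12/03 14:34:47 ossec-agentd: INFO: Trying to connect to server (172.19.1.151:1514).
2010/12/03 14:34:53 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2010/12/03 14:35:08 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2010/12/03 14:43:38 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/12/03 14:43:45 ossec-agentd: INFO: Started (pid: 29856).
2010/12/03 14:43:45 ossec-agentd: INFO: Trying to connect to server (172.19.1.151:1514).
this line is not an OSSEC log line and must be skipped
"""


def parse_log(text):
    """Parse well-formed OSSEC log lines into dicts; silently skip anything else."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
        events.append(e)
    return events


def triage(text):
    """Summarise the ossec-agentd connection state from an agent's ossec.log text."""
    agentd = [e for e in parse_log(text) if e["daemon"] == "ossec-agentd"]
    attempts = [e for e in agentd if e["msg"].startswith(TRYING)]
    connected = [e for e in agentd if e["msg"].startswith(CONNECTED)]
    restarts = [e for e in agentd if e["msg"].startswith(STARTED)]

    # Which manager address:port the agent is aiming at, taken from the "Trying" lines.
    targets = Counter()
    for e in attempts:
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+:\d+)\)", e["msg"])
        if m:
            targets[m.group(1)] += 1

    # The execq ERROR follows "Active response disabled" and is not a connectivity fault.
    errors = [e for e in agentd if e["level"] == "ERROR"]
    benign = sum(1 for e in errors if e["msg"].startswith(EXECQ_ERR))
    other_errors = [e["msg"] for e in errors if not e["msg"].startswith(EXECQ_ERR)]

    if connected:
        verdict = "connected"
    elif attempts:
        verdict = "never_connected"
    else:
        verdict = "no_connect_attempts"

    return {
        "restarts": len(restarts),
        "connect_attempts": len(attempts),
        "connected": len(connected),
        "targets": dict(targets),
        "benign_execq_errors": benign,
        "other_errors": other_errors,
        "verdict": verdict,
        "next_steps": NEXT_STEPS[verdict],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AGENT_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real ossec.log with `triage(open("/var/ossec/logs/ossec.log").read())`; the same pattern extends to the manager side by filtering on `ossec-remoted` instead of `ossec-agentd`.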
