On Wed, Dec 15, 2010 at 2:14 PM, carlopmart <[email protected]> wrote:
> On 12/15/2010 07:38 PM, carlopmart wrote:
>
>>
>> Thanks Dan.
>>
>> I have installed ossec as a server disabling rootcheck, syscheck and active
>> response.
>> But when I launch ossec init script syscheckd is started. How can I
>> prevent to start
>> syscheckd??
>>
>> Thanks.
>
> Ok, It appears that the agent and the server installed on the same machine
> does not work.
>
> For example,
>
> [r...@lorien alerts]# /data/services/siem/ossec/bin/agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: lorien.hpulabs.org (server), IP: 127.0.0.1, Active/Local
> ID: 001, Name: lorien, IP: 172.25.70.19, Never connected
>
> Maybe presents a problem 000 ID agent connected to localhost??.
>
> Agent doesn't connect.
>
> On the client side:
>
> 2010/12/15 19:55:15 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Started (pid: 9241).
> 2010/12/15 19:55:19 ossec-rootcheck: INFO: Started (pid: 9241).
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory:
> '/usr/sbin'.
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/messages'.
> 2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/secure'.
> 2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/maillog'.
> 2010/12/15 19:55:21 ossec-logcollector: INFO: Started (pid: 9237).
> 2010/12/15 19:56:21 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/12/15 19:56:21 ossec-syscheckd: WARN: Process locked. Waiting for
> permission...
> 2010/12/15 19:56:38 ossec-logcollector: WARN: Process locked. Waiting for
> permission...
>
> At this point I have two questions:
>
> a) Is it possible to assign hostname parameter to ALL server process??
> b) Is it possible to bind ALL server process to a specific IP? I know
> local_ip param to use under ossec.conf, but it is only for listen, not to
> bind.
>
> Thanks.
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>

Try using 'any' instead of a specific IP address for the agent installation. Since the source and destination are on the same system, it might be trying to use loopback for the communications.
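
An added illustration of the suggestion above, not part of the original thread and not OSSEC's own code: it parses the `agent_control -l` listing quoted in this message and flags never-connected agents whose registered address would not match a loopback source. The `source_allowed` check is a simplified model (an assumption) of how the server compares an agent's source address with its registered address, and the function names are hypothetical.

```python
import ipaddress
import re

# Listing copied from the agent_control -l output quoted in this thread.
LISTING = """\
ID: 000, Name: lorien.hpulabs.org (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: lorien, IP: 172.25.70.19, Never connected
"""

# One agent per line: ID, name, registered IP, connection status.
LINE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(.+)$")


def parse_agents(text):
    """Return one dict per agent line found in agent_control -l output."""
    agents = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            agent_id, name, ip, status = (g.strip() for g in m.groups())
            agents.append({"id": agent_id, "name": name, "ip": ip, "status": status})
    return agents


def source_allowed(registered, source):
    """Assumed model: 'any' accepts every source address; otherwise the
    source must fall inside the registered address or CIDR range."""
    if registered.lower() == "any":
        return True
    network = ipaddress.ip_network(registered, strict=False)
    return ipaddress.ip_address(source) in network


def triage(text, observed_source):
    """List never-connected agents whose registration rejects observed_source."""
    return [
        (a["id"], a["name"], a["ip"])
        for a in parse_agents(text)
        if a["status"] == "Never connected"
        and not source_allowed(a["ip"], observed_source)
    ]


if __name__ == "__main__":
    # Agent and server share a host, so traffic may arrive from loopback.
    for agent_id, name, ip in triage(LISTING, "127.0.0.1"):
        print(f"agent {agent_id} ({name}): registered as {ip}, "
              "does not match source 127.0.0.1; consider 'any'")
```
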
