Hello,

I believe I'm having an issue with ossec-remoted binding to port 1514/udp.


** Basic Configuration/OS Information **

OS: Linux <server_name> 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2
02:05:21 UTC 2010 x86_64 GNU/Linux
ossec: 2.5.1

make setmaxagents
Specify maximum number of agents: 4096
./install.sh

/etc/security/limits.conf has the following entries (and server was
restarted afterwards):
*       soft    nofile  4096
*       hard    nofile  4096


** Issue Description **

As stated, it appears that while ossec-remoted is running, it is not
binding to 1514/udp.  I've been troubleshooting this and have not been
able to get any helpful information out of the logs, debug mode, or
stracing the process.


When I run a tcpdump, I see the agents trying to connect to the server
on 1514/udp, but the server responds back with the following:

ICMP <server_ip> udp port 1514 unreachable, length 109

Which indicates there's no process listening on the port. netstat does
not show 1514 in use.


I verified 1514/udp connectivity by utilizing netcat (nc) and
successfully connected to the server on 1514/udp.


strace shows the following for ossec-remoted:
recvfrom(4,


I have the following in ossec.conf with relation to remoted:
  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <port>1514</port>
    <local_ip>(server_ip_address)</local_ip>
  </remote>


If there's any additional information that might be helpful, please let me know.

I've been researching using Google but have found no resolutions to
this specific problem.  Any ideas?

Thanks in advance,
Patrick
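
Added example, not part of the original post: a way to cross-check the netstat result by reading /proc/net/udp directly and listing which local addresses have a UDP socket bound to 1514, since a socket bound to one specific address does not answer datagrams sent to another. The sample table and the address 192.168.1.10 are constructed, and the decoding assumes a little-endian host such as x86_64.

```python
import socket
import struct

# Constructed sample of /proc/net/udp on a little-endian (x86_64) host:
# a wildcard listener on 0.0.0.0:514 and a listener on 192.168.1.10:1514.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
  11: 0A01A8C0:05EA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22222 2 0000000000000000 0
"""


def udp_listeners(proc_text, port):
    """Return the local IPv4 addresses that have a UDP socket bound to `port`."""
    bound = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        # The kernel prints the address as a native-endian 32-bit word;
        # "<I" is the little-endian assumption stated above.
        bound.append(socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16))))
    return bound


def reachable_on(proc_text, port, dest_ip):
    """True if a datagram sent to dest_ip:port would match a bound socket
    (either an exact address bind or a 0.0.0.0 wildcard bind)."""
    return any(ip in (dest_ip, "0.0.0.0")
               for ip in udp_listeners(proc_text, port))


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_UDP  # fall back to the constructed sample
    print("UDP 1514 bound on:", udp_listeners(text, 1514) or "nothing")
```

An empty result for 1514 agrees with the ICMP port unreachable replies; a result that lists an address other than the one the agents target points at the bind address rather than at the daemon not running.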
