Hi S,

I'm sorry I let these messages through. You seem a bit confused. If you have a question about OSSEC, but not this thread, please start a new thread.

dan

On Tue, Jan 04, 2011 at 05:08:29PM -0500, S.SEWAK wrote:
> Hi Patrick,
>
> Thank you for your fast response. I am not sure how to read the following
> message. Can you please explain what the messages below meant? Also can you
> tell me what IP address ( 198.168.0.0./16 ) is? How do I know the IP
> address my computer is using?
>
> thanks
> S Ling.
>
> On Tue, Jan 4, 2011 at 4:01 PM, Patrick Melvin
> <[email protected]> wrote:
>
> > Hello,
> >
> > I believe I'm having an issue with ossec-remoted binding to port 1514/udp.
> >
> >
> > ** Basic Configuration/OS Information **
> >
> > OS: Linux <server_name> 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2
> > 02:05:21 UTC 2010 x86_64 GNU/Linux
> > ossec: 2.5.1
> >
> > make setmaxagents
> > Specify maximum number of agents: 4096
> > ./install.sh
> >
> > /etc/security/limits.conf have the following entries (and server was
> > restarted afterwards):
> > * soft nofile 4096
> > * hard nofile 4096
> >
> >
> > ** Issue Description **
> >
> > As stated, it appears that while ossec-remoted is running, it is not
> > binding to 1514/udp. I've been troubleshooting this and have not been
> > able to get any helpful information out of the logs, debug mode, or
> > stracing the process.
> >
> >
> > When I run a tcpdump, I see the agents trying to connect to the server
> > on 1514/udp, but the server responds back with the following:
> >
> > ICMP <server_ip> udp port 1514 unreachable, length 109
> >
> > Which indicates there's no process listening on the port. netstat does
> > not show 1514 in use.
> >
> >
> > I verified 1514/udp connectivity by utilizing netcat (nc) and
> > successfully connected to the server on 1514/udp.
> >
> >
> > strace shows the following for ossec-remoted:
> > recvfrom(4,
> >
> >
> > I have the following in ossec.conf with relation to remoted:
> > <remote>
> >   <connection>syslog</connection>
> > </remote>
> >
> > <remote>
> >   <connection>secure</connection>
> >   <allowed-ips>192.168.0.0/16</allowed-ips>
> >   <port>1514</port>
> >   <local_ip>(server_ip_address)</local_ip>
> > </remote>
> >
> >
> > If there's any additional information that might be helpful, please let me
> > know.
> >
> > I've been researching using google but have found no resolutions to
> > this specific problem. Any ideas?
> >
> > Thanks in advance,
> > Patrick
