Hi Patrick,

On Tue, Jan 04, 2011 at 03:01:30PM -0600, Patrick Melvin wrote:
> Hello,
>
> I believe I'm having an issue with ossec-remoted binding to port 1514/udp.
>
>
> ** Basic Configuration/OS Information **
>
> OS: Linux <server_name> 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2
> 02:05:21 UTC 2010 x86_64 GNU/Linux
> ossec: 2.5.1
>
> make setmaxagents
> Specify maximum number of agents: 4096
> ./install.sh
>
> /etc/security/limits.conf has the following entries (and server was
> restarted afterwards):
> * soft nofile 4096
> * hard nofile 4096
>
>
> ** Issue Description **
>
> As stated, it appears that while ossec-remoted is running, it is not
> binding to 1514/udp. I've been troubleshooting this and have not been
> able to get any helpful information out of the logs, debug mode, or
> stracing the process.
>
>
> When I run a tcpdump, I see the agents trying to connect to the server
> on 1514/udp, but the server responds back with the following:
>
> ICMP <server_ip> udp port 1514 unreachable, length 109
>
> Which indicates there's no process listening on the port. netstat does
> not show 1514 in use.
>
>
> I verified 1514/udp connectivity by utilizing netcat (nc) and
> successfully connected to the server on 1514/udp.
>
>
> strace shows the following for ossec-remoted:
> recvfrom(4,
>
>
> I have the following in ossec.conf with relation to remoted:
> <remote>
> <connection>syslog</connection>
> </remote>
>
Are you using OSSEC to collect syslog messages? If not, you don't need
this. If you are using it, put it after the secure connection type, and
add allowed-ips.

> <remote>
> <connection>secure</connection>
> <allowed-ips>192.168.0.0/16</allowed-ips>
> <port>1514</port>
> <local_ip>(server_ip_address)</local_ip>
> </remote>
>

You shouldn't need the allowed-ips in the secure section, I think it's
only for syslog. You also don't need to put the port in there if you're
using the default.

> If there's any additional information that might be helpful, please let me
> know.
>
> I've been researching using google but have found no resolutions to
> this specific problem. Any ideas?
>
> Thanks in advance,
> Patrick

Look for entries for ossec-remoted in /var/ossec/logs/ossec.log. You may
need to enable debugging for that daemon (run it with the -d flag) to
get something more useful.

I'm currently using both syslog and secure on one of my servers, so it
is possible. I haven't tried it with so many clients though.

dan
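The two checks dan's reply suggests (order of the `<remote>` blocks and the presence of `<allowed-ips>` on the syslog one), plus the "is anything actually bound to 1514/udp" question from the original report, are easy to script. The following is an added example, not code from this thread or from the OSSEC project: it parses a constructed `ossec.conf` fragment laid out the way Patrick posted it, reports the configuration problems the reply points at, and reads constructed `ss -lun` output to see which UDP ports have a listener. The function names, the sample config and the sample `ss` output are all assumptions made for the example.

```python
"""Sanity-check the <remote> blocks of an OSSEC ossec.conf and the UDP listeners.

Added example (not from the mailing-list thread or the OSSEC project).
The ossec.conf fragment and the `ss -lun` output below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment in the shape Patrick posted: the syslog
# block comes first and carries no <allowed-ips>; the secure block has one.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <port>1514</port>
    <local_ip>192.0.2.10</local_ip>
  </remote>
</ossec_config>
"""

# Constructed `ss -lun` output: only the system syslog port 514/udp is bound,
# nothing listens on 1514/udp (the symptom tcpdump showed as ICMP unreachable).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0          0.0.0.0:514        0.0.0.0:*
UNCONN 0      0             [::]:514           [::]:*
"""


def parse_remote_blocks(conf_text):
    """Return one dict per <remote> block, in file order.

    ossec.conf may contain several top-level <ossec_config> elements, which
    is not well-formed XML on its own, so wrap the text in a dummy root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = []
    for remote in root.iter("remote"):
        block = {"connection": None, "allowed-ips": [], "port": "1514"}
        for child in remote:
            text = (child.text or "").strip()
            if child.tag == "allowed-ips":
                block["allowed-ips"].append(text)
            elif child.tag in ("connection", "port", "local_ip", "protocol"):
                block[child.tag] = text
        blocks.append(block)
    return blocks


def check_remote_blocks(blocks):
    """Apply the advice from the reply; return a list of findings (empty = fine)."""
    findings = []
    seen_secure = False
    for i, b in enumerate(blocks, 1):
        kind = b["connection"]
        if kind not in ("secure", "syslog"):
            findings.append(f"block {i}: unknown connection type {kind!r}")
            continue
        if kind == "syslog":
            if not b["allowed-ips"]:
                findings.append(f"block {i}: syslog block has no <allowed-ips>; add one")
            if not seen_secure:
                findings.append(f"block {i}: syslog block comes before the secure block; "
                                "move it after the secure connection")
        else:
            seen_secure = True
            if b["allowed-ips"]:
                findings.append(f"block {i}: <allowed-ips> is not needed for the "
                                "secure connection type")
    return findings


def udp_listen_ports(ss_output):
    """Extract local UDP ports from `ss -lun` output (header line skipped)."""
    ports = set()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = re.search(r":(\d+)$", fields[3])   # "0.0.0.0:514" -> 514
        if m:
            ports.add(int(m.group(1)))
    return ports


if __name__ == "__main__":
    for f in check_remote_blocks(parse_remote_blocks(SAMPLE_CONF)):
        print("config:", f)
    if 1514 not in udp_listen_ports(SAMPLE_SS_OUTPUT):
        print("listener: nothing bound to 1514/udp; check /var/ossec/logs/ossec.log")
```

On a real server, replace the two constructed samples with `open("/var/ossec/etc/ossec.conf").read()` and `subprocess.check_output(["ss", "-lun"], text=True)`; the parsing is unchanged. The XML wrapper trick fails if the file carries an `<?xml ...?>` declaration, so strip that line first if present.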
