First, I'd like to say that I've been doing a lot of Googling around and
tried a lot of things to no avail.

Error:

2011/03/18 09:46:34 ossec-logcollector: INFO: Started (pid: 5415).
2011/03/18 09:46:38 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:44 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2011/03/18 09:46:50 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.103'.

uname -a
Linux s4u 2.6.37-ARCH #1 SMP PREEMPT Fri Feb 18 16:58:42 UTC 2011 i686 AMD Sempron(tm) Processor 3100+ AuthenticAMD GNU/Linux

My flavor I'm running on both is Arch Linux.

I've uninstalled iptables on both the server and agent (wanted to see if
this was causing any issues).  I've also edited /etc/hosts.deny to comment
out the ALL: ALL line, and add the ALL: ALL line to hosts.allow.  I've done
this for both agent and server, as well as opened up UDP port 1514 on my
router/firewall to point to the server.

Here's my <remote> section in ossec.conf for the server:

  <remote>
    <connection>secure</connection>
<!--    <port>1514</port>
    <allowed-ips>19.168.1.101</allowed-ips>
    <local_ip>192.168.1.103</local_ip> -->
  </remote>

(I've also tried it with the lines not commented out and it still doesn't
make a difference.)

ossec-init.conf (server):
DIRECTORY="/var/ossec"
VERSION="v2.5.1"
DATE="Thu Mar 10 12:36:34 EST 2011"
TYPE="server"

-- The agent one specifies "agent" for type. --

In internal_options.conf, all the daemons have level 2 debugging and I set
up ossec-control bash script to run each daemon with the -d flag for
debugging.

When running cat /var/ossec/logs/ossec.log | grep remoted here's what I get:

2011/03/18 09:27:25 ossec-remoted: DEBUG: Starting ...
2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22933).
2011/03/18 09:27:25 ossec-remoted: DEBUG: Forking remoted: '0'.
2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22934).
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: DEBUG: Running manager_init
2011/03/18 09:27:26 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2011/03/18 09:27:26 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2011/03/18 09:27:26 ossec-remoted(1410): INFO: Reading authentication keys file.
2011/03/18 09:27:26 ossec-remoted: DEBUG: OS_StartCounter.
2011/03/18 09:27:26 ossec-remoted: OS_StartCounter: keysize: 1

Here's the output for netstat:

netstat -np
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.103:80        69.14.233.178:61774     FIN_WAIT2   -
tcp        0      0 192.168.1.103:80        69.14.233.178:61769     FIN_WAIT2   -
tcp        0      0 192.168.1.103:8018      69.14.233.178:42808     ESTABLISHED 22630/sshd: love [p
udp        0      0 192.168.1.103:2011      194.97.114.3:2010       ESTABLISHED 1005/ts3server_linu
udp        0      0 192.168.1.103:38894     194.97.114.3:2010       ESTABLISHED 1005/ts3server_linu
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node  PID/Program name     Path
unix  7      [ ]         DGRAM                    3851    921/syslog-ng        /dev/log
unix  6      [ ]         DGRAM                    2231128 16682/ossec-analysi  /queue/ossec/queue
unix  2      [ ]         DGRAM                    2107    416/udevd            @/org/kernel/udev/udevd
unix  3      [ ]         DGRAM                    2231117 16677/ossec-execd    /var/ossec/queue/alerts/execq
unix  2      [ ]         DGRAM                    2375980 22635/su
unix  2      [ ]         DGRAM                    2375966 22634/sudo
unix  3      [ ]         STREAM     CONNECTED     2375942 22630/sshd: love [p
unix  3      [ ]         STREAM     CONNECTED     2375941 22632/0
unix  2      [ ]         DGRAM                    2231155 16700/ossec-monitor
unix  2      [ ]         DGRAM                    2231154 16682/ossec-analysi
unix  2      [ ]         DGRAM                    2231153 16682/ossec-analysi
unix  2      [ ]         DGRAM                    2231152 16686/ossec-logcoll
unix  2      [ ]         DGRAM                    2231151 16696/ossec-syschec
unix  2      [ ]         DGRAM                    2231150 16682/ossec-analysi
unix  2      [ ]         DGRAM                    2231149 16682/ossec-analysi
unix  2      [ ]         DGRAM                    2231129 16696/ossec-syschec
unix  2      [ ]         DGRAM                    2231124 16696/ossec-syschec
unix  2      [ ]         DGRAM                    31439   22660/nagios
unix  2      [ ]         DGRAM                    4579    1379/nmbd
unix  2      [ ]         DGRAM                    4499    1371/smbd
unix  2      [ ]         DGRAM                    4033    991/crond
unix  3      [ ]         DGRAM                    2120    416/udevd
unix  3      [ ]         DGRAM                    2119    416/udevd

When running ps, I get this:

ps aux | grep ossec
ossecm   22916  0.0  0.0   2056   440 ?        S    09:27   0:00 /var/ossec/bin/ossec-maild -d
root     22920  0.0  0.0   1844   424 ?        S    09:27   0:00 /var/ossec/bin/ossec-execd -d
ossec    22924  0.1  0.2   2820  1524 ?        S    09:27   0:01 /var/ossec/bin/ossec-analysisd -d
root     22928  0.0  0.0   1920   432 ?        S    09:27   0:00 /var/ossec/bin/ossec-logcollector -d
root     22939  1.1  0.1   2404  1216 ?        S    09:27   0:12 /var/ossec/bin/ossec-syscheckd -d
ossec    22943  0.0  0.0   2048   456 ?        S    09:27   0:00 /var/ossec/bin/ossec-monitord -d
root     23800  0.0  0.1   3972   824 pts/0    S+   09:44   0:00 grep ossec

What I don't get is that when I run /var/ossec/bin/ossec-control status, I get
this (service is a wrapper for init.d scripts in my bashrc):

# service ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 22934 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

I've put up the logs on my server so it'll be easier to see:
http://yli.no-ip.info/server.log & http://yli.no-ip.info/agent.log
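An added Python triage helper (my own code, not from the post or from OSSEC) that parses OSSEC-format log lines like the ones quoted above, collapses the repeated WARN/ERROR records, and maps the two recurring messages to the check a defender would run next. The sample lines are constructed from the post, and the hint text is my reading of the messages, not OSSEC documentation.

```python
import re
from collections import OrderedDict

# OSSEC log format: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message".
# The "(code)" and "LEVEL:" parts are optional: the line
# "ossec-remoted: OS_StartCounter: keysize: 1" in the post has neither.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>DEBUG|INFO|WARN|ERROR): )?(?P<msg>.*)$"
)

# Constructed sample: a subset of the server and agent lines quoted in the post.
SAMPLE_LOG = """\
2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22934).
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:26 ossec-remoted: OS_StartCounter: keysize: 1
2011/03/18 09:46:38 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:50 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.103'.
"""

# (daemon, message prefix, next check). My interpretation of the messages;
# remoted runs chrooted to /var/ossec, which is why the path lacks that prefix.
HINTS = [
    ("ossec-agentd", "Unable to send message to server",
     "agent never reaches the manager: confirm ossec-remoted is running and bound to UDP 1514 on the server"),
    ("ossec-remoted", "Unable to create merged file",
     "'/etc/shared/merged.mg' is /var/ossec/etc/shared/merged.mg outside the chroot; check the directory is writable by the remoted user"),
]

def parse(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(text):
    """Collapse WARN/ERROR records into (daemon, code, msg) -> occurrence count."""
    counts = OrderedDict()
    for rec in parse(text):
        if rec["level"] in ("WARN", "ERROR"):
            key = (rec["daemon"], rec["code"], rec["msg"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def hints(counts):
    """Attach the next check to each collapsed record that matches a known message."""
    return [f"{daemon} x{n}: {hint}"
            for (daemon, _code, msg), n in counts.items()
            for d, prefix, hint in HINTS
            if daemon == d and msg.startswith(prefix)]
```

Run it over the full ossec.log from both hosts; the agent-side counts tell you how long it has been retrying, and the server-side hint points at the write failure that precedes remoted disappearing from `ossec-control status`.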
