On Mon, Apr 4, 2011 at 10:43 AM, Valentin Avram <[email protected]> wrote:
> I ran the tcpdump on the broken agent, a good agent and the server.
>
> On the broken agent, I saw only packets from the agent to server, as the
> ESTABLISHED connection would explain them.
>
> On the server, I saw no packets whatsoever towards the client.
>

Does this mean you ran tcpdump on the server and saw no packets going
to the agent? Or did you only run tcpdump on the agent?
Either way, if packets are going from the server to the agent there's
a problem. Find out where those packets are going.

> On the good agent, on agent restart I saw some packets from the server to
> the agent. On the broken agent, even on agent restart I saw no packets from
> the server.
>
> The weirdest thing is that I see no errors on either the server log or the
> agent log. I also tried to set agentd in debug mode (agentd.debug=2 in
> /var/ossec/etc/internal_options.conf), but nothing gets logged. Is debugging
> support a compile-stage option or does it get built in by default? If the
> latter, then why
>
> I also noticed something:
> On every agent except the broken one, when the agentd starts, it logs
> something like (this is taken from a working agent):
> 2011/03/20 17:27:07 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/03/20 17:27:07 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/03/20 17:27:07 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '1:6385'.
> 2011/03/20 17:27:07 ossec-agentd: INFO: Assigning sender counter: 113:9733
> 2011/03/20 17:27:07 ossec-agentd: INFO: Started (pid: 16472).
> 2011/03/20 17:27:07 ossec-agentd: INFO: Server IP Address: 10.5.x.y
> 2011/03/20 17:27:07 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
> 2011/04/04 16:40:56 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/04/04 16:40:56 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/04/04 16:40:56 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '4:2300'.
> 2011/04/04 16:40:56 ossec-agentd: INFO: Assigning sender counter: 209:9551
> 2011/04/04 16:40:56 ossec-agentd: INFO: Started (pid: 5184).
> 2011/04/04 16:40:56 ossec-agentd: INFO: Server IP Address: 10.5.x.y
> 2011/04/04 16:40:56 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
>
> On the broken agent I see something like this:
> 2011/03/29 18:17:40 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/03/29 18:17:40 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/03/29 18:17:40 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
> 2011/03/29 18:17:40 ossec-agentd: INFO: Assigning sender counter: 123:5187
> 2011/03/29 18:17:40 ossec-agentd: INFO: Started (pid: 24504).
> 2011/03/29 18:17:40 ossec-agentd: INFO: Server IP Address: 10.5.x.y
> 2011/03/29 18:17:40 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
> 2011/04/04 16:39:12 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/04/04 16:39:12 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/04/04 16:39:12 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
> 2011/04/04 16:39:12 ossec-agentd: INFO: Assigning sender counter: 155:5125
> 2011/04/04 16:39:12 ossec-agentd: INFO: Started (pid: 16775).
> 2011/04/04 16:39:12 ossec-agentd: INFO: Server IP Address: 10.5.x.y
> 2011/04/04 16:39:12 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
>
> So as far as I can tell, on different-day restarts a good agent will change
> both reported counters, however the broken agent changes just one. Does
> anybody have any idea what those counters mean?
>

I believe those are the counters to help prevent replay attacks. If
the agent isn't communicating properly with the server, the counter
won't get updated.

>
> On Wed, Mar 30, 2011 at 10:13 PM, dan (ddp) <[email protected]> wrote:
>>
>> Run the tcpdump. If the agent isn't using the IP address that was
>> assigned to it when it was created (with manage_agents), you may have
>> to delete the agent and try again. You can use 'any' (without the
>> quotes) for the IP if it seems to pick IPs arbitrarily.
>>
>> On Wed, Mar 30, 2011 at 12:25 PM, Valentin Avram <[email protected]> wrote:
>> > Thank you for the info, it worked perfectly, now the server no longer
>> > complains about being unable to send messages to the clients.
>> >
>> > Only one problem remains now: the agent on the VPN client (which does
>> > all the routing) on the remote side is reported as inactive.
>> > Same behaviour:
>> > - the agent does not complain about anything in the logs
>> > - I can see an established UDP connection from the agent to the server
>> > (udp/1514)
>> > - the server does not complain about anything in the logs
>> > ... but the agent is reported by the list_agents utility and by the WUI
>> > as inactive.
>> >
>> > The funny part is that in the WUI I can see events sent by that agent.
>> >
>> > Short description:
>> > - agent is on a machine with 192.168.a.b + 172.16.t.w IPs
>> > - server is on a machine with 10.x.y.z + 172.16.r.t IPs
>> > - the agent has been installed using the key generated by the server for
>> > IP 172.16.t.w
>> > - the agent on the machine for any connection towards 10.x.y.z would use
>> > source IP 172.16.t.w (as indicated by "ip route get 10.x.y.z")
>> > - the server listens only on the 10.x.y.z interface
>> >
>> > For now I'm running out of ideas, I guess I'll need to run some tcpdumps
>> > to figure out any cause.
>> >
>> > On Tue, Mar 29, 2011 at 5:00 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> local_ip
>> >> http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
>> >>
>> >> On Tue, Mar 29, 2011 at 9:56 AM, Valentin Avram <[email protected]>
>> >> wrote:
>> >> > Do you know what the option to specify the IP or network interface to
>> >> > use is? Because in the manual on the OSSEC site I can't find anything.
>> >> >
>> >> > On Mon, Mar 28, 2011 at 9:58 PM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> Wow, that seems pretty complicated.
>> >> >>
>> >> >> You can specify the IP address the OSSEC manager will use in its
>> >> >> ossec.conf.
>> >> >>
>> >> >> You could use tcpdump to see which IP address the OSSEC manager is
>> >> >> attempting to use when communicating with the agents. I'm guessing
>> >> >> the error message you see is because the manager is using the wrong IP.
>> >> >>
>> >> >> On Sun, Mar 27, 2011 at 5:13 PM, Valentin Avram <[email protected]>
>> >> >> wrote:

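A small check that turns the counter observation in this thread into something scriptable: it parses the ossec-agentd "Assigning counter" lines quoted above, groups them per agent and restart, and reports agents whose agent counter stayed identical across restarts while the sender counter moved. This is an added example, not OSSEC code or something posted in the thread; the sample log is copied from the quoted messages, and treating "agent counter unchanged, sender counter changed" as the stuck condition is an assumption based on the symptom described, not documented OSSEC behaviour.

```python
import re
from collections import defaultdict

# Counter lines quoted in the thread: xxx_yyy8 is the good agent, xxx_yyy1 the broken one.
SAMPLE_LOG = """\
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '1:6385'.
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning sender counter: 113:9733
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '4:2300'.
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning sender counter: 209:9551
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning sender counter: 123:5187
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning sender counter: 155:5125
"""

AGENT_RE = re.compile(r"Assigning counter for agent (\S+): '(\d+):(\d+)'")
SENDER_RE = re.compile(r"Assigning sender counter: (\d+):(\d+)")


def parse_restarts(text):
    """Return {agent: [(timestamp, agent_counter, sender_counter), ...]} in log order;
    each counter is the (global, local) pair printed by ossec-agentd, line[:19] the stamp."""
    restarts = defaultdict(list)
    pending = None  # agent-counter line waiting for its sender-counter line
    for line in text.splitlines():
        m = AGENT_RE.search(line)
        if m:
            pending = (m.group(1), line[:19], (int(m.group(2)), int(m.group(3))))
            continue
        m = SENDER_RE.search(line)
        if m and pending:
            agent, stamp, agent_ctr = pending
            restarts[agent].append((stamp, agent_ctr, (int(m.group(1)), int(m.group(2)))))
            pending = None
    return dict(restarts)


def stuck_agents(text):
    """Agents whose agent counter is unchanged between consecutive restarts while the
    sender counter moved (assumed here to be the thread's 'only one counter changes' symptom)."""
    stuck = []
    for agent, entries in parse_restarts(text).items():
        for (_, prev_ctr, prev_snd), (_, ctr, snd) in zip(entries, entries[1:]):
            if ctr == prev_ctr and snd != prev_snd:
                stuck.append(agent)
                break
    return stuck


if __name__ == "__main__":
    print(stuck_agents(SAMPLE_LOG))  # ['xxx_yyy1']
```

Feed it the concatenated ossec.log of each agent to spot, without reading logs by hand, which agents the server has stopped answering.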