On Wed, Sep 7, 2011 at 4:27 AM, PJG <[email protected]> wrote:
> Folks
>
> I'm sure I've posted something about this in the past, but couldn't find it so I'll go again.
>
> We continually have to restart the OSSEC Service on the server as all agents are going offline.
>
> The only errors appearing in the logs are:
>
> 2011/09/06 12:03:29 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> 2011/09/07 03:00:02 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
Do you have syslog as the connection type in <remote> (in the ossec.conf on the manager)? Is that what you want to use for agents to send logs to the manager? If so, you need to add allowed IPs.

> 2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

This is a major error. OSSEC, by default, uses port 1514. It appears that something is using it. If you're using Linux, run (as root): "netstat -pan | grep 1514". That should tell you what's using port 1514.

Providing the ossec.conf from your manager might be helpful in tracking this down. Remember to remove sensitive info (DB passwords, etc.).

> 2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending message to queue.
> 2011/09/07 08:53:38 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
>
> Can anyone shed some light on:
>
> 1 - How to monitor this? I have raised the Agent offline alert to a higher level, but I would like some automated monitoring of this state. I use nagios.
> 2 - Whether anyone has any idea of how to troubleshoot this issue?
>

The logs you posted offer some clues. Follow them, or post more information. Checking firewalls, routing, and active response might all give you clues. Make sure all agents have unique IDs. When they stop working, see which ossec processes are running (ossec-control status), and which are stopped.

> I'm running v2.6 on the server.
>
> I've increased Max agents to 2048 as I have about 260 agents.
>
> Thanks
>
> Pip
>
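As an added example (not part of this thread, and not OSSEC's own tooling), a small POSIX shell check that covers the two points raised above: the ossec-remoted errors quoted from ossec.log, and the "who owns port 1514" question answered with netstat. It assumes the default log path /var/ossec/logs/ossec.log and reads `netstat -pan` output on stdin so it can be tested offline; the sample log is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Nagios-style check for the two ossec-remoted failures quoted in the thread.
# Exit codes follow Nagios: 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"   # assumed default install path
OSSEC_PORT="${OSSEC_PORT:-1514}"                      # OSSEC's default agent port

# Constructed sample log (the three error lines from the thread) for offline runs.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2011/09/06 12:03:29 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending message to queue.
EOF

# Scan a log file ($1) for remoted bind / syslog access-list errors.
# Prints the matches; returns 2 if any were found, else 0.
check_remoted_log() {
    matches=$(grep -E 'ossec-remoted\([0-9]+\): ERROR: (Unable to Bind port|No IP or network allowed in the access list for syslog)' "$1" || true)
    if [ -n "$matches" ]; then
        echo "CRITICAL - ossec-remoted errors in $1:"
        echo "$matches"
        return 2
    fi
    echo "OK - no ossec-remoted bind/access-list errors in $1"
    return 0
}

# Read `netstat -pan` output on stdin and report which process owns port $1.
# Works for both the udp and tcp line layouts (the PID/program is the last field).
check_port_owner() {
    port="$1"
    owner=$(awk -v p=":$port" '$4 ~ (p "$") { print $NF; exit }')
    case "$owner" in
        */ossec-remoted) echo "OK - port $port owned by $owner"; return 0 ;;
        "")  echo "CRITICAL - nothing listening on port $port"; return 2 ;;
        -)   echo "UNKNOWN - run netstat as root to see the owning process"; return 3 ;;
        *)   echo "CRITICAL - port $port held by $owner, not ossec-remoted"; return 2 ;;
    esac
}

# Usage on a live manager (as root): ./check_ossec_remoted.sh --live
if [ "${1-}" = "--live" ]; then
    check_remoted_log "$OSSEC_LOG"
    netstat -pan 2>/dev/null | check_port_owner "$OSSEC_PORT"
fi
```

Wired into Nagios as a command, the CRITICAL exit code gives the automated "manager is broken" alert asked for in point 1, independent of the agent-offline rule level.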
