Hi Dan,
Sorry for the extremely delayed response. Like most things, if other
priorities come along your focus gets placed somewhere else.
I've got nothing else listed on 1514. Netstat -pan | grep 1514 gives
the following output:
udp 0 0 0.0.0.0:1514 0.0.0.0:* 483/ossec-remoted
The remote config in ossec.conf is as such:
<remote>
<connection>syslog</connection>
</remote>
<remote>
<connection>secure</connection>
</remote>
You asked: Is that what you want to use for agents to send logs to
the manager?
A: Isn't the above the default?
Then You asked: If so, you need to add allowed IPs.
A: Where do I do this? I've never needed to add allowed IPs before?
Thanks in advance for your help...
Pip
On Sep 8, 7:29 pm, "dan (ddp)" <[email protected]> wrote:
> On Wed, Sep 7, 2011 at 4:27 AM, PJG <[email protected]> wrote:
> > Folks
>
> > I'm sure I've posted something about this in the past, but couldn't
> > find it so I'll go again.
>
> > We continually have to restart the OSSEC Service on the server as all
> > agents are going offline.
>
> > The only errors appearing in the logs are:
>
> > 2011/09/06 12:03:29 ossec-remoted(1501): ERROR: No IP or network
> > allowed in the access list for syslog. No reason for running it.
> > Exiting.
> > 2011/09/07 03:00:02 ossec-remoted(1501): ERROR: No IP or network
> > allowed in the access list for syslog. No reason for running it.
> > Exiting.
>
> Do you have syslog as the connection type in <remote> (in the
> ossec.conf on the manager)?
> Is that what you want to use for agents to send logs to the manager?
> If so, you need to add allowed IPs.
>
> > 2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port
> > '1514'
>
> This is a major error. OSSEC, by default, uses port 1514. It appears
> that something is using it.
> If you're using Linux, run (as root): "netstat -pan | grep 1514"
> That should tell you what's using port 1514.
>
> Providing the ossec.conf from your manager might be helpful in
> tracking this down.
> Remember to remove sensitive info (DB passwords, etc.).
>
> > 2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending
> > message to queue.
> > 2011/09/07 08:53:38 ossec-remoted(1501): ERROR: No IP or network
> > allowed in the access list for syslog. No reason for running it.
> > Exiting.
>
> > Can anyone shed some light on:
>
> > 1 - How to monitor this? I have raised the Agent offline alert to a
> > higher level, but I would like some automated monitoring of this
> > state.
>
> I use nagios.
>
> > 2 - Whether anyone has any idea of how to troubleshoot this issue?
>
> The logs you posted offer some clues. Follow them, or post more information.
>
> Checking firewalls, routing, and active response might all give you clues.
> Make sure all agents have unique IDs.
> When they stop working see which ossec processes are running
> (ossec-control status), and which are stopped.
>
>
>
> > I'm running v2.6 on the server.
>
> > I've increased Max agents to 2048 as I have about 260 agents.
>
> > Thanks
>
> > Pip
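As an added example (not code from this thread or from OSSEC itself), a short Python checker for the condition Dan points at: a `<remote>` block of connection type syslog with no allowed IPs, which is what makes ossec-remoted log error 1501 and exit. It assumes OSSEC's `<allowed-ips>` option for that access list, the two constructed sample configurations embedded below, and a placeholder network of 192.168.2.0/24.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a manager ossec.conf shaped like the one in the thread,
# with a syslog listener that has no access list and the secure listener
# that agents use.
BROKEN_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Constructed sample: the same file with the syslog listener restricted to the
# network allowed to send to it (<allowed-ips> may be repeated per network).
FIXED_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    # ossec.conf may contain several top-level <ossec_config> elements, which
    # is not well-formed XML on its own, so wrap the file in a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners_without_acl(text):
    """Return (index, port) for every syslog <remote> block lacking
    <allowed-ips>; such a listener makes ossec-remoted report
    'No IP or network allowed in the access list for syslog' and exit."""
    findings = []
    for i, remote in enumerate(parse_ossec_conf(text).iter("remote")):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        acl = [a.text.strip() for a in remote.findall("allowed-ips") if a.text]
        if not acl:
            # OSSEC's syslog listener defaults to port 514 when <port> is absent
            findings.append((i, (remote.findtext("port") or "514").strip()))
    return findings
```

Run it against the real /var/ossec/etc/ossec.conf before restarting the manager: an empty result means every syslog listener has an access list, while the secure listener needs none because agents authenticate with their keys.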