On Fri, Sep 30, 2011 at 6:59 AM, PJG <[email protected]> wrote:
> Hi Dan,
>
> Sorry for the extremely delayed response. Like most things if other
> priorities come along your focus gets placed somewhere else.
>
> I've got nothing else listed on 1514. Netstat -pan | grep 1514 gives
> the following output:
>
> udp        0      0 0.0.0.0:1514 0.0.0.0:*                               483/ossec-remoted
>
> The remote config in ossec.conf is as such:
>
> <remote>
>    <connection>syslog</connection>
>  </remote>
>
>  <remote>
>    <connection>secure</connection>
>  </remote>
>
>
> You asked : Is that what you want to use for agents to send logs to
> the manager?
> A: Isn't the above the default?
>
> Then You asked: If so, you need to add allowed IPs.
> A: Where do I do this? I've never needed to add allowed IPs before?
>

The allowed ips are just for the syslog method. If you want to use the
secure log transfer method you don't have to worry about it.

There's definitely something strange going on with your setup. You
shouldn't be getting the bind errors if nothing's listening to 1514
when ossec-remoted isn't running.

Are there any error messages on the agents?

> Thanks in advance for your help...
>
> Pip
>
> On Sep 8, 7:29 pm, "dan (ddp)" <[email protected]> wrote:
>> On Wed, Sep 7, 2011 at 4:27 AM, PJG <[email protected]> wrote:
>> > Folks
>>
>> > I'm sure I've posted something about this in the past, but couldn't
>> > find it so I'll go again.
>>
>> > We are continually having to restart the OSSEC Service on server as all
>> > agents are going offline.
>>
>> > The only errors appearing in the logs are:
>>
>> > 2011/09/06 12:03:29 ossec-remoted(1501): ERROR: No IP or network
>> > allowed in the access list for syslog. No reason for running it.
>> > Exiting.
>> > 2011/09/07 03:00:02 ossec-remoted(1501): ERROR: No IP or network
>> > allowed in the access list for syslog. No reason for running it.
>> > Exiting.
>>
>> Do you have syslog as the connection type in <remote> (in the
>> ossec.conf on the manager)?
>> Is that what you want to use for agents to send logs to the manager?
>> If so, you need to add allowed IPs.
>>
>> > 2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port
>> > '1514'
>>
>> This is a major error. OSSEC, by default, uses port 1514. It appears
>> that something is using it.
>> If you're using Linux, run (as root): "netstat -pan | grep 1514"
>> That should tell you what's using port 1514.
>>
>> Providing the ossec.conf from your manager might be helpful in
>> tracking this down.
>> Remember to remove sensitive info (DB passwords, etc.).
>>
>> > 2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending
>> > message to queue.
>> > 2011/09/07 08:53:38 ossec-remoted(1501): ERROR: No IP or network
>> > allowed in the access list for syslog. No reason for running it.
>> > Exiting.
>>
>> > Can anyone shed some light on:
>>
>> > 1 - How to monitor this? I have raised the Agent offline alert to a
>> > higher level, but I would like some automated monitoring of this
>> > state.
>>
>> I use nagios.
>>
>> > 2 - Whether anyone has any idea of how to troubleshoot this issue?
>>
>> The logs you posted offer some clues. Follow them, or post more information.
>>
>> Checking firewalls, routing, and active response might all give you clues.
>> Make sure all agents have unique IDs.
>> When they stop working see which ossec processes are running
>> (ossec-control status), and which are stopped.
>>
>>
>>
>> > I'm running v2.6 on the server.
>>
>> > I've increased Max agents to 2048 as I have about 260 agents.
>>
>> > Thanks
>>
>> > Pip
>
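
Added example (not part of the original thread, and not OSSEC project code): a small check of the manager's <remote> blocks that flags the condition behind the 1501 error quoted above, a syslog listener with no <allowed-ips>, and lists the sockets to compare against the netstat output. The function name audit_remote and the sample config are constructed here; the default ports (514 for syslog, 1514 for secure) and default protocol (udp) are assumed from the OSSEC documentation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two <remote> blocks quoted in the thread.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Assumption (OSSEC documentation): default port per connection type.
DEFAULT_PORT = {"syslog": "514", "secure": "1514"}


def audit_remote(conf_text):
    """Return (listeners, findings) for every <remote> block in conf_text."""
    # ossec.conf may contain several <ossec_config> roots, which is not
    # well-formed XML on its own; wrap it so it parses as one document.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    listeners, findings = [], []
    for n, remote in enumerate(root.iter("remote"), start=1):
        conn = (remote.findtext("connection") or "unspecified").strip().lower()
        port = (remote.findtext("port") or DEFAULT_PORT.get(conn, "?")).strip()
        proto = (remote.findtext("protocol") or "udp").strip().lower()
        allowed = [e.text.strip() for e in remote.findall("allowed-ips")
                   if e.text and e.text.strip()]
        listeners.append((conn, proto, port))
        # The allowed-ips list only matters for the syslog method.
        if conn == "syslog" and not allowed:
            findings.append(
                f"remote #{n}: syslog listener has no <allowed-ips>; "
                "matches ossec-remoted(1501) 'No IP or network allowed'")
    return listeners, findings


if __name__ == "__main__":
    found_listeners, found_issues = audit_remote(SAMPLE_CONF)
    for conn, proto, port in found_listeners:
        print(f"listener: {conn} {proto}/{port}")
    for issue in found_issues:
        print("FINDING:", issue)
```
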
