Hi Dan,

I'll update the next time I see this event happening and will put in a full timeline.

Thanks

On Oct 4, 12:59 am, "dan (ddp)" <[email protected]> wrote:
> On Fri, Sep 30, 2011 at 6:59 AM, PJG <[email protected]> wrote:
> > Hi Dan,
> >
> > Sorry for the extremely delayed response. Like most things, if other
> > priorities come along your focus gets placed somewhere else.
> >
> > I've got nothing else listed on 1514. "netstat -pan | grep 1514" gives
> > the following output:
> >
> > udp 0 0 0.0.0.0:1514 0.0.0.0:* 483/ossec-remoted
> >
> > The remote config in ossec.conf is as such:
> >
> > <remote>
> > <connection>syslog</connection>
> > </remote>
> >
> > <remote>
> > <connection>secure</connection>
> > </remote>
> >
> > You asked: Is that what you want to use for agents to send logs to
> > the manager?
> > A: Isn't the above the default?
> >
> > Then you asked: If so, you need to add allowed IPs.
> > A: Where do I do this? I've never needed to add allowed IPs before.
>
> The allowed IPs are just for the syslog method. If you want to use the
> secure log transfer method you don't have to worry about it.
>
> There's definitely something strange going on with your setup. You
> shouldn't be getting the bind errors if nothing's listening on 1514
> when ossec-remoted isn't running.
>
> Are there any error messages on the agents?
>
> > Thanks in advance for your help...
> >
> > Pip
> >
> > On Sep 8, 7:29 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Wed, Sep 7, 2011 at 4:27 AM, PJG <[email protected]> wrote:
> >> > Folks
> >> >
> >> > I'm sure I've posted something about this in the past, but couldn't
> >> > find it so I'll go again.
> >> >
> >> > We are continually having to restart the OSSEC service on the server as
> >> > all agents are going offline.
> >> >
> >> > The only errors appearing in the logs are:
> >> >
> >> > 2011/09/06 12:03:29 ossec-remoted(1501): ERROR: No IP or network
> >> > allowed in the access list for syslog. No reason for running it.
> >> > Exiting.
> >> > 2011/09/07 03:00:02 ossec-remoted(1501): ERROR: No IP or network
> >> > allowed in the access list for syslog. No reason for running it.
> >> > Exiting.
> >>
> >> Do you have syslog as the connection type in <remote> (in the
> >> ossec.conf on the manager)?
> >> Is that what you want to use for agents to send logs to the manager?
> >> If so, you need to add allowed IPs.
> >>
> >> > 2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port
> >> > '1514'
> >>
> >> This is a major error. OSSEC, by default, uses port 1514. It appears
> >> that something is using it.
> >> If you're using Linux, run (as root): "netstat -pan | grep 1514"
> >> That should tell you what's using port 1514.
> >>
> >> Providing the ossec.conf from your manager might be helpful in
> >> tracking this down.
> >> Remember to remove sensitive info (DB passwords, etc.).
> >>
> >> > 2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending
> >> > message to queue.
> >> > 2011/09/07 08:53:38 ossec-remoted(1501): ERROR: No IP or network
> >> > allowed in the access list for syslog. No reason for running it.
> >> > Exiting.
> >> >
> >> > Can anyone shed some light on:
> >> >
> >> > 1 - How to monitor this? I have raised the "Agent offline" alert to a
> >> > higher level, but I would like some automated monitoring of this
> >> > state.
> >>
> >> I use nagios.
> >>
> >> > 2 - Whether anyone has any idea of how to troubleshoot this issue?
> >>
> >> The logs you posted offer some clues. Follow them, or post more
> >> information.
> >>
> >> Checking firewalls, routing, and active response might all give you clues.
> >> Make sure all agents have unique IDs.
> >> When they stop working see which ossec processes are running
> >> (ossec-control status), and which are stopped.
> >>
> >> > I'm running v2.6 on the server.
> >> >
> >> > I've increased Max agents to 2048 as I have about 260 agents.
> >> >
> >> > Thanks
> >> >
> >> > Pip
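
An added example for the two points this thread keeps circling back to: the syslog <remote> block with no <allowed-ips> (the condition behind error 1501, which Dan explains) and Pip's request for automated monitoring of the remoted errors. This is not code from the thread or from the OSSEC project. The two function names, the sample ossec.conf fragments and the sample ossec.log lines are constructed here; 192.0.2.0/24 is a placeholder network; /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log are the default paths of a 2.x manager install and would replace the sample data in real use.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or the OSSEC project.
# Two offline checks run against constructed sample data:
#  (1) does ossec.conf contain a <remote> block with <connection>syslog
#      but no <allowed-ips>? That is what makes ossec-remoted log 1501
#      ("No IP or network allowed in the access list for syslog") and exit.
#  (2) how many ossec-remoted ERROR lines with a given code are in ossec.log?
# On a real manager feed /var/ossec/etc/ossec.conf and
# /var/ossec/logs/ossec.log to the functions instead of the samples.

# Constructed ossec.conf fragment reproducing the setup quoted in the thread:
# a syslog listener with an empty access list beside the secure agent channel.
BROKEN_CONF=$(cat <<'EOF'
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
EOF
)

# Same manager with the fix: the syslog listener names the network that may
# send to it (192.0.2.0/24 is an assumed placeholder) and the ports are made
# explicit, 514 for syslog and 1514 for the secure agent channel.
FIXED_CONF=$(cat <<'EOF'
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
EOF
)

# Constructed ossec.log lines in the format quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
2011/09/07 03:00:02 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2011/09/07 03:00:02 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2011/09/07 03:08:41 ossec-rootcheck(1224): ERROR: Error sending message to queue.
2011/09/07 08:53:38 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2011/09/07 08:53:40 ossec-analysisd: INFO: Started (pid: 482).
EOF
)

# Reads ossec.conf on stdin and prints the number of <remote> blocks that use
# <connection>syslog</connection> but contain no <allowed-ips>. Anything other
# than 0 means ossec-remoted will refuse to run the syslog listener.
syslog_blocks_without_allowed_ips() {
    awk '
        /<remote>/   { in_remote = 1; conn = ""; allowed = 0; next }
        /<\/remote>/ { if (in_remote && conn == "syslog" && !allowed) bad++
                       in_remote = 0; next }
        in_remote && /<connection>/ {
            line = $0
            sub(/.*<connection>/, "", line); sub(/<\/connection>.*/, "", line)
            conn = line
        }
        in_remote && /<allowed-ips>/ { allowed = 1 }
        END { print bad + 0 }
    '
}

# Reads ossec.log on stdin and prints how many ossec-remoted ERROR lines carry
# the numeric code given as $1 (1501 = empty syslog access list, 1206 = unable
# to bind the port). Other daemons' errors, e.g. ossec-rootcheck, are ignored.
count_remoted_errors() {
    awk -v want="$1" '
        $3 ~ /^ossec-remoted\([0-9]+\):$/ && $4 == "ERROR:" {
            code = $3
            sub(/^ossec-remoted\(/, "", code); sub(/\):$/, "", code)
            if (code == want) n++
        }
        END { print n + 0 }
    '
}

# Demonstration on the constructed data.
printf 'broken conf: %s syslog block(s) lack allowed-ips\n' \
    "$(printf '%s\n' "$BROKEN_CONF" | syslog_blocks_without_allowed_ips)"
printf 'fixed conf:  %s syslog block(s) lack allowed-ips\n' \
    "$(printf '%s\n' "$FIXED_CONF" | syslog_blocks_without_allowed_ips)"
printf 'remoted 1501 errors: %s, 1206 errors: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_remoted_errors 1501)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_remoted_errors 1206)"
```

The log counter is the piece that answers the monitoring question: a cron job or a Nagios plugin that runs count_remoted_errors over the last few minutes of ossec.log and alerts on a non-zero 1501 or 1206 count catches remoted dying before the "Agent offline" alerts start. The config check is the troubleshooting half: if the syslog listener is not actually wanted, dropping that <remote> block is as valid a fix as adding <allowed-ips>, since the secure channel on 1514 does not use the access list.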
