Hello,
I cannot get the client to communicate with the server.
I followed the OSSEC tutorial to add the agent, copy the key and restart ossec-control.
The server is running an up-to-date AlienVault 3.0 64-bit.
On the Server:
*/var/ossec/bin/ossec-analysisd -V*
OSSEC HIDS v2.5.1 - Trend Micro Inc.
*cat /etc/ossec-init.conf*
DIRECTORY="/var/ossec"
VERSION="v2.0"
DATE="Mon Mar 2 12:57:41 GMT-1 2009"
TYPE="server"
*/var/ossec/etc/ossec.conf*
Seems related to local server monitoring
...
<active-response><disabled>yes</disabled></active-response>
<remote><connection>secure</connection></remote>
<alerts><log_alert_level>1</log_alert_level></alerts>
...
*/var/ossec/logs/ossec.log* (extract)
...
ossec-remoted(4111): INFO: Maximum number of agents allowed: '2048'.
ossec-remoted(1410): INFO: Reading authentication keys file.
ossec-remoted: INFO: Assigning counter for agent FR3600: '4:605'.
ossec-remoted: INFO: Assigning sender counter: 0:930
ossec-monitord: INFO: Started (pid: 2628).
ossec-syscheckd: INFO: Started (pid: 2622).
ossec-rootcheck: INFO: Started (pid: 2622).
...
*uname -a*
Linux alienvault 2.6.31.6 #3 SMP Tue Jul 13 06:50:17 EDT 2010 x86_64
GNU/Linux
On the client "Windows 2008 Server" with OSSEC Agent 2.6:
...
ossec-agent: INFO: Started (pid: 4336).
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent: WARN: Process locked. Waiting for permission...
ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.5.111'.
ossec-agent: INFO: Trying to connect to server (10.1.5.111:1514).
ossec-agent: INFO: Using IPv4 for: 10.1.5.111 .
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
...
Client config:
<ossec_config>
<client>
<server-ip>10.1.5.111</server-ip>
</client>
<localfile>
<location>C:\opt\apache-tomcat-7.0.19\logs\localhost_access_log.%Y-%m-%d.log</location>
<log_format>apache</log_format>
</localfile>
<localfile>
<location>C:\opt\apache-tomcat-7.0.19\logs\catalina.%Y-%m-%d.log</location>
<log_format>multi-line: 2</log_format>
</localfile>
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<syscheck>
<frequency>72000</frequency>
<disabled>no</disabled>
<directories check_all="yes">%WINDIR%/win.ini</directories>
...
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
...
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
<active-response>
<disabled>yes</disabled>
</active-response>
</ossec_config>
What did I miss?
Regards
Bruno
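The two log extracts and the client config above contain everything needed for a first triage: which address and port the agent tries, whether it ever hears back, and whether ossec-remoted on the server read its keys file and for which agent ids. The script below is an added example, not code from the post or from the OSSEC project; it parses the lines quoted in the message (the sample data is copied from the post, with the client config trimmed to its `<client>` block so that it is well-formed XML) and turns them into a short list of things to verify. The message-id regexes (1214, 4101, 1410) match the formats shown in the post; the diagnosis text is the example's own wording.

```python
import re
import xml.etree.ElementTree as ET

# Sample data: the agent log, server log and client config quoted in the post above
# (the config is reduced to the <client> block so it parses as XML).
AGENT_LOG = """\
ossec-agent: INFO: Started (pid: 4336).
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent: WARN: Process locked. Waiting for permission...
ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.5.111'.
ossec-agent: INFO: Trying to connect to server (10.1.5.111:1514).
ossec-agent: INFO: Using IPv4 for: 10.1.5.111 .
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
"""

SERVER_LOG = """\
ossec-remoted(4111): INFO: Maximum number of agents allowed: '2048'.
ossec-remoted(1410): INFO: Reading authentication keys file.
ossec-remoted: INFO: Assigning counter for agent FR3600: '4:605'.
ossec-remoted: INFO: Assigning sender counter: 0:930
ossec-monitord: INFO: Started (pid: 2628).
"""

CLIENT_CONF = "<ossec_config><client><server-ip>10.1.5.111</server-ip></client></ossec_config>"

# Patterns for the log formats visible in the post.
CONNECT_RE = re.compile(r"Trying to connect to server \((\S+):(\d+)\)")
RECV_RE = re.compile(r"\(1214\): WARN: Problem receiving message from (\S+)\.")
WAIT_RE = re.compile(r"\(4101\): WARN: Waiting for server reply \(not started\)")
KEYS_RE = re.compile(r"\(1410\): INFO: Reading authentication keys file")
AGENT_KEY_RE = re.compile(r"Assigning counter for agent (\S+): '(\d+):(\d+)'")
MAX_RE = re.compile(r"Maximum number of agents allowed: '(\d+)'")


def parse_agent_log(text):
    """Summarise what the agent tried to reach and whether it got anything back."""
    summary = {"server_ip": None, "server_port": None,
               "receive_problems": 0, "waiting_for_reply": False}
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            summary["server_ip"], summary["server_port"] = m.group(1), int(m.group(2))
        if RECV_RE.search(line):
            summary["receive_problems"] += 1
        if WAIT_RE.search(line):
            summary["waiting_for_reply"] = True
    return summary


def parse_server_log(text):
    """Summarise remoted start-up: keys file read, agent ids that got counters, agent limit."""
    summary = {"keys_read": False, "agents": [], "max_agents": None}
    for line in text.splitlines():
        if KEYS_RE.search(line):
            summary["keys_read"] = True
        m = AGENT_KEY_RE.search(line)
        if m:
            summary["agents"].append(m.group(1))
        m = MAX_RE.search(line)
        if m:
            summary["max_agents"] = int(m.group(1))
    return summary


def client_server_ip(xml_text):
    """Return the <server-ip> configured in the agent's ossec.conf."""
    node = ET.fromstring(xml_text).find("client/server-ip")
    return node.text.strip() if node is not None and node.text else None


def diagnose(agent, server, configured_ip):
    """Combine both summaries into a list of checks for the operator."""
    findings = []
    if configured_ip and agent["server_ip"] and configured_ip != agent["server_ip"]:
        findings.append("config server-ip %s differs from the address the agent contacts (%s)"
                        % (configured_ip, agent["server_ip"]))
    if agent["waiting_for_reply"] and agent["receive_problems"]:
        findings.append("agent sends to %s:%s but never receives a reply: check that UDP/%s "
                        "reaches the server and that replies can come back"
                        % (agent["server_ip"], agent["server_port"], agent["server_port"]))
    if not server["keys_read"]:
        findings.append("ossec-remoted did not log reading the keys file: restart it after adding the agent")
    elif not server["agents"]:
        findings.append("keys file read but no agent counters assigned: the agent key is not in client.keys")
    else:
        findings.append("server loaded keys for %s: confirm the key imported on the agent "
                        "belongs to one of these ids" % ", ".join(server["agents"]))
    return findings


if __name__ == "__main__":
    agent = parse_agent_log(AGENT_LOG)
    server = parse_server_log(SERVER_LOG)
    for finding in diagnose(agent, server, client_server_ip(CLIENT_CONF)):
        print("-", finding)
```

Run against the quoted extracts it reports that the agent reaches out to 10.1.5.111:1514 and never hears back, and that the server has a key loaded for agent id FR3600; the same functions can be pointed at full ossec.log files from both sides when a longer history is available.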