On Mon, Dec 5, 2011 at 11:45 AM, Bruno Vernay <[email protected]> wrote:
> Hello,
>
> I cannot get the client to communicate with the server.
> I followed the OSSEC tutorial to add the agent, copy the key and re-start ossec-control.
>
> The server is running an up-to-date AlienVault 3.0 64bit.
>
> On the Server:
>
> /var/ossec/bin/ossec-analysisd -V
> OSSEC HIDS v2.5.1 - Trend Micro Inc.
>
> cat /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v2.0"
> DATE="Mon Mar 2 12:57:41 GMT-1 2009"
> TYPE="server"
>
> /var/ossec/etc/ossec.conf
> Seems related to local server monitoring
> ...
> <active-response><disabled>yes</disabled></active-response>
> <remote><connection>secure</connection></remote>
> <alerts><log_alert_level>1</log_alert_level></alerts>
> ...
>
> /var/ossec/logs/ossec.log (extract)
> ...
> ossec-remoted(4111): INFO: Maximum number of agents allowed: '2048'.
> ossec-remoted(1410): INFO: Reading authentication keys file.
> ossec-remoted: INFO: Assigning counter for agent FR3600: '4:605'.
> ossec-remoted: INFO: Assigning sender counter: 0:930
> ossec-monitord: INFO: Started (pid: 2628).
> ossec-syscheckd: INFO: Started (pid: 2622).
> ossec-rootcheck: INFO: Started (pid: 2622).
> ...
>
> uname -a
> Linux alienvault 2.6.31.6 #3 SMP Tue Jul 13 06:50:17 EDT 2010 x86_64 GNU/Linux
>
> On the client "Windows 2008 Server" with OSSEC Agent 2.6:
> ...
> ossec-agent: INFO: Started (pid: 4336).
> ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
> ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
> ossec-agent: WARN: Process locked. Waiting for permission...
> ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.5.111'.
> ossec-agent: INFO: Trying to connect to server (10.1.5.111:1514).
> ossec-agent: INFO: Using IPv4 for: 10.1.5.111 .
> ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
> ...
>
> Client config:
> <ossec_config>
>   <client>
>     <server-ip>10.1.5.111</server-ip>
>   </client>
>   <localfile>
>     <location>C:\opt\apache-tomcat-7.0.19\logs\localhost_access_log.%Y-%m-%d.log</location>
>     <log_format>apache</log_format>
>   </localfile>
>   <localfile>
>     <location>C:\opt\apache-tomcat-7.0.19\logs\catalina.%Y-%m-%d.log</location>
>     <log_format>multi-line: 2</log_format>
>   </localfile>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <rootcheck>
>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>   </rootcheck>
>   <syscheck>
>     <frequency>72000</frequency>
>     <disabled>no</disabled>
>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>     ...
>     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
>     <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>     ...
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>
>     <!-- Windows registry entries to ignore. -->
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>     <registry_ignore type="sregex">\Enum$</registry_ignore>
>   </syscheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
> </ossec_config>
>
> What did I miss???
>
> Regards
> Bruno
>
Are packets making it to the manager on port 1514/udp? If so, are the replies making it to the agent? Is this your only agent? Are other agents working? Does the agent have multiple IP addresses? Is the correct one being used?
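As an added example (not code from this thread or from OSSEC itself) of turning those questions into a repeatable check: the first function counts the agent's WARN lines by message id and the manager address they name, and the second checks whether the IP field of each manager-side client.keys entry covers one of the addresses the agent actually sends from, which is where a multi-homed agent usually goes wrong. The log excerpt, the client.keys line and the agent addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt modelled on the agent-side ossec.log quoted in the thread.
AGENT_LOG = """\
ossec-agent: INFO: Started (pid: 4336).
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
ossec-agent: WARN: Process locked. Waiting for permission...
ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.5.111'.
ossec-agent: INFO: Trying to connect to server (10.1.5.111:1514).
ossec-agent(1214): WARN: Problem receiving message from 10.1.5.111.
"""

# Constructed manager-side client.keys entry (real format: "ID NAME IP KEY");
# the agent IP is made up and the key is a placeholder.
CLIENT_KEYS = "001 FR3600 10.1.7.20 KEY-PLACEHOLDER\n"

# Agent WARN lines carry a numeric message id and name the manager address.
WARN_RE = re.compile(r"ossec-agent\((\d+)\): WARN: .*?(\d+(?:\.\d+){3})")


def agent_symptoms(log):
    """Count agent WARN lines per (message id, manager address)."""
    counts = {}
    for code, server in WARN_RE.findall(log):
        counts[(code, server)] = counts.get((code, server), 0) + 1
    return counts


def key_matches(keys_text, agent_addrs):
    """Map each enrolled agent name to (allowed IP, whether one of the agent's
    actual source addresses is covered); 'any' and CIDR forms are accepted."""
    report = {}
    for line in keys_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 4:
            continue  # comment or malformed line
        _agent_id, name, allowed, _key = fields[:4]
        if allowed == "any":
            ok = True
        else:
            net = ipaddress.ip_network(allowed, strict=False)
            ok = any(ipaddress.ip_address(a) in net for a in agent_addrs)
        report[name] = (allowed, ok)
    return report
```

A run of 1214 warnings with no reply means the datagrams are not coming back on 1514/udp; a False in the key report means the manager is dropping them because the agent is sending from an address its key entry does not allow.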
