No dice.

<remote>
  <connection>secure</connection>
  <local_ip>x.x.x.1</local_ip>
  <port>1514</port>
</remote>

Any other ideas?

On Jan 19, 12:07 pm, Nick Green <n...@attackstack.net> wrote:
> I've seen this before and got around it by setting the two directives below:
> local_ip and port. Although defaults ...setting this explicitly worked.
>
> <remote>
> <connection>secure</connection>
> <local_ip>x.x.x.x</local_ip>
> <port>1514</port>
> </remote>
>
> /nick
>
> On Thu, Jan 19, 2012 at 3:25 PM, kcjames <kcja...@gmail.com> wrote:
> > I'm pulling my hair out here. I have a new install of ossec server
> > and it is working great. I've incorporated the webui and splunk and
> > that is all working great. However, I can not get any agents
> > connecting. I have tried just about every solution I could find and I
> > am still getting nowhere.
> >
> > Here are the relevant log portions from the agents:
> >
> > ossec-agent(4101): WARN: Waiting for server reply (not started).
> > Tried: 'x.x.x.1'.
> >
> > On the server here are the relevant log portions for ossec-remoted:
> >
> > ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8606).
> > ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8608).
> > ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.0.0/24'
> > ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.1.2'
> > ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8607).
> > ossec.log:2012/01/18 15:40:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> > ossec.log:2012/01/18 15:40:19 ossec-remoted(1410): INFO: Reading authentication keys file.
> > ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous counter available for 'agent001'.
> > ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning counter for agent agent001: '0:0'.
> > ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous sender counter.
> > ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning sender counter: 0:0
> > ossec.log:2012/01/18 15:56:49 ossec-remoted(1213): WARN: Message from 127.0.0.1 not allowed.
> >
> > Tcpdump data shows traffic from agents to server, but no server response.
> >
> > # tcpdump -ni eth0 port 1514
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 08:15:15.627737 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> > 08:15:21.628234 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> > 08:15:25.628378 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> > 08:15:30.628481 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> > 08:15:36.628707 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> >
> > Netstat output shows remoted bound to 1514:
> >
> > 8608/ossec-remoted
> > udp 0 0 *:syslog *:*
> > 8607/ossec-remoted
> > udp 0 0 *:39324 *:*
> >
> > Iptables is open on port 1514 in and all out ports are open. I also
> > turned iptables off altogether and still no traffic from the ossec
> > server to the agents:
> >
> > # iptables -L
> > Chain INPUT (policy DROP)
> > target prot opt source destination
> > ACCEPT udp -- anywhere anywhere udp dpt:syslog
> > ACCEPT tcp -- anywhere anywhere tcp dpt:8089
> > ...
> > Chain FORWARD (policy DROP)
> > target prot opt source destination
> > LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> >
> > Here are the lines in the conf for the agent IPs:
> >
> > <global>
> > <white_list>127.0.0.1</white_list>
> > <white_list>^localhost.localdomain$</white_list>
> > <white_list> x.x.x.8</white_list>
> > <white_list> x.x.x.10</white_list>
> > <white_list> x.x.x.10</white_list>
> > <white_list> x.x.1.2</white_list>
> > </global>
> >
> > <remote>
> > <connection>syslog</connection>
> > <allowed-ips>x.x.0.0/24</allowed-ips>
> > <allowed-ips>x.x.1.2</allowed-ips>
> > </remote>
> >
> > <remote>
> > <connection>secure</connection>
> > </remote>
> >
> > I am not behind any NAT and I am not using any firewalls on the
> > agents, though I see no traffic even being sent from the server to the
> > agents, so I am relatively sure that isn't a problem anyway.
> >
> > Any help would be much appreciated!
> >
> > James
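The three server-side checks this thread walks through (is ossec-remoted actually bound to the port, does the sending address match a client.keys entry, does the server ever answer the agent) can be run against captured output rather than by eye. The script below is an added example written for this page; it is not code from the thread or from the OSSEC project. The function names are mine, the netstat, client.keys and tcpdump samples at the bottom are constructed and are not the thread's data, and it assumes the client.keys layout `<id> <name> <ip> <key>` where the ip field is a single address, a CIDR range or the word `any` (the format OSSEC 2.x reads). It expects numeric output (`netstat -ulnp`, `tcpdump -n`) so that 1514 is not rendered as a service name.

```python
"""Server-side triage for an OSSEC agent stuck at
"ossec-agent(4101): WARN: Waiting for server reply (not started)".

Added example for this thread, not OSSEC code. Every check takes captured
text (netstat -ulnp, client.keys, tcpdump -n) as input, so it runs offline;
the samples at the bottom are constructed, not taken from the thread.
"""
import ipaddress
import re

# 1. Is ossec-remoted bound to the secure port?  Input: `netstat -ulnp` (numeric,
#    so the port is not rendered as a service name such as "syslog").
NETSTAT_RE = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+)[:.](\d+)\s+\S+\s+(\d+)/(\S+)")


def remoted_listening(netstat_text, port=1514):
    """True if some udp socket on `port` is owned by a process named ossec-remoted."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and int(m.group(2)) == port and m.group(4) == "ossec-remoted":
            return True
    return False


# 2. Would remoted accept a datagram from this source address?
#    client.keys lines are "<id> <name> <ip> <key>"; the ip field may be a single
#    address, a CIDR range, or the word "any" (assumed format, see lead-in).
def parse_client_keys(text):
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        agent_id, name, ip, key = line.split(None, 3)
        keys.append((agent_id, name, ip, key))
    return keys


def agent_for_source(src_ip, keys):
    """Return (id, name) of the first key entry covering src_ip, or None.
    None is the situation remoted reports as
    "(1213): WARN: Message from <ip> not allowed"."""
    src = ipaddress.ip_address(src_ip)
    for agent_id, name, ip, _key in keys:
        if ip == "any" or src in ipaddress.ip_network(ip, strict=False):
            return agent_id, name
    return None


# 3. Which senders in a capture never got anything back from the server port?
#    Input: `tcpdump -n port 1514` lines like
#    "08:15:15.627737 IP 10.0.1.2.4476 > 10.0.0.1.1514: UDP, length 73"
PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def unanswered_sources(tcpdump_text, port=1514):
    sent, answered = set(), set()
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == port:
            sent.add((src, dst))          # agent -> server
        elif sport == port:
            answered.add((dst, src))      # server -> agent, keyed the same way
    return sorted({src for src, dst in sent if (src, dst) not in answered})


def triage(src_ip, netstat_text, keys_text, tcpdump_text, port=1514):
    """Run the three checks for one agent address; returns a list of findings."""
    findings = []
    if not remoted_listening(netstat_text, port):
        findings.append(f"no ossec-remoted socket on udp/{port}; check the "
                        "<remote><connection>secure</connection> block and restart")
    if agent_for_source(src_ip, parse_client_keys(keys_text)) is None:
        findings.append(f"{src_ip} matches no client.keys entry "
                        "(remoted drops it with warning 1213)")
    if src_ip in unanswered_sources(tcpdump_text, port):
        findings.append(f"{src_ip} sent to udp/{port} but nothing came back")
    return findings


# Constructed samples (not the thread's real addresses or keys).
NETSTAT_SYSLOG_ONLY = """\
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8607/ossec-remoted
"""
NETSTAT_OK = NETSTAT_SYSLOG_ONLY + """\
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           8608/ossec-remoted
"""
CLIENT_KEYS = """\
001 agent001 10.0.1.2 00000000000000000000000000000000
002 lab-net 10.0.2.0/24 11111111111111111111111111111111
"""
TCPDUMP = """\
08:15:15.627737 IP 10.0.1.2.4476 > 10.0.0.1.1514: UDP, length 73
08:15:21.628234 IP 10.0.1.2.4476 > 10.0.0.1.1514: UDP, length 73
08:15:22.100117 IP 10.0.2.7.50321 > 10.0.0.1.1514: UDP, length 73
08:15:22.100634 IP 10.0.0.1.1514 > 10.0.2.7.50321: UDP, length 104
"""

if __name__ == "__main__":
    for ip in ("10.0.1.2", "10.0.2.7", "127.0.0.1"):
        print(ip, triage(ip, NETSTAT_SYSLOG_ONLY, CLIENT_KEYS, TCPDUMP) or ["no finding"])
```

On a real server, feed `triage()` the output of `netstat -ulnp`, the contents of `/var/ossec/etc/client.keys` and a `tcpdump -n port 1514` capture. An empty list means none of the three symptoms visible in this thread is present, and the next thing to compare is the key material on both ends.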