On the server I see the following via tcpdump -ni eth3 'port 1514'

10:21:19.752015 IP 10.100.10.21.55493 > 10.100.10.11.fujitsu-dtcns: UDP, length 73
10:21:25.752227 IP 10.100.10.21.55493 > 10.100.10.11.fujitsu-dtcns: UDP, length 73

I'm reluctant to install wireshark on the agent at this point. No traffic is NATted on this network so all IPs are unique.

On Jan 25, 6:58 pm, BP9906 <[email protected]> wrote:
> Could it be because you have multiple source IPs?
>
> Try creating a new agent on the server and use the subnet.
>
> manage_agents, a, hostname, 192.168.1.0/24, y.
>
> Then import the new key generated and see if that helps. That would
> confirm source IP origination is the problem.
>
> Else, use wireshark or tcpdump on agent and server to look for 1514
> packets sent/received.
>
> On Jan 25, 12:35 pm, Steve Kuntz <[email protected]> wrote:
>
> > I have communication issues between my server and agents.
> >
> > All agents on the server's subnet can connect to the server.
> >
> > I have agents on other subnets which I've tried to configure in
> > different ways and they can't connect to the server
> >
> > 2012/01/25 15:25:51 ossec-agent: INFO: Trying to connect to server
> > (10.100.10.11:1514).
> > 2012/01/25 15:25:51 ossec-agent: INFO: Using IPv4 for: 10.100.10.11 .
> > 2012/01/25 15:26:12 ossec-agent(4101): WARN: Waiting for server reply
> > (not started). Tried: '10.100.10.11'.
> >
> > No entries in the log of the server ossec.log for this.
> > No client firewall running.
> >
> > There is a firewall between the subnets so I opened 1514 between them
> > but I still had the communication issue. I tried to get around this by
> > adding an interface for the other subnets on the ossec server with IPs
> > on those subnets and pointing the agents to the IP on their subnet. I
> > get the same result above. I haven't been able to find anything. Any
> > help is appreciated.
> >
> > OSSEC HIDS v2.6
