Hi Dan,

Thank you very much for your response.
My problem is OK. I found that the error was the device tap0 (virtual bridge). tap0 receives data from XP (not device eth0).

But I have another problem: I'm trying to test a rule using SSHD.
Scenario: ossec server: Ubuntu, and ossec agent: XP (virtual machine)
- I am trying to connect remotely (from Ubuntu) to XP using ssh. On XP, I see the sshd event in Event Viewer.
- But I can't see this event (or ALERT) on the ossec server.

Please help me find a solution.
Thanks again

On May 23, 9:23 pm, "dan (ddp)" <[email protected]> wrote:
> What version of OSSEC (on server and agent)?
>
> Has the agent ever successfully communicated with the server?
>
> Run tcpdump on the server. Can you see the udp packets arriving on
> port 1514? Do you see response packets back to the agent? Are the
> packets from the agent coming in from the correct IP (the correct IP
> is the IP you entered into manage_agents on the server when adding the
> agent)?
>
> Recopy the key from the server to the agent and restart the agent's
> ossec service.
>
> Anything in the server or agent's ossec.log? Try running the ossec
> processes in debug mode. Does anything show up in the logs now?
>
> On Wed, May 23, 2012 at 5:26 AM, hoa nguyen <[email protected]> wrote:
> > I'd tried.
> > But this problem isn't OK yet.
> >
> > Ubuntu and XP virtual machine, two nodes communicate via NIC eth0
> > Please help me find a solution
> > Thanks
> >
> > Hoa
> >
> > On May 23, 3:16 pm, mikes <[email protected]> wrote:
> >> Try it:
> >
> >> /etc/init.d/ossec stop
> >> rm /var/ossec/queue/rids/*
> >> /etc/init.d/ossec start
> >
> >> And check the key for the agent. Try removing the agent from the server and generating a new key;
> >> remember to delete rids/* afterwards
> >
> >> On Wednesday, 11 April 2012 09:59:41 UTC+2, user [email protected]
> >> wrote:
> >
> >> > Hi,
> >> > I have an ossec server on ubuntu, and an agent on windows xp. windows xp
> >> > is a virtual machine.
> >> > At the beginning, everything is OK. But when I change the virtual machine to
> >> > an older snapshot (its agent worked fine when I took this snapshot), the
> >> > agent can not connect to the server any more.
> >> > Its log is as follows:
> >
> >> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
> >> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for
> >> > permission...
> >> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply
> >> > (not started). Tried: '202.197.1.100'.
> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server
> >> > (202.197.1.100:1514).
> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
> >> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply
> >> > (not started). Tried: '202.197.1.100'.
> >
> >> > What's the problem with it?
> >> > Gratitude!
> >
