On Sun, May 27, 2012 at 1:04 PM, hoa nguyen <[email protected]> wrote:
> Hi Dan,
>
> Thank you very much for your response.
> My problem is OK. I found this error: the device tap0 (virtual
> bridge). tap0 receives data from XP (not device eth0).
>
> But I have another problem: I'm trying to test a rule using SSHD.
> Scenario: OSSEC server: Ubuntu and OSSEC agent: XP (virtual machine)
> - I'm trying to connect remotely (from Ubuntu) to XP using ssh. On XP, I
> see the sshd event in Event Viewer.

Are you monitoring that stream (or whatever Event Viewer calls it)? Turn on
the logall option on the OSSEC server, restart the OSSEC processes and try
again. Do you see the log in /var/ossec/logs/archives/archives.log? If not,
then the log isn't making it to the OSSEC server to be processed. If it is,
reply with a copy of the log. We'll use ossec-logtest to see how it is
decoded and to correct any issues.

> - But I can't see this event (or ALERT) on the OSSEC server.

What alert are you expecting?

>
> Please help me find a solution.
>
> Thanks again
>
> On May 23, 9:23 pm, "dan (ddp)" <[email protected]> wrote:
>> What version of OSSEC (on server and agent)?
>>
>> Has the agent ever successfully communicated with the server?
>>
>> Run tcpdump on the server. Can you see the udp packets arriving on
>> port 1514? Do you see response packets back to the agent? Are the
>> packets from the agent coming in from the correct IP (the correct IP
>> is the IP you entered into manage_agents on the server when adding the
>> agent)?
>>
>> Recopy the key from the server to the agent and restart the agent's
>> ossec service.
>>
>> Anything in the server's or agent's ossec.log? Try running the ossec
>> processes in debug mode. Does anything show up in the logs now?
>>
>> On Wed, May 23, 2012 at 5:26 AM, hoa nguyen <[email protected]> wrote:
>> > I've tried.
>> > But this problem isn't OK yet.
>>
>> > Ubuntu and XP virtual machine, two nodes communicate via NIC eth0.
>> > Please help me find a solution.
>> > Thanks
>>
>> > Hoa
>>
>> > On May 23, 3:16 pm, mikes <[email protected]> wrote:
>> >> Try it:
>> >>
>> >> /etc/init.d/ossec stop
>> >> rm /var/ossec/queue/rids/*
>> >> /etc/init.d/ossec start
>> >>
>> >> And check the key for the agent. Try removing the agent from the server and generating a new key;
>> >> remember to delete rids/* afterwards.
>> >>
>> >> On Wednesday, 11 April 2012 09:59:41 UTC+2, user [email protected] wrote:
>> >>
>> >> > Hi,
>> >> > I have an OSSEC server on Ubuntu, and an agent on Windows XP. Windows XP
>> >> > is a virtual machine.
>> >> > At the beginning, everything is OK. But when I change the virtual machine to an
>> >> > older snapshot (its agent worked fine when I took this snapshot), the
>> >> > agent can not connect to the server any more. Its log is as follows:
>> >>
>> >> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
>> >> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for
>> >> > permission...
>> >> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply
>> >> > (not started). Tried: '202.197.1.100'.
>> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server
>> >> > (202.197.1.100:1514).
>> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
>> >> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply
>> >> > (not started). Tried: '202.197.1.100'.
>> >>
>> >> > What's the problem with it?
>> >> > Gratitude!
>> >>
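The troubleshooting steps in this thread (enable logall on the server, look for the agent's lines in archives.log, clear queue/rids/* after the agent's counters have gone out of step) can be scripted so they are repeatable. The block below is an added example written for this page; it is not code from the thread or from the OSSEC project. Every path is a parameter so the helpers can be exercised against constructed files first: on a real server CONF would be /var/ossec/etc/ossec.conf, ARCHIVE would be /var/ossec/logs/archives/archives.log and OSSECDIR would be /var/ossec. The agent name "xp-agent", the IP addresses and the sample ossec.conf and archives.log lines are all constructed for the demo, not captures from the poster's setup.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): helpers for the
# diagnostic steps suggested above, parameterised on paths so they can be
# tried on constructed files before being pointed at a live /var/ossec tree.

# enable_logall CONF
# Make sure the server's <global> section carries <logall>yes</logall>, so
# every log the server receives (alert or not) is written to archives.log.
# An existing <logall> value is rewritten; otherwise the option is inserted
# right after <global>. Returns non-zero if the file has no <global> block.
enable_logall() {
    conf=$1
    tmp="$conf.tmp"
    if grep -q '<logall>' "$conf"; then
        sed 's|<logall>[^<]*</logall>|<logall>yes</logall>|' "$conf" > "$tmp"
    else
        awk '{ print } /<global>/ { print "    <logall>yes</logall>" }' "$conf" > "$tmp"
    fi
    mv "$tmp" "$conf"
    grep -q '<logall>yes</logall>' "$conf"
}

# agent_events ARCHIVE AGENT
# Print the archives.log lines received from agent AGENT. Remote agents are
# recorded as "(agentname) ip->location message"; the server's own logs are
# recorded as "hostname->location message" with no parentheses.
agent_events() {
    grep -F "($2) " "$1"
}

# count_agent_events ARCHIVE AGENT
# Number of such lines. 0 means the agent's logs never reached the server,
# which is the case to chase with tcpdump on udp/1514 before touching rules.
count_agent_events() {
    agent_events "$1" "$2" | wc -l | tr -d ' '
}

# sshd_events ARCHIVE AGENT
# Of those, the ones the poster is after: Event Viewer entries from sshd.
sshd_events() {
    agent_events "$1" "$2" | grep -F 'WinEvtLog' | grep -Fi 'sshd'
}

# reset_rids OSSECDIR
# The "rm /var/ossec/queue/rids/*" step: rids holds the per-agent message
# counters, and rolling a VM back to a snapshot leaves the server with a
# counter the agent no longer matches. Run only while ossec is stopped.
reset_rids() {
    rids="$1/queue/rids"
    [ -d "$rids" ] || return 1
    rm -f "$rids"/*
    [ -z "$(ls -A "$rids")" ]
}

# write_samples DIR
# Constructed ossec.conf, archives.log and rids file (not real captures).
write_samples() {
    mkdir -p "$1/queue/rids"
    : > "$1/queue/rids/001"
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
EOF
    cat > "$1/archives.log" <<'EOF'
2012 May 27 13:04:51 (xp-agent) 192.168.56.101->WinEvtLog WinEvtLog: Application: INFORMATION(0): sshd: (no user): no domain: XP-VM: Accepted password for hoa from 192.168.56.1 port 50432 ssh2
2012 May 27 13:04:52 (xp-agent) 192.168.56.101->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(528): Security: hoa: XP-VM: XP-VM: Successful Logon
2012 May 27 13:04:55 ubuntu->/var/log/auth.log May 27 13:04:55 ubuntu sshd[2210]: Accepted publickey for dan from 10.0.0.2 port 51000 ssh2
EOF
}

# Dry run on the constructed files.
d=$(mktemp -d)
write_samples "$d"
enable_logall "$d/ossec.conf" && echo "logall enabled in $d/ossec.conf"
echo "events from xp-agent: $(count_agent_events "$d/archives.log" xp-agent)"
sshd_events "$d/archives.log" xp-agent
reset_rids "$d" && echo "rids cleared"
rm -rf "$d"
```

Each sshd line that agent_events prints is what to paste into ossec-logtest (without the leading timestamp and "(agent) ip->location" prefix) to see which decoder and rule it hits; if count_agent_events is 0 after logall is on and the processes have been restarted, the problem is transport, not rules.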
