You're missing ossec-remoted

On Jul 26, 2012 6:02 PM, "William Lindfors" <[email protected]> wrote:
> The list below is what I got when I ran the command. I even rebooted the
> ossec server and the list stated the same. I don’t know what services need
> to be running. Does the list below look ok?
>
> ossecm 24686 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-csyslogd
> ossecm 24690 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-maild
> root 24694 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-execd
> ossec 24698 1 0 00:42 ? 00:00:05 /var/ossec/bin/ossec-analysisd
> root 24702 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-logcollector
> root 24714 1 0 00:42 ? 00:00:18 /var/ossec/bin/ossec-syscheckd
> ossec 24718 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-monitord
> root 29455 29425 0 17:49 pts/1 00:00:00 grep ossec
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Scott Klauminzer
> *Sent:* Thursday, July 26, 2012 2:26 PM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> Did you verify that all ossec services stopped before restarting?
>
> I had this issue previously, and one of the services was hanging and not
> allowing the restart to function.
>
> run: ps -eaf | grep ossec
>
> On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:
>
> Here is a screen capture of what I'm talking about. Thx.
>
> <image001.png>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 1:08 PM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors <[email protected]> wrote:
> > How do I get all the agents back online? I stopped and started the
> > service, but they all remain red and I am getting the following message:
>
> Red? What are you seeing red in?
>
> > 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> > Location: profim01->/var/log/secure
> > Src IP: UNKNOWN
> > Possible attack on the ssh server (or version gathering).
>
> This looks unrelated. There should be a log message that goes with that.
>
> Check the ossec.log on the manager and the agents to see if there are any
> log messages about why they are disconnected. Double check with
> `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of
> your agents been connected at some point?
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: Thursday, July 26, 2012 9:02 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
> >
> > On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors <[email protected]> wrote:
> >> Latest events
> >>
> >> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
> >> Location: profim01->/var/log/secure
> >> Src IP: UNKNOWN
> >> Possible attack on the ssh server (or version gathering).
> >
> > What's the question exactly?
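
The check discussed in this thread (compare the `ps -eaf` listing against the daemons a manager needs) as an added example that is not part of the original messages or of OSSEC itself. The `EXPECTED` list is an assumption based on the default manager daemon set, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which expected OSSEC manager daemons are absent
# from `ps -eaf` output.
# Assumption: EXPECTED is the default manager daemon set. Optional daemons
# (for example ossec-csyslogd) are not required and are not listed.
EXPECTED="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd"
OSSEC_BIN="/var/ossec/bin"   # install path as shown in the thread

# Reads `ps -eaf` output on stdin, prints one missing daemon name per line.
missing_ossec_daemons() {
    awk -v expected="$EXPECTED" -v bin="$OSSEC_BIN" '
        BEGIN { n = split(expected, want, " "); prefix = bin "/" }
        {
            # Field 8 of `ps -eaf` is the command. Matching on it (not on
            # the whole line) ignores the "grep ossec" process itself.
            cmd = $8
            if (index(cmd, prefix) == 1)
                running[substr(cmd, length(prefix) + 1)] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in running)) print want[i]
        }'
}

# Process listing taken from the thread, whitespace normalised.
sample_ps() {
cat <<'EOF'
ossecm 24686 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-csyslogd
ossecm 24690 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-maild
root 24694 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 24698 1 0 00:42 ? 00:00:05 /var/ossec/bin/ossec-analysisd
root 24702 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-logcollector
root 24714 1 0 00:42 ? 00:00:18 /var/ossec/bin/ossec-syscheckd
ossec 24718 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-monitord
root 29455 29425 0 17:49 pts/1 00:00:00 grep ossec
EOF
}

# Run against the sample; on a live manager use: ps -eaf | missing_ossec_daemons
sample_ps | missing_ossec_daemons
```

An empty result means every daemon in `EXPECTED` was found in the listing.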
