When I've had problems getting ossec-remoted to start, it's been because the 
port it listens on is already in use.

You should be able to see that by watching the console as you start up the 
services or checking the logs.

Or look for the port in use by using netstat or lsof.
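As an added example (not code from the thread), a small script that automates the two checks the replies above describe: which OSSEC manager daemons are absent from a `ps -eaf` listing, and which process already holds the port ossec-remoted needs. It assumes the manager daemon list below, 1514/udp as remoted's default agent port, and uses `ss -lunp` output in place of netstat/lsof; the sample inputs are constructed (the ps listing is the one posted in the thread).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: OSSEC_DAEMONS is the
# expected manager daemon set; 1514/udp is remoted's default agent port.

OSSEC_DAEMONS="ossec-remoted ossec-analysisd ossec-logcollector \
ossec-syscheckd ossec-monitord ossec-execd ossec-maild"

# Constructed sample: the listing posted in the thread (ossec-remoted absent).
SAMPLE_PS='ossecm   24686     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-csyslogd
ossecm   24690     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-maild
root     24694     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec    24698     1  0 00:42 ?        00:00:05 /var/ossec/bin/ossec-analysisd
root     24702     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-logcollector
root     24714     1  0 00:42 ?        00:00:18 /var/ossec/bin/ossec-syscheckd
ossec    24718     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-monitord
root     29455 29425  0 17:49 pts/1    00:00:00 grep ossec'

# Constructed sample `ss -lunp` output: another daemon already bound 1514/udp.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:1514      0.0.0.0:*     users:(("syslog-ng",pid=1234,fd=7))
UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=987,fd=6))'

# missing_daemons: read a ps listing on stdin; print each expected daemon
# that has no /var/ossec/bin/<daemon> process line.
missing_daemons() {
    ps_out=$(cat)
    for d in $OSSEC_DAEMONS; do
        printf '%s\n' "$ps_out" | grep -Eq "/var/ossec/bin/$d([[:space:]]|\$)" \
            || echo "$d"
    done
}

# port_holder PORT: read `ss -lunp` output on stdin; print "name pid=N" for
# the process bound to PORT, or return 1 when nothing holds it.
port_holder() {
    out=$(awk -v p="$1" '$4 ~ (":" p "$")' \
        | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\1 pid=\2/p')
    [ -n "$out" ] && echo "$out"
}

# Run both checks against the constructed samples.
printf '%s\n' "$SAMPLE_PS" | missing_daemons
printf '%s\n' "$SAMPLE_SS" | port_holder 1514 || echo "port 1514/udp is free"
```

On a real manager, feed `ps -eaf` and `ss -lunp` into the two functions instead of the samples.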

From: "dan (ddp)" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, July 26, 2012 3:11 PM
To: "[email protected]" <[email protected]>
Subject: RE: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?


You're missing ossec-remoted

On Jul 26, 2012 6:02 PM, "William Lindfors" <[email protected]> wrote:
The list below is what I got when I ran the command. I even rebooted the ossec 
server and the list stayed the same.  I don't know what services need to be 
running. Does the list below look ok?


ossecm   24686     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-csyslogd
ossecm   24690     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-maild
root     24694     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec    24698     1  0 00:42 ?        00:00:05 /var/ossec/bin/ossec-analysisd
root     24702     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-logcollector
root     24714     1  0 00:42 ?        00:00:18 /var/ossec/bin/ossec-syscheckd
ossec    24718     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-monitord
root     29455 29425  0 17:49 pts/1    00:00:00 grep ossec


From: [email protected] [mailto:[email protected]] On Behalf Of Scott Klauminzer
Sent: Thursday, July 26, 2012 2:26 PM
To: [email protected]
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

Did you verify that all ossec services stopped before restarting?

I had this issue previously, and one of the services was hanging and not 
allowing the restart to function.

run: ps -eaf | grep ossec


On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:


Here is a screen capture of what I'm talking about. Thx.

<image001.png>

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, July 26, 2012 1:08 PM
To: [email protected]
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors <[email protected]> wrote:
> How do I get all the agents back online?  I stopped and started the service, 
> but they all remain red and I am getting the following message:
>

Red? What are you seeing red in?

>
> 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> Location: profim01->/var/log/secure
> Src IP: UNKNOWN
> Possible attack on the ssh server (or version gathering).
>
>

This looks unrelated. There should be a log message that goes with that.

Check the ossec.log on the manager and the agents to see if there are any log 
messages about why they are disconnected. Double check with 
`/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your 
agents been connected at some point?

>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 9:02 AM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors <[email protected]> wrote:
>>
>> Latest events
>>
>> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
>> Location: profim01->/var/log/secure
>> Src IP: UNKNOWN
>> Possible attack on the ssh server (or version gathering).
>
> What's the question exactly?
