One last thing...

% /var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.6 Stopped
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
*OSSEC analysisd: Testing rules failed. Configuration error. Exiting.* <-- LIES
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@bos-ossec01][/var/ossec/bin] % ps auwwx | grep analysisd
ossec    14415  0.3  0.2  14032  2320 ?        S    22:46   0:00 /var/ossec/bin/ossec-analysisd
root     14438  0.0  0.0   7548   836 pts/4    S+   22:46   0:00 grep analysisd
[root@bos-ossec01][/var/ossec/bin] %
On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
> Hi Adriel
>
> Gotcha, sorry, I didn't phrase the question right, but you answered it right.
>
> Have you been able to turn on debug mode to see if you can see
> anything there? Anything that would help understand the failed comm
> attempts?
>
> Thanks
>
>> Adriel Desautels <mailto:[email protected]>
>> August 16, 2012 6:43 PM
>> So, the server (10.5.4.1) is a pfsense firewall. It is sending all
>> of its syslog data to the OSSEC server on UDP 514. Every time the
>> OSSEC server receives a syslog message it generates the error
>> "2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1
>> not allowed."
>>
>> So, yes, pfsense is sending on UDP 514 and is being received by UDP
>> 514 on the OSSEC box. So based on the error I don't think it's a
>> network issue, but an OSSEC issue.
>>
>> Help?
>>
>>
>>
>> On 8/16/12 9:30 PM, Tony Perez, PMP wrote:
>>
>> Tony Perez, PMP <mailto:[email protected]>
>> August 16, 2012 6:30 PM
>> Hi Adriel
>>
>> You have the same port set on both the Agent and Server? Which server
>> does this ossec.conf belong to?
>>
>> Thanks
>>
>> Tony
>>
>> Adriel Desautels <mailto:[email protected]>
>> August 16, 2012 6:25 PM
>> I have the following in ossec.conf:
>>
>> .
>> .
>> .
>> <remote>
>> <connection>syslog</connection>
>> <allowed-ips>10.5.4.1</allowed-ips>
>> <port>514</port>
>> </remote>
>>
>> <remote>
>> <connection>secure</connection>
>> </remote>
>> .
>> .
>> .
>>
>> And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
>>
>> WARN: Message from 10.5.4.1 not allowed.
>>
>>
>> Am I missing something?
>>
>> And yes... I've restarted the server.
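To make the allow-list semantics behind that warning concrete, here is an added example that is not OSSEC's own code and not from anyone in the thread: a small stand-alone Python re-implementation of the source-address check that remoted applies to incoming syslog. It parses the <remote> blocks out of a constructed ossec.conf fragment (the same two blocks quoted above, wrapped in a dummy root element so ElementTree accepts a rootless fragment) and reports whether a datagram from a given source address on a given port would be accepted. The three rule forms it honours (exact address, trailing-dot prefix such as 10.5.4., CIDR such as 10.5.4.0/24), the precedence of denied-ips over allowed-ips, and the default ports (514 for syslog, 1514 for secure) are assumptions about OSSEC 2.x behaviour; the function names and the second, prefix-and-CIDR fragment are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the two <remote> blocks quoted in the thread.
SAMPLE_CONF = """
<remote>
  <connection>syslog</connection>
  <allowed-ips>10.5.4.1</allowed-ips>
  <port>514</port>
</remote>

<remote>
  <connection>secure</connection>
</remote>
"""

# Hypothetical fragment exercising the prefix, CIDR and denied-ips forms.
PREFIX_AND_CIDR_CONF = """
<remote>
  <connection>syslog</connection>
  <allowed-ips>10.5.4.</allowed-ips>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <denied-ips>192.168.1.13</denied-ips>
</remote>
"""

# Assumed OSSEC 2.x defaults when <port> is omitted.
DEFAULT_PORT = {"syslog": 514, "secure": 1514}


def parse_remote_blocks(conf_text):
    """Return one dict per <remote> block, in file order.

    ossec.conf fragments have no single document root, so the text is wrapped
    in one before handing it to ElementTree.
    """
    root = ET.fromstring("<ossec_config>" + conf_text + "</ossec_config>")
    blocks = []
    for rem in root.findall("remote"):
        connection = (rem.findtext("connection") or "").strip()
        port_text = (rem.findtext("port") or "").strip()
        blocks.append({
            "connection": connection,
            "port": int(port_text) if port_text else DEFAULT_PORT.get(connection),
            "allowed": [e.text.strip() for e in rem.findall("allowed-ips") if e.text],
            "denied": [e.text.strip() for e in rem.findall("denied-ips") if e.text],
        })
    return blocks


def ip_matches(rule, src_ip):
    """Match one allowed-ips/denied-ips rule against a source address.

    Assumed rule forms: exact address, trailing-dot prefix ("10.5.4."),
    or CIDR ("10.5.4.0/24").
    """
    addr = ipaddress.ip_address(src_ip)
    if rule.endswith("."):
        return src_ip.startswith(rule)
    if "/" in rule:
        return addr in ipaddress.ip_network(rule, strict=False)
    return addr == ipaddress.ip_address(rule)


def syslog_source_allowed(blocks, src_ip, port=514):
    """Decide whether a syslog datagram from src_ip to `port` passes the list.

    Only <remote> blocks with <connection>syslog</connection> on that port are
    consulted; a secure block never admits plain syslog. A denied rule wins
    over an allowed one, and no matching allowed rule means "not allowed".
    """
    for b in blocks:
        if b["connection"] != "syslog" or b["port"] != port:
            continue
        if any(ip_matches(r, src_ip) for r in b["denied"]):
            return False
        if any(ip_matches(r, src_ip) for r in b["allowed"]):
            return True
    return False


def explain(conf_text, src_ip, port=514):
    """Produce the same verdict remoted logs, as a quick config sanity check."""
    ok = syslog_source_allowed(parse_remote_blocks(conf_text), src_ip, port)
    return "allowed" if ok else "WARN: Message from %s not allowed." % src_ip


if __name__ == "__main__":
    for ip in ("10.5.4.1", "10.5.4.2"):
        print(ip, "->", explain(SAMPLE_CONF, ip))
    for ip in ("10.5.4.200", "192.168.1.7", "192.168.1.13"):
        print(ip, "->", explain(PREFIX_AND_CIDR_CONF, ip))
```

Running it against the quoted config answers "allowed" for 10.5.4.1 on 514 and the warning text for any other address, which is the behaviour the posted blocks should produce; when the live server disagrees, the config it actually loaded is the first thing to compare. Note also what the list keys on: syslog arrives over UDP, so the only thing checked is the source address of the datagram. A spoofed source passes it, so allowed-ips is a filter, not authentication of the sender.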
