On Thu, Aug 16, 2012 at 10:47 PM, Adriel Desautels <[email protected]> wrote:

> One last thing...
>
> % /var/ossec/bin/ossec-control restart
> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> Killing ossec-remoted ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> Killing ossec-execd ..
> OSSEC HIDS v2.6 Stopped
> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
> *OSSEC analysisd: Testing rules failed. Configuration error. Exiting.*   <-- LIES
> It's a known bug with 2.6. The fix has been posted numerous times in the mailing list.
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
> [root@bos-ossec01][/var/ossec/bin]
> % ps auwwx | grep analysisd
> ossec    14415  0.3  0.2  14032  2320 ?        S    22:46   0:00 /var/ossec/bin/ossec-analysisd
> root     14438  0.0  0.0   7548   836 pts/4    S+   22:46   0:00 grep analysisd
> [root@bos-ossec01][/var/ossec/bin]
> %
>
> On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
>
> Hi Adriel
>
> Gotcha, sorry didn't phrase the question right, but you answered it right.
>
> Have you been able to turn on debug mode to see if you can see anything
> there? Anything that would help understand the failed comm attempts?
>
> Thanks
>
> Adriel Desautels <[email protected]>
> August 16, 2012 6:43 PM
>
> So, the server (10.5.4.1) is a pfsense firewall. It is sending all of
> its syslog data to the OSSEC server on UDP 514. Every time the OSSEC
> server receives a syslog message it generates the error "2012/08/16
> 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed."
>
> So, yes, pfsense is sending on UDP 514 and is being received by UDP 514 on
> the OSSEC box. So based on the error I don't think it's a network issue,
> but an OSSEC issue.
>
> Help?
>
> On 8/16/12 9:30 PM, Tony Perez, PMP wrote:
>
> Tony Perez, PMP <[email protected]>
> August 16, 2012 6:30 PM
>
> Hi Adriel
>
> You have the same port set on both the Agent and Server? Which server does
> this ossec.conf belong to?
>
> Thanks
>
> Tony
>
> Adriel Desautels <[email protected]>
> August 16, 2012 6:25 PM
>
> I have the following in ossec.conf:
>
> .
> .
> .
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>10.5.4.1</allowed-ips>
>   <port>514</port>
> </remote>
>
> <remote>
>   <connection>secure</connection>
> </remote>
> .
> .
> .
>
> And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
>
> WARN: Message from 10.5.4.1 not allowed.
>
> Am I missing something?
>
> And yes... I've restarted the server.
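As an added example for this thread (it is not code from the original posts or from OSSEC itself): a small Python checker that reads the <remote> blocks of an ossec.conf, collects the <allowed-ips> entries of the syslog listener, and cross-checks them against the source addresses named in ossec-remoted's "not allowed" warnings. The sample config and log lines below are constructed from what is quoted above; the CIDR handling, the dummy XML root wrapper and the verdict wording are the example's own assumptions, not documented OSSEC behaviour.

```python
"""
Cross-check ossec-remoted "Message from X not allowed." warnings against the
<allowed-ips> entries of the syslog <remote> block(s) in ossec.conf.
Added example for the mailing-list thread; not OSSEC's own code.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the fragment posted in the thread.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.5.4.1</allowed-ips>
    <port>514</port>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Constructed sample ossec.log lines in the format quoted in the thread.
SAMPLE_LOG = """\
2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed.
2012/08/16 21:41:04 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed.
2012/08/16 21:41:09 ossec-remoted(1213): WARN: Message from 10.5.4.77 not allowed.
2012/08/16 21:41:10 ossec-analysisd: INFO: Started (pid: 14415).
"""

WARN_RE = re.compile(r"ossec-remoted\(\d+\): WARN: Message from (\S+) not allowed\.")


def parse_allowed_ips(conf_text):
    """Return the allowed-ips networks of every syslog <remote> block.

    ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML, so the text is wrapped in a dummy root (assumption
    of this checker) before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    nets = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", default="").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            text = (entry.text or "").strip()
            if text:
                # Accepts both a single host ("10.5.4.1") and a CIDR
                # ("10.5.4.0/24"); strict=False tolerates host bits in a network.
                nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def is_allowed(src, nets):
    """True if src falls inside any allowed-ips entry."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def denied_sources(log_text):
    """Count 'not allowed' warnings per source address."""
    counts = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def cross_check(conf_text, log_text):
    """Map each denied source to (warning count, allowed by this config?)."""
    nets = parse_allowed_ips(conf_text)
    return {src: (n, is_allowed(src, nets))
            for src, n in denied_sources(log_text).items()}


if __name__ == "__main__":
    for src, (n, ok) in sorted(cross_check(SAMPLE_CONF, SAMPLE_LOG).items()):
        if ok:
            verdict = ("listed in allowed-ips, so the ossec-remoted that logged this "
                       "is not running with this config (check which ossec.conf it "
                       "loaded and that it really restarted)")
        else:
            verdict = "not in allowed-ips: add it (or a covering CIDR) to the syslog <remote> block"
        print(f"{src}: {n} warning(s); {verdict}")
```

Run it against the real files by replacing the two constructed samples with the contents of /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log. A source that the loaded config already allows but that remoted still rejects (the situation in the thread) points at the daemon not reading the file you edited, or not having been restarted, rather than at the allowed-ips value itself.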
