On Mon, Sep 3, 2012 at 1:49 PM, tstoneami <[email protected]> wrote:
> Here is a summary:
>
>
> I have a Windows 7 system with VM player, a Linux OSSEC server VM, a Windows
> OSSEC Client.
>
> My goal ultimately is to monitor a log file and send alerts when certain
> text shows up..when I add this to the ossec.config file,
> it never shows up in the ossec.log like the other files do - but I am
> wondering if I am having another problem altogether here.
>
> It looks like it connects...it will connect to any agent I set up in manage
> agents on the OSSEC server, referencing it in the dialogue box.
>
>
> (xxxServer is the agent setup on the
> 2012/09/01 10:31:03 ossec-agent: INFO: No previous counter available for
> 'xxxServer'.
> 2012/09/01 10:31:03 ossec-agent: INFO: Assigning counter for agent
> xxxServer: '0:0'.
> 2012/09/01 10:31:03 ossec-agent: INFO: Assigning sender counter: 0:604
> 2012/09/01 10:31:03 ossec-agent: INFO: Trying to connect to server
> (192.168.41.130:1514).
> 2012/09/01 10:31:03 ossec-agent: INFO: Using IPv4 for: 192.168.41.130 .
>
> then, later on in the log...
>
> 2012/09/01 10:31:27 c Tried: '192.168.41.130'.
> 2012/09/01 10:31:29 ossec-agent: INFO: Trying to connect to server
> (192.168.41.130:1514).
> 2012/09/01 10:31:29 ossec-agent: INFO: Using IPv4 for: 192.168.41.130 .
> 2012/09/01 10:31:50 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '192.168.41.130'.
>
> And it will keep re-trying.
>

I'll hold your hand:
Does the OSSEC server see the traffic from the agent?
Do the replies make it from the server to the agent?
Are there any logs related to the agent IP in the server's ossec.log?
When you set up the agent in manage_agents on the server, did you input a
unique IP address (no other agents can use the same IP), or any, or a CIDR?

> The IP here is the one returned by ifconfig on the Linux VM. I can ping it
> successfully from the Windows VM.
>
> I CANNOT ping the IP on the OSSEC Client system from the Linux VM, but I can
> ping the Default Gateway.
>
> I am set to NAT on the VM NICS.
>
>
>>>>IPCONFIG ON THE OSSEC CLIENT
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : xxx.com
> IPv4 Address. . . . . . . . . . . : 192.168.41.129
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.41.2
>
> Tunnel adapter isatap.electridion.com:
>
> Media State . . . . . . . . . . . : Media disconnected
> Connection-specific DNS Suffix . : xxx.com
>
> Tunnel adapter Local Area Connection* 9:
>
> Connection-specific DNS Suffix . :
> IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:1c6a:20e4:3f57:d67e
> Link-local IPv6 Address . . . . . : fe80::1c6a:20e4:3f57:d67e%12
> Default Gateway . . . . . . . . . : ::
>
>
>>>>>IPCONFIG ON HOST SYSTEM:
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : xxx.com
> IPv4 Address. . . . . . . . . . . : 192.168.41.129
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.41.2
>
> Tunnel adapter isatap.electridion.com:
>
> Media State . . . . . . . . . . . : Media disconnected
> Connection-specific DNS Suffix . : xxx.com
>
> Tunnel adapter Local Area Connection* 9:
>
> Connection-specific DNS Suffix . :
> IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:1c6a:20e4:3f57:d67e
> Link-local IPv6 Address . . . . . : fe80::1c6a:20e4:3f57:d67e%12
> Default Gateway . . . . . . . . . : ::
>
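
The last question in the reply (unique IP, any, or CIDR) can be checked against the server's client.keys. This is an added example, not part of the thread: it assumes the usual `ID NAME ADDRESS KEY` line layout, and every entry in the sample, including the agent names other than xxxServer and all key values, is constructed.

```python
import ipaddress

# Constructed sample, assumed layout: ID NAME ADDRESS KEY (keys are placeholders)
SAMPLE_KEYS = """\
001 xxxServer 192.168.41.129 0000placeholderkey0000
002 labhost 192.168.41.129 1111placeholderkey1111
003 roaming any 2222placeholderkey2222
004 branch 10.20.0.0/16 3333placeholderkey3333
"""

def parse_keys(text):
    """Return (id, name, address) tuples, skipping blank or short lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            entries.append((parts[0], parts[1], parts[2]))
    return entries

def allows(address, source_ip):
    """True if an agent entry's address field admits this source IP."""
    if address.lower() == "any":
        return True
    try:
        # A bare IP parses as a single-host network; a CIDR as a range.
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False
    return ipaddress.ip_address(source_ip) in net

def matching_agents(entries, source_ip):
    """Names of the agents whose entry would accept traffic from source_ip."""
    return [name for _, name, addr in entries if allows(addr, source_ip)]

def duplicate_addresses(entries):
    """Fixed (non-any, non-CIDR) addresses registered to more than one agent."""
    seen = {}
    for _, name, addr in entries:
        if addr.lower() != "any" and "/" not in addr:
            seen.setdefault(addr, []).append(name)
    return {a: names for a, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    entries = parse_keys(SAMPLE_KEYS)
    # Source IP as the server sees it, e.g. taken from a packet capture.
    for ip in ("192.168.41.129", "192.168.41.2"):
        print(ip, "->", matching_agents(entries, ip))
    print("shared fixed addresses:", duplicate_addresses(entries))
```

Feed it the source address the server actually observes for the agent's packets, which behind NAT may not be the address ipconfig reports on the client.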
