On Nov 8, 2012, at 8:18 AM, dan (ddp) wrote:

> Funny time to be upgrading...

Why? I like to keep my software up-to-date!

>> <remote>
>>   <connection>syslog</connection>
>>   <allowed-ips>0.0.0.0/0</allowed-ips>
>> </remote>
>
> Is that exact? I have no idea if 0.0.0.0/0 will actually work or not.

Yes, that is correct and is unchanged from 2.5.1.

>> Netstat/lsof/ps shows that ossec-remoted has the connection open. I am
>> getting local syslog information, just not remote.
>
> So ossec-remoted is listening to udp 514?

Yes

> Turn on the log all option, do you see the log entries in archives.log?

I already have it on, and no, I do not see log entries in archives.log.

> Run tcpdump, do the log messages make it to the OSSEC server (on udp 514)?

No need to run tcpdump since this is only an ossec upgrade. But, here it is, anyway:

# tcpdump -i en0 udp and port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:39:28.903939 IP 10.XXX.XXX.XXX.57978 > 10.XXX.XXX.XXX.syslog: SYSLOG unknown (24).info, length: 124

> Run ossec-remoted with debugging turned on, any messages of interest?

Here's the log. Notice the "dummy" agent -- I created that so that I wouldn't get messages about no agents and remoted exiting. I see that it ignored my -f.

# bin/ossec-remoted -f -d
2012/11/08 06:34:48 ossec-remoted: DEBUG: Starting ...
2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4250).
2012/11/08 06:34:48 ossec-remoted: DEBUG: Forking remoted: '0'.
2012/11/08 06:34:48 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4251).
2012/11/08 06:34:48 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '6400'.
2012/11/08 06:34:48 ossec-remoted: DEBUG: Forking remoted: '1'.
2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4252).
2012/11/08 06:34:48 ossec-remoted: DEBUG: Running manager_init
2012/11/08 06:34:48 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '6400'.
2012/11/08 06:34:48 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2012/11/08 06:34:48 ossec-remoted(1410): INFO: Reading authentication keys file.
2012/11/08 06:34:48 ossec-remoted: DEBUG: OS_StartCounter.
2012/11/08 06:34:48 ossec-remoted: OS_StartCounter: keysize: 1
2012/11/08 06:34:48 ossec-remoted: INFO: No previous counter available for 'dummy'.
2012/11/08 06:34:48 ossec-remoted: INFO: Assigning counter for agent dummy: '0:0'.
2012/11/08 06:34:48 ossec-remoted: INFO: No previous sender counter.
2012/11/08 06:34:48 ossec-remoted: INFO: Assigning sender counter: 0:0
2012/11/08 06:34:48 ossec-remoted: DEBUG: OS_StartCounter completed.

> Make sure the host doesn't have a firewall blocking the traffic.

Nope:

# ipfw list
33300 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any

Thanks for your suggestions; got any others?

Scott
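The troubleshooting steps above (is remoted listening on udp/514, does the datagram arrive, is the source permitted by `<allowed-ips>`) can be exercised without touching ossec-remoted at all. The script below is an added example written for this page; it is not code from the OSSEC project or from anyone in the thread. It builds an RFC 3164 syslog datagram, decodes the PRI field the way tcpdump does (the capture's "SYSLOG unknown (24).info" is tcpdump's rendering of facility 24 and severity 6, i.e. PRI 198, and 24 is outside the 0-23 range RFC 3164 defines), checks a source address against an `<allowed-ips>` style list, and either fires the datagram at a real collector or receives it back on a loopback socket so the socket path itself can be verified offline. Port 514 and `0.0.0.0/0` come from the thread; the hostnames, tags, the treatment of a bare address as a /32, and the short facility names are assumptions of this example, and nothing here claims to reproduce OSSEC's own parsing.

```python
"""Syslog-over-UDP test helpers for checking the path into a collector.

Added example, not code from the OSSEC project or from the thread.
Builds an RFC 3164 datagram, decodes its PRI field, checks a source IP
against an <allowed-ips> style list, and sends the datagram either to a
real collector (default udp/514) or to a loopback receiver for an
offline round trip. Facility short names, the /32 rule for bare
addresses and the sample hostnames are assumptions of this example.
"""
import ipaddress
import re
import socket

# RFC 3164 section 4.1.1 defines facilities 0-23 and severities 0-7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_message(facility, severity, timestamp, hostname, tag, text):
    """Return an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    timestamp is the 'Mmm dd hh:mm:ss' form with a space-padded day.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("ascii")


def decode_pri(datagram):
    """Split the PRI field into (facility, severity, facility_name, standard).

    standard is False when the facility is outside 0-23; tcpdump prints
    such a facility as 'unknown (N)'. Returns None if there is no PRI.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    standard = facility < len(FACILITIES)
    name = FACILITIES[facility] if standard else "unknown"
    return facility, severity, name, standard


def allowed(src_ip, allowed_ips):
    """Mimic <allowed-ips>: entries are 'a.b.c.d' or 'a.b.c.d/bits'.

    A bare address is treated as a /32 (assumption of this example).
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed_ips)


def send(datagram, host, port=514):
    """Send one UDP datagram to a collector; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(datagram, (host, port))


def loopback_roundtrip(datagram, timeout=2.0):
    """Receive our own datagram on an ephemeral 127.0.0.1 port.

    Shows the socket path works without any collector; returns (data, src).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send(datagram, "127.0.0.1", port)
        return rx.recvfrom(65535)


if __name__ == "__main__":
    # Constructed sample: user.info from a made-up host, round-tripped locally.
    msg = build_message(1, 6, "Nov  8 06:39:28", "testhost", "ossec-test", "remote syslog check")
    data, src = loopback_roundtrip(msg)
    print("received", data, "from", src, "decoded PRI", decode_pri(data))
    print("source permitted by 0.0.0.0/0:", allowed(src[0], ["0.0.0.0/0"]))
    # To probe a real collector instead: send(msg, "10.0.0.1")  # udp/514
```

To test the actual server, replace the loopback call with `send(msg, "<server>")`, run `tcpdump -i en0 udp and port 514` on the OSSEC host as in the thread, and look for the datagram in archives.log; `decode_pri` on a captured payload tells you whether the sender's facility is one the RFC defines before you start suspecting the collector.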
