On Thu, Nov 8, 2012 at 9:43 AM, Scott Nelson <[email protected]> wrote:
>
> On Nov 8, 2012, at 8:18 AM, dan (ddp) wrote:
>
>> Funny time to be upgrading...
>
> Why? I like to keep my software up-to-date!
>

2.7 has entered release candidate stage.

>>> <remote>
>>>   <connection>syslog</connection>
>>>   <allowed-ips>0.0.0.0/0</allowed-ips>
>>> </remote>
>>
>> Is that exact? I have no idea if 0.0.0.0/0 will actually work or not.
>
> Yes, that is correct and is unchanged from 2.5.1.
>
>>> Netstat/lsof/ps shows that ossec-remoted has the connection open. I am
>>> getting local syslog information, just not remote.
>>
>> So ossec-remoted is listening to udp 514?
>
> Yes.
>
>> Turn on the log all option, do you see the log entries in archives.log?
>
> I already have it on, and no, I do not see log entries in archives.log.
>
>> Run tcpdump, do the log messages make it to the OSSEC server (on udp 514)?
>
> No need to run tcpdump since this is only an ossec upgrade. But, here it is,
> anyway:
>

I don't understand why there was no need. Something's not working, it's an
easy check, why not do it?

> # tcpdump -i en0 udp and port 514
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 06:39:28.903939 IP 10.XXX.XXX.XXX.57978 > 10.XXX.XXX.XXX.syslog: SYSLOG
> unknown (24).info, length: 124
>
>> Run ossec-remoted with debugging turned on, any messages of interest?
>
> Here's the log. Notice the "dummy" agent -- I created that so that I
> wouldn't get messages about no agents and remoted exiting. I see that it
> ignored my -f.

Yeah, -f doesn't work. I've removed it from the documentation. Luckily
ossec.log should capture most of the important logs.

If you don't have any agents, why have the secure remote method active?

>
> # bin/ossec-remoted -f -d
> 2012/11/08 06:34:48 ossec-remoted: DEBUG: Starting ...
> 2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4250).
> 2012/11/08 06:34:48 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2012/11/08 06:34:48 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> 2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4251).
> 2012/11/08 06:34:48 2012/11/08 06:34:48 ossec-remoted: INFO: (unix_domain)
> Maximum send buffer set to: '6400'.
> ossec-remoted: DEBUG: Forking remoted: '1'.
> 2012/11/08 06:34:48 ossec-remoted: INFO: Started (pid: 4252).
> 2012/11/08 06:34:48 ossec-remoted: DEBUG: Running manager_init
> 2012/11/08 06:34:48 ossec-remoted: INFO: (unix_domain) Maximum send buffer
> set to: '6400'.
> 2012/11/08 06:34:48 ossec-remoted(4111): INFO: Maximum number of agents
> allowed: '256'.
> 2012/11/08 06:34:48 ossec-remoted(1410): INFO: Reading authentication keys
> file.
> 2012/11/08 06:34:48 ossec-remoted: DEBUG: OS_StartCounter.
> 2012/11/08 06:34:48 ossec-remoted: OS_StartCounter: keysize: 1
> 2012/11/08 06:34:48 ossec-remoted: INFO: No previous counter available for
> 'dummy'.
> 2012/11/08 06:34:48 ossec-remoted: INFO: Assigning counter for agent dummy:
> '0:0'.
> 2012/11/08 06:34:48 ossec-remoted: INFO: No previous sender counter.
> 2012/11/08 06:34:48 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2012/11/08 06:34:48 ossec-remoted: DEBUG: OS_StartCounter completed.
>
>
>> Make sure the host doesn't have a firewall blocking the traffic.
>
> Nope:
>
> # ipfw list
> 33300 deny log icmp from any to me in icmptypes 8
> 65535 allow ip from any to any
>
>
> Thanks for your suggestions; got any others?
>
>
>
> Scott
>
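Added example, not part of this thread and not OSSEC code: a small Python
probe for the check being argued about above. It builds an RFC 3164 syslog
datagram with a known marker, sends it over UDP to the OSSEC server, and
decodes the <PRI> header the way tcpdump renders it, so the "unknown
(24).info" in the capture can be read as facility 24 / severity 6 (facilities
are only defined for 0-23). The server address, port 514, the marker text and
the archives.log path (/var/ossec/logs/archives/archives.log, the default
install location) are assumptions; the sample datagrams in the comments are
constructed.

```python
"""Send a marked syslog test message to an OSSEC server and decode <PRI>.

Hypothetical helper written for this thread; assumes the server accepts plain
RFC 3164 syslog on UDP 514 and that OSSEC is installed under /var/ossec.
"""
import socket
import sys
import time
import uuid

# Facility codes 0-23 as defined for syslog; anything above is undefined,
# which is why tcpdump prints "unknown (24)" for PRI 198 (24*8 + 6).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Return a BSD-syslog datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        t = time.localtime()
        # RFC 3164 wants a space-padded day of month ("Nov  8"), not "Nov 08".
        timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode()


def decode_pri(datagram):
    """Return (facility, severity) from a datagram's <PRI>; ValueError if absent."""
    if not datagram.startswith(b"<"):
        raise ValueError("datagram has no <PRI> header")
    end = datagram.find(b">", 1, 5)          # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        raise ValueError("malformed <PRI> header")
    pri = int(datagram[1:end])
    return pri // 8, pri % 8


def describe(datagram):
    """Render facility.severity as tcpdump does, e.g. 'local0.info' or 'unknown (24).info'."""
    facility, severity = decode_pri(datagram)
    name = FACILITIES[facility] if facility < len(FACILITIES) else f"unknown ({facility})"
    return f"{name}.{SEVERITIES[severity]}"


def send_test(host, port=514, facility=16, severity=6, tag="ossec-test"):
    """Send one message carrying a random marker; returns the marker to grep for."""
    marker = uuid.uuid4().hex
    msg = build_message(facility, severity, socket.gethostname(), tag,
                        f"remote syslog probe {marker}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))
    return marker


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: syslog_probe.py OSSEC_SERVER_IP [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    m = send_test(sys.argv[1], port)
    # Constructed sample: describe(b"<198>Nov  8 06:39:28 h t: x") -> "unknown (24).info"
    print(f"sent marker {m}; now run:")
    print(f"  grep {m} /var/ossec/logs/archives/archives.log")
```

Run it from the remote host while tcpdump is running on the server: if the
marker shows up in the capture but not in archives.log, the packet reached
the box and the problem is between the socket and ossec-remoted; if it does
not show up in the capture at all, look at the network or the sender.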
