I have configured remote alerting via ossec-remoted but am unable to get
alerts from the client. I am running ossec 2.7 on both the client and
server.
Below I have listed what I have done thus far.
*My server is up and running the following daemons:*
ossecm 14539 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-dbd -d
ossecm 14545 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-maild -d
ossec 14552 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-analysisd -d
root 14556 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-logcollector -d
ossecr 14561 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-remoted -d
root 14565 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-syscheckd -d
ossec 14571 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-monitord -d
*My server is able to run the rootcheck & syscheck on the client with no
problems:*
OSSEC HIDS agent_control. Agent information:
Agent ID: 001
Agent Name: XXXXXX
IP address: xxx.xxx.xxx.15
Status: Active
Operating system: AIX XXXXXX 1 6
Client version: OSSEC HIDS v2.7 / 3d94910986a318645f68e44531fd5742
Last keep alive: Fri Jun 21 15:01:58 2013
Syscheck last started at: Fri Jun 21 09:01:04 2013
Syscheck last ended at: Fri Jun 21 09:15:29 2013
Rootcheck last started at: Fri Jun 21 05:20:26 2013
Rootcheck last ended at: Fri Jun 21 05:21:04 2013
*I see my client is active:*
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: XXXXX (server), IP: 127.0.0.1, Active/Local
ID: 006, Name: XXXXX, IP: xxx.xxx.xxx.15, Active
*I have my server setup to accept secure connections from the client:
(global ossec.conf)*
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <allowed-ips>xxx.xxx.xxx.15</allowed-ips> <!-- cistest -->
</remote>
*I can see the ossec-remoted daemon running on port 1514 on my server*
netstat -panu | grep 514
udp 0 0 0.0.0.0:1514 0.0.0.0:* 14561/ossec-remoted
*I can see the connection to the master on port 1514 from the client*
netstat -an | grep 1514
udp4 0 0 xxx.xxx.xxx.15.34095 xxx.xxx.xxx.119.1514
*I set up a tcpdump on the client to monitor traffic on port 1514*
tcpdump -i en0 port 1514
*I then performed a logtest on the master server to make sure everything
was ok*
echo "Jun 21 11:08:58 sysutil1 su: pam_unix(su-l:auth): authentication failure; logname=albee uid=XXXX euid=0 tty=pts/1 ruser=albee rhost= user=root" | /backup/ossec/bin/ossec-logtest -a | /backup/ossec/bin/ossec-reportd
2013/06/21 15:11:19 ossec-reportd: INFO: Started (pid: 17468).
2013/06/21 15:11:19 ossec-testrule: INFO: Reading local decoder file.
2013/06/21 15:11:19 ossec-testrule: INFO: Started (pid: 17467).
2013/06/21 15:11:24 ossec-reportd: INFO: Report completed. Creating output...
Report completed. ==
------------------------------------------------
->Processed alerts: 1
->Post-filtering alerts: 1
->First alert: 2013 Jun 21 15:11:19
->Last alert: 2013 Jun 21 15:11:19
Top entries for 'Level':
------------------------------------------------
Severity 6 |1 |
Top entries for 'Group':
------------------------------------------------
authentication_failed |1 |
local |1 |
syslog |1 |
Top entries for 'Location':
------------------------------------------------
sysutil1->stdin |1 |
Top entries for 'Rule':
------------------------------------------------
5503 - User login failed. |1 |
*While the tcpdump was running I performed a logger command with the same
info on the client*
logger -pauth.err "Jun 21 11:08:58 xxxxx su: pam_unix(su-l:auth): authentication failure; logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee rhost= user=root"
*When I look at the tcpdump screen I can see the data was sent to the
ossec-remoted daemon running on the master server via port 1514*
root: --> tcpdump -i en0 port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type 1, capture size 96 bytes
15:16:56.102511 IP xxxxx.pdc.tch.harvard.edu.33812 > xxxxx.tch.harvard.edu: UDP, length 209
*Although I receive an alert when tested from the server, the same test
does not generate an alert when run from the client. This is despite seeing
the message being sent from the client and received by the ossec-remoted
daemon on the server. Any help would be appreciated.*

-Leo
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
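Added example, not part of Leo's post and not OSSEC's own code: a small Python approximation of the path a syslog line takes before rule 5503 can fire, written to show one difference between the two tests in the post that is worth checking. ossec-logtest was fed the bare line, so the syslog header names the program `su` and the message body starts with `pam_unix(`. The `logger` call on the agent, run as root without `-t`, makes the syslog daemon write a fresh header whose tag is the invoking user and whose body is the whole pasted text, old timestamp included. The regexes below are simplified stand-ins for OSSEC's syslog and pam decoders and for rule 5503's match string (not the real decoder.xml entries), the hostnames `agenthost` and `sysutil1`, the uid `1234` and the exact header layout are assumptions, and the three sample lines are constructed.

```python
import re

# Approximation of a syslog record as syslogd writes it:
#   "Mon DD HH:MM:SS host tag[pid]: message"
# Simplified stand-in for OSSEC's syslog decoder, not OSSEC's own regex.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Stand-in for the prematch of OSSEC's "pam" decoder: the message body (what is
# left after the syslog header) must begin with "pam_unix(<service>:<type>): ".
PAM_PREMATCH_RE = re.compile(r"^pam_unix\(\S+:\S+\): ")

# Stand-in for the match condition of rule 5503 ("User login failed."), which
# applies to pam-decoded events whose body contains this text.
RULE_5503_MATCH = "authentication failure; logname="


def analyse(line):
    """Decode one syslog line the way the server side would see it.

    Returns the program name from the syslog header, the decoder that
    claimed the message body (if any) and the rule id that would fire.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"program": None, "decoder": None, "rule": None}
    prog, msg = m.group("prog"), m.group("msg")
    result = {"program": prog, "decoder": None, "rule": None}
    if PAM_PREMATCH_RE.match(msg):
        result["decoder"] = "pam"
        if RULE_5503_MATCH in msg:
            result["rule"] = 5503
    return result


# Constructed sample input (uid and hostnames are made up for this example).
# 1. The line piped into ossec-logtest on the server: header and body exactly
#    as su/pam would have written them.
LOGTEST_LINE = (
    "Jun 21 11:08:58 sysutil1 su: pam_unix(su-l:auth): authentication failure; "
    "logname=albee uid=1234 euid=0 tty=pts/1 ruser=albee rhost= user=root"
)

# 2. What syslogd records when root runs, on the agent,
#      logger -p auth.err "Jun 21 11:08:58 agenthost su: pam_unix(...) ..."
#    with no -t: the tag is the invoking user and the pasted text, old
#    timestamp included, becomes the message body (header layout assumed).
LOGGER_DEFAULT_TAG_LINE = (
    "Jun 21 15:16:56 agenthost root: Jun 21 11:08:58 agenthost su: "
    "pam_unix(su-l:auth): authentication failure; logname=albee uid=1234 "
    "euid=0 tty=pts/1 ruser=albee rhost= user=root"
)

# 3. The same replay with the tag set and only the body passed:
#      logger -t su -p auth.err "pam_unix(su-l:auth): authentication failure; ..."
LOGGER_TAGGED_LINE = (
    "Jun 21 15:16:56 agenthost su: pam_unix(su-l:auth): authentication failure; "
    "logname=albee uid=1234 euid=0 tty=pts/1 ruser=albee rhost= user=root"
)


if __name__ == "__main__":
    for name, line in (("logtest stdin", LOGTEST_LINE),
                       ("logger, default tag", LOGGER_DEFAULT_TAG_LINE),
                       ("logger -t su", LOGGER_TAGGED_LINE)):
        print(f"{name:20s} -> {analyse(line)}")
```

Only the first and third lines reach rule 5503; the second is decoded as a message from program `root` whose body starts with a timestamp, so the pam stand-in never claims it. This is only one of the things that can differ between a line typed into ossec-logtest and one that has gone through the agent's syslog daemon and logcollector; it is also worth confirming that syslog.conf writes auth.err to a file the agent's ossec.conf actually monitors, and bear in mind that agent-to-server datagrams are encrypted, so the 209-byte packet in the tcpdump shows that something was sent, not which log line it carried.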