I have configured remote alerting via ossec-remoted but am unable to get
alerts from the client. I am running ossec 2.7 on both the client and
server.

Below I have listed what I have done thus far. 

*My server is up and running the following daemons:*

ossecm   14539     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-dbd -d
ossecm   14545     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-maild -d
ossec    14552     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-analysisd -d
root     14556     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-logcollector -d
ossecr   14561     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-remoted -d
root     14565     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-syscheckd -d
ossec    14571     1  0 14:51 ?        00:00:00 /backup/ossec/bin/ossec-monitord -d

*My server is able to run the rootcheck & syscheck on the client with no problems:*

OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: XXXXXX
   IP address: xxx.xxx.xxx.15
   Status:     Active

   Operating system:    AIX XXXXXX 1 6
   Client version:      OSSEC HIDS v2.7 / 3d94910986a318645f68e44531fd5742
   Last keep alive:     Fri Jun 21 15:01:58 2013

   Syscheck last started at:  Fri Jun 21 09:01:04 2013
   Syscheck last ended   at:  Fri Jun 21 09:15:29 2013
   Rootcheck last started at: Fri Jun 21 05:20:26 2013
   Rootcheck last ended   at: Fri Jun 21 05:21:04 2013

*I see my client is active:*

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: XXXXX (server), IP: 127.0.0.1, Active/Local
   ID: 006, Name: XXXXX, IP: xxx.xxx.xxx.15, Active

*I have my server set up to accept secure connections from the client (global ossec.conf):*


  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <allowed-ips>xxx.xxx.xxx.15</allowed-ips> <!-- cistest -->
  </remote>

*I can see the ossec-remoted daemon running on port 1514 on my server:*

netstat -panu | grep 514
udp        0      0 0.0.0.0:1514                0.0.0.0:*                               14561/ossec-remoted

*I can see the connection to the master on port 1514 from the client:*

netstat -an | grep 1514
udp4       0      0  xxx.xxx.xxx.15.34095    xxx.xxx.xxx.119.1514

*I set up a tcpdump on the client to monitor traffic on port 1514:*

tcpdump -i en0 port 1514

*I then performed a logtest on the master server to make sure everything was ok:*

echo "Jun 21 11:08:58 sysutil1 su: pam_unix(su-l:auth): authentication failure; logname=albee uid=XXXX euid=0 tty=pts/1 ruser=albee rhost=  user=root" | /backup/ossec/bin/ossec-logtest -a | /backup/ossec/bin/ossec-reportd
2013/06/21 15:11:19 ossec-reportd: INFO: Started (pid: 17468).
2013/06/21 15:11:19 ossec-testrule: INFO: Reading local decoder file.
2013/06/21 15:11:19 ossec-testrule: INFO: Started (pid: 17467).
2013/06/21 15:11:24 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 1
->Post-filtering alerts: 1
->First alert: 2013 Jun 21 15:11:19
->Last alert: 2013 Jun 21 15:11:19


Top entries for 'Level':
------------------------------------------------
Severity 6                                      |1       |


Top entries for 'Group':
------------------------------------------------
authentication_failed                           |1       |
local                                           |1       |
syslog                                          |1       |


Top entries for 'Location':
------------------------------------------------
sysutil1->stdin                                 |1       |


Top entries for 'Rule':
------------------------------------------------
5503 - User login failed.                       |1       |

*While the tcpdump was running I performed a logger command with the same info on the client:*

logger -p auth.err "Jun 21 11:08:58 xxxxx su: pam_unix(su-l:auth): authentication failure; logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee rhost=  user=root"

*When I look at the tcpdump screen I can see the data was sent to the ossec-remoted daemon running on the master server via port 1514:*

root: --> tcpdump -i en0 port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type 1, capture size 96 bytes
15:16:56.102511 IP xxxxx.pdc.tch.harvard.edu.33812 > xxxxx.tch.harvard.edu: UDP, length 209

*Although I receive an alert when tested from the server, the same test does not generate an alert when run from the client. This is despite seeing the message being sent from the client and received by the ossec-remoted daemon on the server. Any help would be appreciated.*

-Leo

You received this message because you are subscribed to the Google Groups "ossec-list" group.
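One check a practitioner would run next on the agent, added here as an example and not taken from the post above or from the OSSEC project: map the `auth.err` priority that `logger -p auth.err` uses through the agent's syslog.conf to find the file syslogd actually writes it to, then see whether that file appears in any `<localfile>` of the agent's ossec.conf, since the agent only forwards files it is told to watch. The syslog.conf and ossec.conf snippets in the block are constructed samples, and the paths and server IP in them are assumptions.

```python
"""Where does `logger -p auth.err` land on the agent, and does the OSSEC
agent watch that file?

Added diagnostic example; not code from the original post or from the OSSEC
project. It maps a syslog facility.priority through a classic syslog.conf
(AIX/BSD/Linux syslogd style) and compares the resulting file(s) with the
<localfile> entries of the agent's ossec.conf. The two configuration
snippets below are constructed samples; the paths in them are assumptions.
"""
import fnmatch
import xml.etree.ElementTree as ET

# syslog priorities, least to most severe (RFC 3164 names plus syslog.conf aliases)
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def prio_index(name):
    """Severity rank of a priority name, or None if it is not a known priority."""
    name = ALIASES.get(name, name)
    return PRIORITIES.index(name) if name in PRIORITIES else None


def syslog_targets(syslog_conf, facility, priority):
    """Files classic syslogd writes facility.priority to, in config order.

    Understands `fac.prio` (prio and above), `fac.=prio` (exactly prio),
    `*.prio`, comma lists of facilities, `;`-joined selectors and `.none`.
    Non-file actions (remote hosts `@host`, user names, pipes) are ignored;
    a leading `-` (Linux "no fsync") on a path is tolerated.
    """
    want = prio_index(priority)
    targets = []
    for raw in syslog_conf.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts[0], parts[1].lstrip("-")
        if not action.startswith("/"):
            continue
        matched = False
        for selector in selectors.split(";"):
            if "." not in selector:
                continue
            facs, prio = selector.rsplit(".", 1)
            facs = facs.split(",")
            if facility not in facs and "*" not in facs:
                continue
            if prio == "none":
                matched = False          # a later `fac.none` cancels an earlier `*.x`
            elif prio == "*":
                matched = True
            elif prio.startswith("="):
                if prio_index(prio[1:]) == want:
                    matched = True
            else:
                rank = prio_index(prio)
                if rank is not None and rank <= want:
                    matched = True
        if matched:
            targets.append(action)
    return targets


def monitored_files(ossec_conf):
    """<location> of every <localfile> in an agent ossec.conf (wildcards kept as-is).

    ossec.conf may hold several top-level <ossec_config> blocks, so the text
    is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    files = []
    for lf in root.iter("localfile"):
        loc = lf.find("location")
        if loc is not None and loc.text:     # command-type localfiles have no location
            files.append(loc.text.strip())
    return files


def check_logger_path(ossec_conf, syslog_conf, facility="auth", priority="err"):
    """Map facility.priority to files and say whether the agent watches each.

    Returns {syslog target path: True if some <localfile> location matches it}.
    An empty dict means syslogd writes that priority to no file at all, so the
    agent has nothing to forward whatever its localfile list says.
    """
    watched = monitored_files(ossec_conf)
    return {
        path: any(fnmatch.fnmatch(path, pattern) for pattern in watched)
        for path in syslog_targets(syslog_conf, facility, priority)
    }


# Constructed sample: an AIX-style /etc/syslog.conf on the agent (assumed paths).
SYSLOG_CONF = """\
# constructed sample, not the poster's file
*.emerg;*.alert;*.crit        /var/log/syslog.crit
auth.info                     /var/adm/authlog
mail.debug                    /var/spool/mqueue/syslog
"""

# Constructed sample: agent ossec.conf that only watches /var/log/messages (assumed).
OSSEC_CONF = """\
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for path, watched in check_logger_path(OSSEC_CONF, SYSLOG_CONF).items():
        print(f"auth.err -> {path}: {'watched' if watched else 'NOT in any <localfile>'}")
```

Run it against the real files on the agent (its ossec.conf under the agent install directory and /etc/syslog.conf). A `False`, or an empty result, means the `logger` line never becomes an OSSEC event on the agent, whatever tcpdump shows on port 1514: the agent's keepalives travel over the same UDP channel, so a packet seen there does not by itself prove the log line was forwarded.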