You will also need to check ossec.log on the server to see if it received the agent's message.
Perhaps it is easier to create a VPN tunnel between OSSEC Agents and OSSEC Server. On Tuesday, June 25, 2013 1:44:02 PM UTC-7, Erik Karnafel wrote: > > Dan, > I do have udp/1514 port forwarded to my server. > I created an agent with private ip. 172.50.50.0/24. The agent is actually > on 172.50.1.0/24 subnet. The ossec server is on 172.50.50.0/24 subnet. > And > it's going over the internet to a public ip. 5.4.5.4 > > This is the error that I get in the OSSEC.log file. > > 2013/06/25 13:38:26 ossec-agent: INFO: Started (pid: 6636). > 2013/06/25 13:38:36 ossec-agent: WARN: Process locked. Waiting for > permission... > 2013/06/25 13:38:47 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '5.4.5.4'. > 2013/06/25 13:38:49 ossec-agent: INFO: Trying to connect to server > (5.4.5.4:1514). > 2013/06/25 13:38:49 ossec-agent: INFO: Using IPv4 for: 5.4.5.4. > 2013/06/25 13:39:10 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '5.4.5.4'. > 2013/06/25 13:39:30 ossec-agent: INFO: Trying to connect to server > (5.4.5.4:1514). > 2013/06/25 13:39:30 ossec-agent: INFO: Using IPv4 for: 5.4.5.4. > > > -----Original Message----- > From: [email protected] <javascript:> [mailto: > [email protected] <javascript:>] On > Behalf Of dan (ddp) > Sent: Friday, June 21, 2013 12:00 PM > To: [email protected] <javascript:> > Subject: Re: [ossec-list] OSSEC Over Nat > > On Fri, Jun 21, 2013 at 2:51 PM, Erik Karnafel > <[email protected] <javascript:>> wrote: > > Hi All, > > > > Have any of you had success deploying ossec over nat. > > I want agents reporting to my OSSEC server from internet. Different > > Clients. > > > > What ports do I need to nat in order for this to work. > > > > I tried nating 12201 (GELF) port, but that does not work. I thought > > maybe ssh needed also. That didn't help. > > Agents over nat cannot seem to communicate. > > > > OSSEC continues to use udp/1514 for secure communications. If multiple > agents will appear to be coming from the same IP address, remember to add > them with IP "any" so the duplicate IPs won't be an issue. > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] <javascript:>. > For more options, visit https://groups.google.com/groups/opt_out. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
