Hi guys, I have 2 VMs with Internal Network set with these IPs: 192.168.1.100 (Server) | 192.168.1.101 (Windows Client). The server is Ubuntu 13.10 and the client is Windows 8.1 Enterprise; both are fully functional. My agent is installed and works properly when I get the status of my agent:

> $ ./agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: XXX (server), IP: 127.0.0.1, Active/Local
> ID: 004, Name: Windows8.1, IP: 192.168.1.101, Active

Now I want to configure my Windows client to send all its data to the server for collection, parsing and then sending it to Elasticsearch for easy access and search. The problem is that I configured the Windows client and it is probably sending everything, but on my server it says:

> 2013/12/15 16:42:23 ossec-csyslogd: DEBUG: Starting ...
> 2013/12/15 16:42:23 ossec-csyslogd: INFO: Remote syslog server not configured. Clean exit.

I don't know what it means or what I should do... The Windows logs are below:

2013/12/15 04:17:47 ossec-agent: INFO: Real time file monitoring started.
2013/12/15 04:17:47 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2013/12/15 04:17:57 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2013/12/15 04:18:17 ossec-agent: INFO: Starting rootcheck scan.
2013/12/15 04:18:22 ossec-agent: INFO: Ending rootcheck scan.
2013/12/15 04:25:30 ossec-agent Sending keep alive message....
2013/12/15 04:34:13 ossec-agent Sending keep alive message....
2013/12/15 04:38:35 ossec-agent More than 600 seconds without server response...sending win32info
2013/12/15 04:38:35 ossec-agent Sending keep alive message....
2013/12/15 04:38:36 ossec-agent Sending keep alive message....
2013/12/15 04:47:20 ossec-agent Sending keep alive message....
2013/12/15 04:56:04 ossec-agent Sending keep alive message....
2013/12/15 05:04:47 ossec-agent Sending keep alive message....
2013/12/15 05:09:09 ossec-agent More than 600 seconds without server response...sending win32info
2013/12/15 05:09:09 ossec-agent Sending keep alive message....
2013/12/15 05:09:10 ossec-agent Sending keep alive message....
2013/12/15 05:17:55 ossec-agent Sending keep alive message....
2013/12/15 05:26:39 ossec-agent Sending keep alive message....

It seems that it's working properly... I then restarted the agent and now it's the rest:

2013/12/15 05:33:23 ossec-agent: INFO: Started (pid: 11376).
*2013/12/15 05:33:24 ossec-agent(4102): INFO: Connected to the server (192.168.1.100:1514).*
2013/12/15 05:33:24 ossec-agent Sending keep alive message....
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2013/12/15 05:33:24 ossec-agent: INFO: Started (pid: 11376).

This is how I configured it to connect to the server for LOGS:

> <ossec_config>
>   <syslog_output>
>     <server>192.168.1.100</server>
>     <port>514</port>
>     <format>cef</format>
>   </syslog_output>
> </ossec_config>

And this is the config log on my server, which I'm almost sure is wrong, but I really don't know what I have to do anymore:

> <ossec_config>
>   <remote>
>     <connection>syslog</connection>
>     <port>514</port>
>     <protocol>udp</protocol>
>   </remote>
> </ossec_config>

I don't understand the concept here, whether I should use Local or Server settings for the collector server. My OSSEC status is:

> $ ./ossec-control status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild not running...
> ossec-execd is running...
> *ossec-csyslogd not running...*

which shows that my logging program is not working, which is why I'm here. If you need any more information let me know, I'm really desperate... I would appreciate it if you share your thoughts. Thanks
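As an added example that is not part of the original post: the two blocks above do different jobs on an OSSEC manager. `<syslog_output>` is read by ossec-csyslogd on the manager (it forwards the manager's alerts, so the same block in the Windows agent's ossec.conf is never read), while `<remote><connection>syslog>` makes ossec-remoted accept syslog from other devices. The collector address 192.168.1.200, the allowed-ips range and the alert level are assumed values.

```xml
<!-- Manager-side ossec.conf fragment (added example, not the poster's file). -->
<ossec_config>

  <!-- Agents connect to ossec-remoted on 1514/udp; this is what the
       Windows agent log line "Connected to the server (192.168.1.100:1514)"
       refers to. It needs no syslog_output on the agent side. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>

  <!-- Optional: only if other hosts should push raw syslog INTO the manager.
       Without <allowed-ips> remoted accepts nothing on this listener.
       The range is an assumed value. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>

  <!-- This is what ossec-csyslogd looks for. Placing it here, on the
       manager, makes the "Remote syslog server not configured" exit go away.
       <server> is the collector that feeds Elasticsearch (assumed address).
       <level> is the minimum alert level to forward (assumed value). -->
  <syslog_output>
    <server>192.168.1.200</server>
    <port>514</port>
    <format>cef</format>
    <level>3</level>
  </syslog_output>

</ossec_config>

<!-- csyslogd is disabled by default; after saving the file, on the manager:
       /var/ossec/bin/ossec-control enable client-syslog
       /var/ossec/bin/ossec-control restart
     then ./ossec-control status should show "ossec-csyslogd is running...". -->
```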
