I tried to change the ossec.conf of the agent; I changed it to port 1514
and it didn't help.

There isn't any FW between both machines.

I paste here the configurations of the agent and the server, first the agent:

[root@uiointalio etc]# vi ossec.conf 
"ossec.conf" 76L, 2198C written
[root@uiointalio etc]# service ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC:                                            [  OK  ]
[root@uiointalio etc]# vi ossec.conf 
"ossec.conf" 76L, 2198C written
[root@uiointalio etc]# cat ossec.conf 
obexch02.mre.corp<ossec_config>
  <client>
    <server-ip>10.10.8.128</server-ip>
  </client>

<alerts>
<log_alert_level>7</log_alert_level>
<email_alert_level>8</email_alert_level>
</alerts>

<global><email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>10.10.8.107</smtp_server>
<email_from>[email protected]</email_from>
<email_maxperhour>5</email_maxperhour>
</global>
 
<client>
<server-ip>10.10.8.128</server-ip>
<port>1514</port>
</client>


  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>300</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>


  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

</ossec_config>


The configuration of the server:

[root@uiointalio etc]# vi ossec.conf 
"ossec.conf" 76L, 2198C written
[root@uiointalio etc]# service ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC:                                            [  OK  ]
[root@uiointalio etc]# vi ossec.conf 
"ossec.conf" 76L, 2198C written
[root@uiointalio etc]# cat ossec.conf 
obexch02.mre.corp<ossec_config>
  <client>
    <server-ip>10.10.8.128</server-ip>
  </client>

<alerts>
<log_alert_level>7</log_alert_level>
<email_alert_level>8</email_alert_level>
</alerts>

<global><email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>10.10.8.107</smtp_server>
<email_from>[email protected]</email_from>
<email_maxperhour>5</email_maxperhour>
</global>
 
<client>
<server-ip>10.10.8.128</server-ip>
<port>1514</port>
</client>


  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>300</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>


  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

</ossec_config>

I think there is an issue with the association of the agent in the server:

[root@UIONAGIOS bin]# ./list_agents -a
** No agent available.

Also, when I scan port 1514 with nmap from the agent, I get that the UDP port is closed:

[root@uiointalio etc]# nmap -sU -p 1514 10.10.8.128 -vv

Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-21 15:13 ECT
Initiating ARP Ping Scan at 15:13
Scanning 10.10.8.128 [1 port]
Completed ARP Ping Scan at 15:13, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:13
Completed Parallel DNS resolution of 1 host. at 15:13, 0.00s elapsed
Initiating UDP Scan at 15:13
Scanning 10.10.8.128 [1 port]
Completed UDP Scan at 15:13, 0.00s elapsed (1 total ports)
Nmap scan report for 10.10.8.128
Host is up (0.00059s latency).
Scanned at 2014-02-21 15:13:46 ECT for 0s
PORT     STATE    SERVICE
1514/udp filtered fujitsu-dtcns


Maybe re-install the server using the upgrade options??

thanks 

marco


On Friday, 21 February 2014 16:24:13 UTC-3, marco cohen wrote:
>
> hi,
>
> I get errors in the logs of the agent (CentOS):
>
> 2014/02/21 14:16:29 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2014/02/21 14:16:41 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2014/02/21 14:16:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.8.128'.
> 2014/02/21 14:16:42 ossec-agentd: INFO: Trying next server ip in the line: '10.10.8.128'.
> 2014/02/21 14:16:43 ossec-agentd: INFO: Closing connection to server (10.10.8.128:1519).
> 2014/02/21 14:16:43 ossec-agentd: INFO: Trying to connect to server (10.10.8.128:1519).
> 2014/02/21 14:16:43 ossec-agentd: INFO: Using IPv4 for: 10.10.8.128
>
> I don't understand what the problem is. I saw in a post that maybe to
> re-join the agent to the server, so I deleted it and created it again, but the
> same error happens.
> I checked networking issues, and port 1519 on the server, both TCP and
> UDP, is closed when I scanned the server from the agent.
> There isn't any firewall between the agent and the server. I also stopped
> the iptables service in the server just to try to solve it, but nothing
> helped.
>
> what can be the issue?
>
> thanks 
> marco
>
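An added diagnostic, not code from this thread or from OSSEC itself: it parses the <client> block(s) of an ossec.conf laid out like the one pasted above (stray text before the root element, two <client> blocks, one without a <port>) and checks the server ip:port the agent is configured for against the ip:port that ossec-agentd reports trying to connect to. The sample config and log lines are constructed from the thread, and 1514 is assumed as the default when <port> is absent.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the pasted agent config (stray text, two <client> blocks).
SAMPLE_CONF = """obexch02.mre.corp<ossec_config>
  <client><server-ip>10.10.8.128</server-ip></client>
  <client><server-ip>10.10.8.128</server-ip><port>1514</port></client>
</ossec_config>"""

# Constructed ossec-agentd log lines in the format quoted in the thread.
SAMPLE_LOG = """2014/02/21 14:16:29 ossec-agentd(1218): ERROR: Unable to send message to server.
2014/02/21 14:16:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.8.128'.
2014/02/21 14:16:43 ossec-agentd: INFO: Trying to connect to server (10.10.8.128:1519)."""

DEFAULT_PORT = 1514  # assumed OSSEC default when <port> is absent
CONNECT_RE = re.compile(r"Trying to connect to server \(([\d.]+):(\d+)\)")


def parse_client_blocks(conf_text):
    """Return (findings, targets): targets are the (ip, port) pairs the agent will use,
    findings are config problems to fix first. Assumes one <ossec_config> root."""
    findings = []
    idx = conf_text.find("<ossec_config>")
    if idx == -1:
        return ["no <ossec_config> root element found"], []
    junk = conf_text[:idx].strip()
    if junk:
        findings.append("stray text before <ossec_config>: %r" % junk)
    root = ET.fromstring(conf_text[idx:])
    clients = root.findall("client")
    if len(clients) != 1:
        findings.append("%d <client> blocks found, expected exactly one" % len(clients))
    targets = []
    for client in clients:
        ip = client.findtext("server-ip") or client.findtext("server-hostname")
        port = int(client.findtext("port") or DEFAULT_PORT)
        targets.append((ip, port))
    return findings, targets


def check_log_against_conf(log_text, targets):
    """Flag connection attempts whose ip:port the config does not declare, and count send errors."""
    findings = []
    errors = sum("Unable to send message" in line for line in log_text.splitlines())
    if errors:
        findings.append("%d 'Unable to send message to server' errors" % errors)
    for match in CONNECT_RE.finditer(log_text):
        attempt = (match.group(1), int(match.group(2)))
        if attempt not in targets:
            findings.append("agent tried %s:%d but config points at %s" % (attempt + (targets,)))
    return findings
```

Run both functions over the real /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log of the agent; a port in the log that the config does not declare means the running agent is not using the file you edited.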
