On Fri, Feb 21, 2014 at 3:14 PM, marco cohen <[email protected]> wrote:
> I tried to change it in the ossec.conf of the agent. I changed it to port 1514
> and it didn't help.
>
> There isn't any FW between both machines.
>
> I paste here the configurations of the agent and the server, first the agent:
>
> [root@uiointalio etc]# vi ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>
>
>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
How did you install this? There's no reason the agent should have the email stuff in the config.

>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> "ossec.conf" 76L, 2198C written
> [root@uiointalio etc]# service ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC: [ OK ]
> [root@uiointalio etc]# vi ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>
>
>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> "ossec.conf" 76L, 2198C written
> [root@uiointalio etc]# cat ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>
>
>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <!-- Files to monitor (localfiles) -->
>
>
>
>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   </localfile>
>
> </ossec_config>

There are multiple <client> sections, and plenty of configurations that don't belong on an agent.

>
> the configuration of the server:
>
> [root@uiointalio etc]# vi ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>

If this is an OSSEC server, it does not need the above configuration. That's only for agents.

>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> "ossec.conf" 76L, 2198C written
> [root@uiointalio etc]# service ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC: [ OK ]
> [root@uiointalio etc]# vi ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>
>
>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> "ossec.conf" 76L, 2198C written
> [root@uiointalio etc]# cat ossec.conf
> obexch02.mre.corp<ossec_config>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>   </client>
>
>   <alerts>
>     <log_alert_level>7</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>
>   <global><email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>10.10.8.107</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>5</email_maxperhour>
>   </global>
>
>   <client>
>     <server-ip>10.10.8.128</server-ip>
>     <port>1514</port>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>300</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc</directories>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <!-- Files to monitor (localfiles) -->
>
>
>
>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   </localfile>
>
> </ossec_config>
>

Generally there are more <localfile>s defined.
The server config you posted also did not have a <remote> section, which might explain the issue. I'm very curious as to how OSSEC was installed on these systems, but it wasn't done correctly.

>
>
> I think there is an issue with the association of the agent in the server:
>
> [root@UIONAGIOS bin]# ./list_agents -a
> ** No agent available.
>
> Also, when I scan port 1514 with nmap from the agent, I get that the UDP port is closed:
>
> [root@uiointalio etc]# nmap -sU -p 1514 10.10.8.128 -vv
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-21 15:13 ECT
> Initiating ARP Ping Scan at 15:13
> Scanning 10.10.8.128 [1 port]
> Completed ARP Ping Scan at 15:13, 0.08s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 15:13
> Completed Parallel DNS resolution of 1 host. at 15:13, 0.00s elapsed
> Initiating UDP Scan at 15:13
> Scanning 10.10.8.128 [1 port]
> Completed UDP Scan at 15:13, 0.00s elapsed (1 total ports)
> Nmap scan report for 10.10.8.128
> Host is up (0.00059s latency).
> Scanned at 2014-02-21 15:13:46 ECT for 0s
> PORT     STATE    SERVICE
> 1514/udp filtered fujitsu-dtcns
>
>
> Maybe reinstall the server using the upgrade options??
>
> thanks
>
> marco
>
>
>
> On Friday, 21 February 2014 16:24:13 UTC-3, marco cohen wrote:
>>
>> hi,
>>
>> I get errors in the logs of the agent (CentOS):
>>
>> 2014/02/21 14:16:29 ossec-agentd(1218): ERROR: Unable to send message to server.
>> 2014/02/21 14:16:41 ossec-agentd(1218): ERROR: Unable to send message to server.
>> 2014/02/21 14:16:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.8.128'.
>> 2014/02/21 14:16:42 ossec-agentd: INFO: Trying next server ip in the line: '10.10.8.128'.
>> 2014/02/21 14:16:43 ossec-agentd: INFO: Closing connection to server (10.10.8.128:1519).
>> 2014/02/21 14:16:43 ossec-agentd: INFO: Trying to connect to server (10.10.8.128:1519).
>> 2014/02/21 14:16:43 ossec-agentd: INFO: Using IPv4 for: 10.10.8.128
>>
>> I don't understand what the problem is. I saw in a post that maybe I should
>> rejoin the agent to the server, so I deleted it and created it again, but the
>> same error happens.
>> I checked for networking issues, and port 1519 on the server, both TCP and
>> UDP, is closed when I scan the server from the agent.
>> There isn't any firewall between the agent and the server. I also stopped
>> the iptables service on the server just to try to solve it, but nothing
>> helped.
>>
>> What can be the issue?
>>
>> thanks
>> marco
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
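The reply above points at three defects in the posted ossec.conf files: the agent carries <global> e-mail settings, it declares two <client> blocks, and the file presented as the server config has no <remote> section, so nothing on the server is listening for agents. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It lints a config for those symptoms by role, cross-checks that agent and server agree on the port, and shows the minimal corrected agent and server fragments side by side with a sample shaped like the posted one. It assumes the OSSEC 2.x single-file ossec.conf layout seen in the thread (one tag per line), so plain grep/sed are used instead of an XML parser, and the sample configs it writes are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the ossec-list thread or the OSSEC project): lint an
# ossec.conf for the agent/server mix-ups discussed above.
# Assumption: one XML tag per line, as in the files posted in the thread.

# Number of <client> blocks in a config. <client> is an agent-only section and
# there should be exactly one of them on an agent, none on a server.
count_client_blocks() {
  grep -c '<client>' "$1" || true   # grep -c exits 1 when the count is 0
}

# First <port> value in a config; OSSEC defaults to 1514 when none is set
# (agent side: <client><port>, server side: <remote><port>).
configured_port() {
  local p
  p=$(sed -n 's:.*<port>\([0-9][0-9]*\)</port>.*:\1:p' "$1" | head -n 1)
  echo "${p:-1514}"
}

# Print one finding per line for the given role (agent|server); prints nothing
# when the file looks sane for that role.
lint_ossec_conf() {
  local role=$1 file=$2 clients
  clients=$(count_client_blocks "$file")
  case $role in
    agent)
      [ "$clients" -eq 1 ] || echo "agent: expected exactly one <client> block, found $clients"
      grep -q '<email_notification>' "$file" && echo "agent: <global> e-mail settings belong on the server, not the agent"
      grep -q '<remote>' "$file" && echo "agent: <remote> is a server-only section"
      ;;
    server)
      [ "$clients" -eq 0 ] || echo "server: <client> is agent-only, found $clients block(s)"
      grep -q '<remote>' "$file" || echo "server: no <remote> block, so ossec-remoted has nothing to listen on for agents"
      ;;
    *) echo "unknown role: $role" ;;
  esac
  return 0
}

# Agent and server must agree on the port or the agent keeps logging
# "Unable to send message to server".
ports_match() {
  [ "$(configured_port "$1")" = "$(configured_port "$2")" ]
}

# Constructed samples for the demonstration (trimmed; not the poster's full files).
WORK=$(mktemp -d)

# Shape of the agent config posted in the thread: two <client> blocks plus e-mail settings.
cat > "$WORK/agent_as_posted.conf" <<'EOF'
<ossec_config>
  <client>
    <server-ip>10.10.8.128</server-ip>
  </client>
  <global><email_notification>yes</email_notification>
    <smtp_server>10.10.8.107</smtp_server>
  </global>
  <client>
    <server-ip>10.10.8.128</server-ip>
    <port>1514</port>
  </client>
</ossec_config>
EOF

# Minimal corrected agent config: a single <client> block and nothing server-side.
cat > "$WORK/agent_fixed.conf" <<'EOF'
<ossec_config>
  <client>
    <server-ip>10.10.8.128</server-ip>
    <port>1514</port>
  </client>
</ossec_config>
EOF

# Minimal server side: a <remote> listener for agents ("secure", 1514/udp) and no <client>.
cat > "$WORK/server_fixed.conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
EOF

lint_ossec_conf agent  "$WORK/agent_as_posted.conf"
lint_ossec_conf agent  "$WORK/agent_fixed.conf"
lint_ossec_conf server "$WORK/agent_as_posted.conf"   # the "server" file posted was the agent file again
lint_ossec_conf server "$WORK/server_fixed.conf"
ports_match "$WORK/agent_fixed.conf" "$WORK/server_fixed.conf" && echo "agent and server agree on port $(configured_port "$WORK/server_fixed.conf")"
```

On a real installation point the functions at /var/ossec/etc/ossec.conf on each box. A clean config is necessary but not sufficient: the "** No agent available." from list_agents in the thread means no agent key has been added on the server, so the agent also has to be registered with manage_agents and its key imported before ossec-remoted will accept its traffic on 1514/udp.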
