Could you paste ifconfig and netstat output (feel free to anonymize any data if needed)? At this point I don't know what the issue could be but this info may help.
On Thu, Apr 10, 2014 at 8:32 AM, Devendra Agarwal < [email protected]> wrote: > No firewall (hardware or software) involved and tcpdump does not show any > communication between client and server. As soon as I install it on a > server that doesn't have network bonding/teaming configured (even with > multiple IPs), issue doesn't happen. > > > > On Thursday, 10 April 2014 11:29:39 UTC-4, Santiago Bassett wrote: > >> Could you check on the server with tcpdump if there is any traffic sent >> from the agent and, in case there is, what IP is being used? I know you did >> it with Netstat but there could be other factors involved (maybe >> firewalls...) >> >> >> >> >> On Thu, Apr 10, 2014 at 8:05 AM, Binet, Valere (NIH/NIA/IRP) [C] < >> [email protected]> wrote: >> >>> What do the logs say? >>> They should be in /var/ossec/logs >>> >>> Valère Binet [C] >>> IT Security Administrator >>> Kelly Government Solutions On-Site at the NIH >>> NIH / NIA / IRP >>> Tel : 410 558 8013 >>> mailto: [email protected] >>> >>> >>> >>> NCTS performance comments and survey at: >>> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey >>> >>> On Apr 10, 2014, at 9:43 AM, Devendra Agarwal <[email protected]< >>> mailto:[email protected]>> wrote: >>> >>> Hi Santiago, >>> >>> Thanks for the response. The system does have 2 IPs. I have verified >>> with netstat that ossec binds to correct IP. There is no communication >>> shown in the output of tcpdump on either IPs. In every case it fails, that >>> server has NIC bonding (teaming) setup. I am wondering if I need to do >>> anything else to configure ossec to accommodate NIC bonding. >>> >>> >>> >>> On Wednesday, 9 April 2014 21:26:15 UTC-4, Santiago Bassett wrote: >>> Hi Devendra, >>> >>> does your system have multiple IP addresses? Is there any other agent >>> connected to the server? >>> >>> I have experienced issues with systems running multiple IP addresses. If >>> that is the case I would recommend to check with tcpdump which is the one >>> that the agent uses to send data to the server, and be sure it matches the >>> one configured for the agent. >>> >>> I hope it helps >>> >>> >>> >>> On Wed, Apr 9, 2014 at 1:29 PM, Devendra Agarwal >>> <[email protected]<javascript:>> >>> wrote: >>> I installed ossec-hids-2.4.1 agent on a server running on Red Hat Linux >>> 5.4. The agent is not communicating. Other agents are fine. It seems if I >>> hace NIC bonding setup, this isue happens. Is there any known issue with >>> ossec if there is NIC bonding setup? >>> >>> 2014/04/09 16:23:28 ossec-agentd: INFO: Trying to connect to server ( >>> 3.144.193.45:1514<http://3.144.193.45:1514/>). >>> 2014/04/09 16:23:49 ossec-agentd(4101): WARN: Waiting for server reply >>> (not started). Tried: '3.144.193.45'. >>> 2014/04/09 16:24:27 ossec-agentd: INFO: Trying to connect to server ( >>> 3.144.193.45:1514<http://3.144.193.45:1514/>). >>> 2014/04/09 16:24:48 ossec-agentd(4101): WARN: Waiting for server reply >>> (not started). Tried: '3.144.193.45'. >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]<javascript:>. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]<mailto:ossec- >>> [email protected]>. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
