On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]> wrote:
> Hey guys,
>
> I have been having troubles configuring agents and establishing
> communication between the OSSEC server I have set up and the agent.
>
> The configuration:
> Server: Debian Wheezy - standard installation from github with option:
> server
> Client: Windows XP - Simple Agent from Github
>
> All of this runs on VMWare Workstation - I tried it both with NAT and
> Host-to-host routing.
>
> There is no firewall installed either on a VM nor in between them.
>
> I can see the UDP packets coming FROM the Windows Agent TO the debian server
>
> In the Windows Agent however I get the 4101 error as described here:
> http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
>
> The keys have been transferred correctly.
>
> It is a fresh debian setup with just the essentials being installed.
>
> I have also explicitly set the local_ip and port options in the <remote>
> configuration in /var/ossec/etc/ossec.conf
>
> IPs + Subnet range is whitelisted
>
> The Client has been restarted and run under System / User rights
> The server, the ossec server and the networking has been restarted several
> times between configuration changes.
>
> The ossec server logs and the WUI shows events such as - tcpdump has been
> started, root has logged in etc. But it does not show the windows agent
>
> What could be the problem?
>
> Any help is highly appreciated!
>
Are there any logs in the manager's ossec.log? Try turning on debug
(`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`)
and check again.

Do the agents have multiple IP addresses? Are they using the correct IP when
contacting the manager?

> Best
> R
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
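
The reply's last question, whether the agent reaches the manager from the IP the manager expects, can be checked by comparing the source address seen on the manager (for example in tcpdump) with the address registered for that agent. The following is an added example, not part of the original thread or of OSSEC itself; it assumes `client.keys` entries of the form `id name address key`, and the agent names, addresses and keys are constructed.

```python
import ipaddress

# Constructed sample in the layout of /var/ossec/etc/client.keys
# (assumed: "<id> <name> <address|CIDR|any> <key>"); keys are placeholders.
SAMPLE_CLIENT_KEYS = """\
001 winxp-agent 192.168.56.20 PLACEHOLDER_KEY_1
002 lab-range 10.0.0.0/24 PLACEHOLDER_KEY_2
003 roaming any PLACEHOLDER_KEY_3
"""


def parse_client_keys(text):
    """Map agent name -> allowed network (None means 'any')."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        _agent_id, name, address, _key = parts
        if address.lower() == "any":
            agents[name] = None
            continue
        try:
            agents[name] = ipaddress.ip_network(address, strict=False)
        except ValueError:
            continue  # address field is not an IP or CIDR; skip the entry
    return agents


def source_matches(agents, name, observed_ip):
    """True if observed_ip (as seen on the manager, e.g. in tcpdump)
    falls inside the address registered for the named agent."""
    if name not in agents:
        raise KeyError(f"no such agent in client.keys: {name}")
    allowed = agents[name]
    return allowed is None or ipaddress.ip_address(observed_ip) in allowed


if __name__ == "__main__":
    agents = parse_client_keys(SAMPLE_CLIENT_KEYS)
    # Constructed observations: the second is what a NAT hop could look like.
    for ip in ("192.168.56.20", "192.168.56.2"):
        ok = source_matches(agents, "winxp-agent", ip)
        verdict = "matches" if ok else "does NOT match"
        print(f"{ip} {verdict} the address registered for winxp-agent")
```

A mismatch here means the address registered for the agent on the manager differs from the one its packets actually arrive from, which is worth ruling out when switching between NAT and host-only networking.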
