Dan, thank you for taking an interest in this issue. Yes, there is an ossec.log file. I have restarted the server and, several times, the client to see what happens to the log file: http://i.imgur.com/OOEMtyI.png (Not much)
Server IP: http://imgur.com/Y5FgKRb

Here is a server shot from tcpdump filtered where source ip address = agent's address + netstat -tulpn that ossec-remoted is listening on 1514 udp port http://i.imgur.com/MAs7mBy.png

Sorry for the screenshots, but I cannot copy paste from the console to the host system.

On the agent the log looks like this: http://pastebin.com/B5cBkvWv

So the IP addresses are the same. It is the only agent running.

When I open, as an administrator, cmd on the client machine, and call the manage_agents.exe the following output is shown:

C:\Program Files\ossec-agent>manage_agents.exe
2014/06/04 20:44:07 manage-agents: Could not run GetModuleFileName with returned (127).

I am really confused where the problem could lie, I have followed the tutorials such as http://ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf

On Wednesday, 4 June 2014 13:51:20 UTC+1, dan (ddpbsd) wrote:
>
> On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]> wrote:
> > Hey guys,
> >
> > I have been having troubles configuring agents and establishing
> > communication between the OSSEC server I have set up and the agent.
> >
> > The configuration:
> > Server: Debian Wheezy - standard installation from github with option: server
> > Client: Windows XP - Simple Agent from Github
> >
> > All of this runs on VMWare Workstation - I tried it both with NAT and
> > Host-to-host routing.
> >
> > There is no firewall installed either on a VM nor in between them.
> >
> > I can see the UDP packets coming FROM the Windows Agent TO the debian server
> >
> > In the Windows Agent however I get the 4101 error as described here:
> > http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
> >
> > The keys have been transferred correctly.
> >
> > It is a fresh debian setup with just the essentials being installed.
> >
> > I have also explicitly set the local_ip and port options in the <remote>
> > configuration in /var/ossec/etc/ossec.conf
> >
> > IPs + Subnet range is whitelisted
> >
> > The Client has been restarted and run under System / User rights
> > The server, the ossec server and the networking has been restarted several
> > times between configuration changes.
> >
> > The ossec server logs and the WUI shows events such as - tcpdump has been
> > started, root has logged in etc. But it does not show the windows agent
> >
> > What could be the problem ?
> >
> > Any help is highly appreciated!
> >
>
> Are there any logs in the manager's ossec.log? Try turning on debug
> (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`) and check again.
> Do the agents have multiple IP addresses? Are they using the correct
> IP when contacting the manager?
>
> > Best
> > R
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
