On Wed, Jun 4, 2014 at 3:53 PM, Bjoern Schwabe <[email protected]> wrote:
> Dan,
> thank you for taking interest in this issue.
>
> Yes, there is an ossec.log file.
> I have restarted the server and several times the client to see what happens
> to the log file:
> http://i.imgur.com/OOEMtyI.png
> (Not much)
>
> Server IP:
> http://imgur.com/Y5FgKRb
>
> Here is a server shot from tcpdump filtered where source ip address =
> agent's address
>
> + netstat -tulpn that ossec-remoted is listening on 1514 udp port
> http://i.imgur.com/MAs7mBy.png
>
> Sorry for the screenshots, but I cannot copy paste from the console to the
> host system.
>
That's ok, I can't look at the pictures. :)

> On the agent the log looks like this:
> http://pastebin.com/B5cBkvWv
>
> So the IP addresses are the same.
>
> It is the only agent running.
>
> When I open, as an administrator, cmd on the client machine, and call the
> manage_agents.exe the following output is shown:
> C:\Program Files\ossec-agent>manage_agents.exe
> 2014/06/04 20:44:07 manage-agents: Could not run GetModuleFileName with returned (127).
>
> I am really confused where the problem could lie, I have followed the
> tutorials such as http://ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf
>
> On Wednesday, 4 June 2014 13:51:20 UTC+1, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]> wrote:
>> > Hey guys,
>> >
>> > I have been having troubles configuring agents and establishing
>> > communication between the OSSEC server I have set up and the agent.
>> >
>> > The configuration:
>> > Server: Debian Wheezy - standard installation from github with option: server
>> > Client: Windows XP - Simple Agent from Github
>> >
>> > All of this runs on VMWare Workstation - I tried it both with NAT and
>> > Host-to-host routing.
>> >
>> > There is no firewall installed either on a VM nor in between them.
>> >
>> > I can see the UDP packets coming FROM the Windows Agent TO the debian server
>> >
>> > In the Windows Agent however I get the 4101 error as described here:
>> >
>> > http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
>> >
>> > The keys have been transferred correctly.
>> >
>> > It is a fresh debian setup with just the essentials being installed.
>> >
>> > I have also explicitly set the local_ip and port options in the
>> > <remote> configuration in /var/ossec/etc/ossec.conf
>> >
>> > IPs + Subnet range is whitelisted
>> >
>> > The Client has been restarted and run under System / User rights
>> > The server, the ossec server and the networking has been restarted
>> > several times between configuration changes.
>> >
>> > The ossec server logs and the WUI shows events such as - tcpdump has
>> > been started, root has logged in etc. But it does not show the windows agent
>> >
>> > What could be the problem?
>> >
>> > Any help is highly appreciated!
>> >
>>
>> Are there any logs in the manager's ossec.log? Try turning on debug
>> (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`)
>> and check again.
>> Do the agents have multiple IP addresses? Are they using the correct
>> IP when contacting the manager?
>>
>> > Best
>> > R
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
