Yes, on the server seem to be now error in the logs.
On the client however is:

2014/06/05 21:10:55 ossec-agent: WARN: Process locked. Waiting for permission...
2014/06/05 21:11:06 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
2014/06/05 21:11:08 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
2014/06/05 21:11:08 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
2014/06/05 21:11:29 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
2014/06/05 21:11:49 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
2014/06/05 21:11:49 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
2014/06/05 21:12:10 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.

On Thursday, 5 June 2014 00:18:02 UTC+1, dan (ddpbsd) wrote:
>
> On Jun 4, 2014 4:36 PM, "Bjoern Schwabe" <[email protected]> wrote:
> >
> > Dan,
> > thank you for taking interest in this issue.
> >
> > Yes, there is an ossec.log file.
> > I have restarted the server and several times the client to see what happens to the log file:
> > http://i.imgur.com/OOEMtyI.png
> > (Not much)
> >
> > Server IP:
> > http://imgur.com/Y5FgKRb
> >
> > Here is a server shot from tcpdump filtered where source ip address = agent's address
> >
> > + netstat -tulpn that ossec-remoted is listening on 1514 udp port
> > http://i.imgur.com/MAs7mBy.png
> >
> > Sorry for the screenshots, but I cannot copy paste from the console to the host system.
> >
> > On the agent the log looks like this:
> > http://pastebin.com/B5cBkvWv
> >
>
> I don't see any connection errors in that log. Did I miss them?
>
> > So the IP addresses are the same.
> >
> > It is the only agent running.
> >
> > When I open, as an administrator, cmd on the client machine, and call the manage_agents.exe the following output is shown:
> > C:\Program Files\ossec-agent>manage_agents.exe
> > 2014/06/04 20:44:07 manage-agents: Could not run GetModuleFileName with returned
> > (127).
> >
> > I am really confused where the problem could lie, I have followed the tutorials such as http://ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf
> >
> > On Wednesday, 4 June 2014 13:51:20 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]> wrote:
> >> > Hey guys,
> >> >
> >> > I have been having troubles configuring agents and establishing
> >> > communication between the OSSEC server I have set up and the agent.
> >> >
> >> > The configuration:
> >> > Server: Debian Wheezy - standard installation from github with option: server
> >> > Client: Windows XP - Simple Agent from Github
> >> >
> >> > All of this runs on VMWare Workstation - I tried it both with NAT and Host-to-host routing.
> >> >
> >> > There is no firewall installed either on a VM nor in between them.
> >> >
> >> > I can see the UDP packets coming FROM the Windows Agent TO the debian server
> >> >
> >> > In the Windows Agent however I get the 4101 error as described here:
> >> > http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
> >> >
> >> > The keys have been transferred correctly.
> >> >
> >> > It is a fresh debian setup with just the essentials being installed.
> >> >
> >> > I have also explicitly set the local_ip and port options in the <remote> configuration in /var/ossec/etc/ossec.conf
> >> >
> >> > IPs + Subnet range is whitelisted
> >> >
> >> > The Client has been restarted and run under System / User rights
> >> > The server, the ossec server and the networking has been restarted several times between configuration changes.
> >> >
> >> > The ossec server logs and the WUI shows events such as - tcpdump has been started, root has logged in etc. But it does not show the windows agent
> >> >
> >> > What could be the problem ?
> >> >
> >> > Any help is highly appreciated!
> >> >
> >>
> >> Are there any logs in the manager's ossec.log? Try turning on debug (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`) and check again.
> >> Do the agents have multiple IP addresses? Are they using the correct IP when contacting the manager?
> >>
> >> > Best
> >> > R
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
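
A small triage script for the retry loop in the agent log at the top of this message, as an added example that is not part of the original thread: it parses the log lines copied from the post and flags a manager address whose most recent event is a 4101 "Waiting for server reply" warning. The function name `summarize`, the `min_warnings` threshold and the "stuck" criterion are assumptions made for this example.

```python
import re
from datetime import datetime

# Agent log lines copied from the post above.
SAMPLE_LOG = """\
2014/06/05 21:10:55 ossec-agent: WARN: Process locked. Waiting for permission...
2014/06/05 21:11:06 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
2014/06/05 21:11:08 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
2014/06/05 21:11:08 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
2014/06/05 21:11:29 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
2014/06/05 21:11:49 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
2014/06/05 21:11:49 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
2014/06/05 21:12:10 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) [\w-]+(?:\((\d+)\))?: \w+: (.*)$")
CONNECT = re.compile(r"Trying to connect to server \(([\d.]+):(\d+)\)")
NO_REPLY = re.compile(r"Waiting for server reply \(not started\)\. Tried: '([^']+)'")

def summarize(log_text, min_warnings=2):
    """Per manager address: connect attempts, 4101 warnings, and a 'stuck' flag."""
    servers = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an agent log line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        code, msg = m.group(2), m.group(3)
        connect, no_reply = CONNECT.search(msg), NO_REPLY.search(msg)
        if connect:
            ip, event = connect.group(1), "attempts"
        elif code == "4101" and no_reply:
            ip, event = no_reply.group(1), "no_reply"
        else:
            continue  # unrelated message (e.g. "Process locked", "Using IPv4")
        s = servers.setdefault(ip, {"port": None, "attempts": 0, "no_reply": 0, "first": ts})
        if connect:
            s["port"] = int(connect.group(2))
        s[event] += 1
        s["last"], s["last_event"] = ts, event
    for s in servers.values():
        s["seconds"] = int((s["last"] - s["first"]).total_seconds())
        # Assumed criterion: the latest event is a 4101 warning, seen min_warnings+ times.
        s["stuck"] = s["last_event"] == "no_reply" and s["no_reply"] >= min_warnings
    return servers

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["port"], s["attempts"], s["no_reply"], s["seconds"], s["stuck"])
```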
