On Thu, Jun 5, 2014 at 4:13 PM, Bjoern Schwabe <[email protected]> wrote:
> Yes, on the server seem to be now error in the logs.
>

Did you turn on debugging and restart the processes? I think you said
the packets are making it to the manager, but is the manager
responding? Do the packets look like they are coming from the IP
addresses added when the agent was configured with manage_agents on
the manager?

> On the client however is:
> 2014/06/05 21:10:55 ossec-agent: WARN: Process locked. Waiting for
> permission...
> 2014/06/05 21:11:06 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '172.16.215.143'.
> 2014/06/05 21:11:08 ossec-agent: INFO: Trying to connect to server
> (172.16.215.143:1514).
> 2014/06/05 21:11:08 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
> 2014/06/05 21:11:29 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '172.16.215.143'.
> 2014/06/05 21:11:49 ossec-agent: INFO: Trying to connect to server
> (172.16.215.143:1514).
> 2014/06/05 21:11:49 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
> 2014/06/05 21:12:10 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '172.16.215.143'.
>
> On Thursday, 5 June 2014 00:18:02 UTC+1, dan (ddpbsd) wrote:
>>
>>
>> On Jun 4, 2014 4:36 PM, "Bjoern Schwabe" <[email protected]> wrote:
>> >
>> > Dan,
>> > thank you for taking interest in this issue.
>> >
>> > Yes, there is an ossec.log file.
>> > I have restarted the server and several times the client to see what
>> > happens to the log file:
>> > http://i.imgur.com/OOEMtyI.png
>> > (Not much)
>> >
>> > Server IP:
>> > http://imgur.com/Y5FgKRb
>> >
>> > Here is a server shot from tcpdump filtered where source ip address =
>> > agent's address
>> >
>> > + netstat -tulpn that ossec-remoted is listening on 1514 udp port
>> > http://i.imgur.com/MAs7mBy.png
>> >
>> > Sorry for the screenshots, but I cannot copy paste from the console to
>> > the host system.
>> >
>> > On the agent the log looks like this:
>> > http://pastebin.com/B5cBkvWv
>> >
>>
>> I don't see any connection errors in that log. Did I miss them?
>>
>> > So the IP addresses are the same.
>> >
>> > It is the only agent running.
>> >
>> > When I open, as an administrator, cmd on the client machine, and call
>> > the manage_agents.exe the following output is shown:
>> > C:\Program Files\ossec-agent>manage_agents.exe
>> > 2014/06/04 20:44:07 manage-agents: Could not run GetModuleFileName with
>> > returned
>> > (127).
>> >
>> > I am really confused where the problem could lie, I have followed the
>> > tutorials such as http://ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf
>> >
>> > On Wednesday, 4 June 2014 13:51:20 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]>
>> >> wrote:
>> >> > Hey guys,
>> >> >
>> >> > I have been having troubles configuring agents and establishing
>> >> > communication between the OSSEC server I have set up and the agent.
>> >> >
>> >> > The configuration:
>> >> > Server: Debian Wheezy - standard installation from github with
>> >> > option:
>> >> > server
>> >> > Client: Windows XP - Simple Agent from Github
>> >> >
>> >> > All of this runs on VMWare Workstation - I tried it both with NAT and
>> >> > Host-to-host routing.
>> >> >
>> >> > There is no firewall installed either on a VM nor in between them.
>> >> >
>> >> > I can see the UDP packets coming FROM the Windows Agent TO the debian
>> >> > server
>> >> >
>> >> > In the Windows Agent however I get the 4101 error as described here:
>> >> >
>> >> > http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
>> >> >
>> >> > The keys have been transferred correctly.
>> >> >
>> >> > It is a fresh debian setup with just the essentials being installed.
>> >> >
>> >> > I have also explicitly set the local_ip and port options in the
>> >> > <remote>
>> >> > configuration in /var/ossec/etc/ossec.conf
>> >> >
>> >> > IPs + Subnet range is whitelisted
>> >> >
>> >> > The Client has been restarted and run under System / User rights
>> >> > The server, the ossec server and the networking has been restarted
>> >> > several
>> >> > times between configuration changes.
>> >> >
>> >> > The ossec server logs and the WUI shows events such as - tcpdump has
>> >> > been
>> >> > started, root has logged in etc. But it does not show the windows
>> >> > agent
>> >> >
>> >> > What could be the problem?
>> >> >
>> >> > Any help is highly appreciated!
>> >> >
>> >>
>> >> Are there any logs in the manager's ossec.log? Try turning on debug
>> >> (`/var/ossec/bin/ossec-control enable debug &&
>> >> /var/ossec/bin/ossec-control restart`) and check again.
>> >> Do the agents have multiple IP addresses? Are they using the correct
>> >> IP when contacting the manager?
>> >>
>> >> > Best
>> >> > R
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
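
The check asked about at the top of this reply (whether packets reach the manager from the address registered with manage_agents) can be run against the manager's client.keys and a `tcpdump -n` capture. This is an added example, not part of the original thread; it assumes the `ID NAME IP KEY` line layout with the IP field being a single address, a CIDR range or `any`, and the key entries and captured packets are constructed (the capture shows a source other than the registered one, as can happen behind NAT).

```python
import ipaddress
import re

# Constructed samples. client.keys is assumed to hold "ID NAME IP KEY" per
# line; the keys are placeholders and the agent addresses are made up.
CLIENT_KEYS = """\
001 winxp-agent 172.16.215.150 PLACEHOLDER_KEY_1
002 lab-range 10.20.0.0/24 PLACEHOLDER_KEY_2
"""
TCPDUMP_LINES = """\
21:11:08.120001 IP 172.16.215.1.1045 > 172.16.215.143.1514: UDP, length 73
21:11:49.120002 IP 172.16.215.1.1045 > 172.16.215.143.1514: UDP, length 73
"""
# "tcpdump -n" IPv4 line: time, "IP", src.port, ">", dst.port
PACKET = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_client_keys(text):
    """Return (agent_id, network) pairs; network is None for 'any'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        agent_id, _name, ip_field, _key = fields
        try:
            net = (None if ip_field.lower() == "any"
                   else ipaddress.ip_network(ip_field, strict=False))
        except ValueError:
            continue  # unparseable address field
        entries.append((agent_id, net))
    return entries


def agents_for_source(entries, source_ip):
    """IDs of agents whose registered address covers this source IP."""
    src = ipaddress.ip_address(source_ip)
    return [aid for aid, net in entries
            if net is None or (net.version == src.version and src in net)]


def unregistered_sources(keys_text, tcpdump_text, port=1514):
    """Source IPs sending to the manager port that match no agent entry."""
    entries = parse_client_keys(keys_text)
    sources = {m.group(1) for m in PACKET.finditer(tcpdump_text)
               if int(m.group(4)) == port}
    return sorted(s for s in sources if not agents_for_source(entries, s))


if __name__ == "__main__":
    print(unregistered_sources(CLIENT_KEYS, TCPDUMP_LINES))
```

An empty result means every sender on port 1514 is covered by some agent entry; any address it returns is one the manager has no key registered for.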
