I have now reinstalled version 2.8 for both agent and server. Before, I used the server from GitHub; now I am using the stable version with debug mode on.

I have also deleted the agent via manage_agents on the server and added a new one, and configured a static IP on the client. The log is now filling up like this on the server:

2014/06/05 21:42:05 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:11 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:15 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:20 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:26 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:43:04 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:43:10 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:43:14 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:43:19 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:43:25 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.

The client.keys looks like this:

002 xp2 172.16.215.128 c3e69f757b182a39aa78e73824f6673b720c01fe8a24d92f74be647d40671fc3

The service and the client have been restarted after each step/change. I am using PuTTY from the XP machine to transfer the key to the client via copy and paste.

The FAQ says:

How to fix it:
- Check if you imported the right authentication keys into the agent.
- Check if the IP address is correctly.
- You can also try to remove the agent (using manage_agents), add it back again and re-import the keys into the agent. Make sure to restart the server (first) and then the agent after that.

I did all of these.

----

I was about to send this, but did all of it several times and deleted the keys and pressed save on the agent. Then reimported the key again. Restarted everything again - now it is working.
I have no idea what happened. But it is solved.

On Thursday, 5 June 2014 21:36:44 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jun 5, 2014 at 4:13 PM, Bjoern Schwabe <[email protected]> wrote:
> > Yes, on the server there seems to be no error in the logs.
> >
>
> Did you turn on debugging and restart the processes? I think you said
> the packets are making it to the manager, but is the manager
> responding? Do the packets look like they are coming from the IP
> addresses added when the agent was configured with manage_agents on
> the manager?
>
> > On the client however is:
> > 2014/06/05 21:10:55 ossec-agent: WARN: Process locked. Waiting for permission...
> > 2014/06/05 21:11:06 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
> > 2014/06/05 21:11:08 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
> > 2014/06/05 21:11:08 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
> > 2014/06/05 21:11:29 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
> > 2014/06/05 21:11:49 ossec-agent: INFO: Trying to connect to server (172.16.215.143:1514).
> > 2014/06/05 21:11:49 ossec-agent: INFO: Using IPv4 for: 172.16.215.143 .
> > 2014/06/05 21:12:10 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.16.215.143'.
> >
> > On Thursday, 5 June 2014 00:18:02 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Jun 4, 2014 4:36 PM, "Bjoern Schwabe" <[email protected]> wrote:
> >> >
> >> > Dan,
> >> > thank you for taking interest in this issue.
> >> >
> >> > Yes, there is an ossec.log file.
> >> > I have restarted the server and several times the client to see what
> >> > happens to the log file:
> >> > http://i.imgur.com/OOEMtyI.png
> >> > (Not much)
> >> >
> >> > Server IP:
> >> > http://imgur.com/Y5FgKRb
> >> >
> >> > Here is a server shot from tcpdump filtered where source ip address =
> >> > agent's address
> >> >
> >> > + netstat -tulpn that ossec-remoted is listening on 1514 udp port
> >> > http://i.imgur.com/MAs7mBy.png
> >> >
> >> > Sorry for the screenshots, but I cannot copy paste from the console to
> >> > the host system.
> >> >
> >> > On the agent the log looks like this:
> >> > http://pastebin.com/B5cBkvWv
> >> >
> >>
> >> I don't see any connection errors in that log. Did I miss them?
> >>
> >> > So the IP addresses are the same.
> >> >
> >> > It is the only agent running.
> >> >
> >> > When I open, as an administrator, cmd on the client machine, and call
> >> > the manage_agents.exe the following output is shown:
> >> > C:\Program Files\ossec-agent>manage_agents.exe
> >> > 2014/06/04 20:44:07 manage-agents: Could not run GetModuleFileName with returned (127).
> >> >
> >> > I am really confused where the problem could lie, I have followed the
> >> > tutorials such as http://ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf
> >> >
> >> > On Wednesday, 4 June 2014 13:51:20 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe <[email protected]> wrote:
> >> >> > Hey guys,
> >> >> >
> >> >> > I have been having troubles configuring agents and establishing
> >> >> > communication between the OSSEC server I have set up and the agent.
> >> >> >
> >> >> > The configuration:
> >> >> > Server: Debian Wheezy - standard installation from GitHub with option: server
> >> >> > Client: Windows XP - Simple Agent from GitHub
> >> >> >
> >> >> > All of this runs on VMware Workstation - I tried it both with NAT and
> >> >> > host-to-host routing.
> >> >> >
> >> >> > There is no firewall installed either on a VM nor in between them.
> >> >> >
> >> >> > I can see the UDP packets coming FROM the Windows agent TO the Debian server.
> >> >> >
> >> >> > In the Windows agent however I get the 4101 error as described here:
> >> >> > http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
> >> >> >
> >> >> > The keys have been transferred correctly.
> >> >> >
> >> >> > It is a fresh Debian setup with just the essentials being installed.
> >> >> >
> >> >> > I have also explicitly set the local_ip and port options in the <remote>
> >> >> > configuration in /var/ossec/etc/ossec.conf
> >> >> >
> >> >> > IPs + subnet range are whitelisted.
> >> >> >
> >> >> > The client has been restarted and run under System / User rights.
> >> >> > The server, the OSSEC server and the networking have been restarted several
> >> >> > times between configuration changes.
> >> >> >
> >> >> > The OSSEC server logs and the WUI show events such as: tcpdump has been
> >> >> > started, root has logged in etc. But it does not show the Windows agent.
> >> >> >
> >> >> > What could be the problem?
> >> >> >
> >> >> > Any help is highly appreciated!
> >> >> >
> >> >>
> >> >> Are there any logs in the manager's ossec.log? Try turning on debug
> >> >> (`/var/ossec/bin/ossec-control enable debug &&
> >> >> /var/ossec/bin/ossec-control restart`) and check again.
> >> >> Do the agents have multiple IP addresses? Are they using the correct
> >> >> IP when contacting the manager?
> >> >>
> >> >> > Best
> >> >> > R
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> >> > email to [email protected].
> >> >> > For more options, visit https://groups.google.com/d/optout.
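An added example, not code from the thread or from OSSEC itself: it reads client.keys (the `id name ip key` format shown above) and the manager's ossec.log, counts the "Incorrectly formated message" errors per source IP, and reports whether each erroring IP has a registered agent. That separates the case in this thread (IP registered, so the agent's imported key is the suspect) from an agent sending from an IP other than the one added with manage_agents. The sample data is constructed and the key is a placeholder.

```python
import re
from collections import Counter

# Constructed samples modelled on the thread; the key is a placeholder, not a real agent key.
SAMPLE_CLIENT_KEYS = """\
002 xp2 172.16.215.128 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""
SAMPLE_OSSEC_LOG = """\
2014/06/05 21:42:05 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:11 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:15 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.16.215.128'.
2014/06/05 21:42:20 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.0.77'.
2014/06/05 21:42:26 ossec-analysisd: INFO: Started (pid: 1410).
"""
# Matches the remoted error line exactly as OSSEC writes it (including its "formated" spelling).
REMOTED_ERR = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-remoted\(\d+\): "
    r"ERROR: Incorrectly formated message from '(?P<ip>[^']+)'\.$"
)

def parse_client_keys(text):
    """Map agent IP -> (id, name) from client.keys lines of the form: id name ip key."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        agent_id, name, ip, _key = parts
        agents[ip] = (agent_id, name)
    return agents

def count_remoted_errors(text):
    """Count 'Incorrectly formated message' errors per source IP in ossec.log text."""
    counts = Counter()
    for line in text.splitlines():
        m = REMOTED_ERR.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def triage(keys_text, log_text):
    """Pair each erroring source IP with its client.keys entry (if any) and a likely cause."""
    agents = parse_client_keys(keys_text)
    report = {}
    for ip, n in count_remoted_errors(log_text).items():
        if ip in agents:
            hint = "registered; agent probably holds a stale or mis-pasted key"
        else:
            hint = "not registered; agent is sending from an IP other than the one added"
        report[ip] = {"count": n, "agent": agents.get(ip), "hint": hint}
    return report
```

Run it against a real /var/ossec/etc/client.keys and /var/ossec/logs/ossec.log to see which agents need a key re-import and which need their registered IP corrected.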
