OK here is some output :)

Client (agent side)

lab_webfarm [[email protected] ~]# /var/ossec/bin/ossec-control status
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd is running...
lab_webfarm [[email protected] ~]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-execd already running...
2014/08/03 10:07:38 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
2014/08/03 10:07:41 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/03 10:07:41 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/03 10:07:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/03 10:07:49 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/03 10:08:02 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/03 10:08:02 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start
lab_webfarm [[email protected] ~]# dpkg -l | grep -i ossec
ii ossec-hids-agent 2.8-1wheezy amd64 OSSEC Agent - Host Based Intrusion Detection System
lab_webfarm [[email protected] ~]# ps aux | grep ossec
root 2391 0.0 0.1 12564 492 ? S Aug02 0:01 /var/ossec/bin/ossec-execd
root 21590 0.0 0.1 6304 588 pts/0 S+ 10:12 0:00 grep ossec
lab_webfarm [[email protected] ~]# service ossec status
ossec-logcollector: Process 21570 not used by ossec, removing ..
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-agentd: Process 21565 not used by ossec, removing ..
ossec-agentd not running...
ossec-execd is running...
lab_webfarm [[email protected] ~]# cat /etc/debian_version
7.5
lab_webfarm [[email protected] ~]#

OSSIM Server

alienvault:~# ps aux | grep ossec
ossec 20538 0.0 0.0 12472 576 ? S 10:06 0:00 /var/ossec/bin/ossec-agentlessd -d
ossec 20548 1.4 0.0 13992 2324 ? S 10:06 0:03 /var/ossec/bin/ossec-analysisd -d
root 20552 0.1 0.0 4096 548 ? S 10:06 0:00 /var/ossec/bin/ossec-logcollector -d
ossecr 20558 0.0 0.0 31184 920 ? Sl 10:06 0:00 /var/ossec/bin/ossec-remoted -d
root 20563 0.2 0.0 4600 920 ? S 10:06 0:00 /var/ossec/bin/ossec-syscheckd -d
ossec 20567 0.0 0.0 12600 600 ? S 10:06 0:00 /var/ossec/bin/ossec-monitord -d
ossec 25577 0.0 0.0 9064 1228 ? S 10:09 0:00 sh -c /var/ossec/agentless/ssh_integrity_check_linux "@172.16.202.40" /bin /etc /sbin 2>&1
ossec 25578 0.1 0.0 35212 2500 ? Sl 10:09 0:00 expect /var/ossec/agentless/ssh_integrity_check_linux @172.16.202.40 /bin /etc /sbin
ossec 25580 0.1 0.0 38520 2792 pts/0 Ss+ 10:09 0:00 ssh @172.16.202.40
root 26170 0.0 0.0 6028 704 pts/2 S+ 10:10 0:00 grep --color=auto ossec
alienvault:~# service ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd not running...
ossec-dbd not running...
ossec-csyslogd not running...
ossec-agentlessd is running...
alienvault:~# cat /etc/debian_version
6.0.9
alienvault:~#

I know a couple of services aren't running, no idea why yet, but I do think for this it shouldn't be an issue?

On Saturday, August 2, 2014 5:25:49 PM UTC+2, Santiago Bassett wrote:
>
> As well, in case it helps, this is what I got in a new agent installation
> (which is working as I would expect).
>
> root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec
> ii ossec-hids-agent 2.8-1wheezy amd64 OSSEC Agent - Host Based Intrusion Detection System
>
> root@ip-10-0-0-242:/home/admin# service ossec status
> ossec-logcollector is running...
> ossec-syscheckd is running...
> ossec-agentd is running...
> ossec-execd is running...
>
> root@ip-10-0-0-242:/home/admin# ps aux | grep ossec
> root 2600 0.0 0.0 12560 504 ? S 15:10 0:00 /var/ossec/bin/ossec-execd
> ossec 2604 0.1 0.1 12848 928 ? S 15:10 0:00 /var/ossec/bin/ossec-agentd
> root 2608 0.0 0.0 4300 516 ? S 15:10 0:00 /var/ossec/bin/ossec-logcollector
> root 2611 0.6 0.1 4624 800 ? S 15:10 0:01 /var/ossec/bin/ossec-syscheckd
>
> root@ip-10-0-0-242:/home/admin# cat /etc/debian_version
> 7.2
>
> On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett <[email protected]> wrote:
>
>> Hi Jelle,
>>
>> ossec-hids-agent package should be the only one you need. Not sure why
>> you are getting these errors.
>>
>> The process to connect an agent to a server requires you to:
>>
>> - Run /var/ossec/bin/manage_agents and import the key from the server.
>> - Edit /var/ossec/etc/ossec.conf and set the server-ip variable.
>> - Restart ossec-hids (service ossec restart)
>>
>> Of course, previously to these steps, you would also need to add a new
>> agent on the manager (your OSSIM system in this case). You can also use
>> manage_agents for this (or do it from the GUI).
>>
>> If you already did this and it doesn't work, let's try to figure out what
>> the issue is. Please if possible let me know what Debian version you are
>> using. As well please double check that ossec-remoted process is running on
>> the server.
>>
>> The output of these commands would help:
>>
>> ps aux | grep ossec (both for the agent and your ossim box, the manager)
>> dpkg -l | grep -i ossec
>> service ossec status
>> cat /etc/debian_version
>>
>> Thank you,
>>
>> Santiago.
>>
>> On Sat, Aug 2, 2014 at 2:02 AM, Jelle B. <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I have this issue which seems to normally be server related but I might
>>> be wrong.
>>>
>>> I am trying to set up a collection of Debian hosts to connect with agent
>>> to my OSSIM appliance.
>>>
>>> Now with my first test host I run into a problem, as I will have to
>>> redistribute the software via puppet I want to use the Debian repository
>>> and as such I thought installing the ossec-hids-agent package would install
>>> all I would need except the client key but then ...
>>>
>>> lab_webfarm [[email protected] etc]# service ossec start
>>> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>>> Deleting PID file '/var/ossec/var/run/ossec-logcollector-20693.pid' not used...
>>> Deleting PID file '/var/ossec/var/run/ossec-agentd-20689.pid' not used...
>>> ossec-execd already running...
>>> 2014/08/02 10:59:55 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>>> Started ossec-agentd...
>>> 2014/08/02 10:59:55 ossec-logcollector: DEBUG: Starting ...
>>> Started ossec-logcollector...
>>> 2014/08/02 10:59:55 ossec-syscheckd: DEBUG: Starting ...
>>> 2014/08/02 10:59:55 ossec-rootcheck: DEBUG: Starting ...
>>> 2014/08/02 10:59:55 ossec-rootcheck: Starting queue ...
>>> 2014/08/02 10:59:58 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 10:59:58 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:06 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:06 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:19 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> ossec-syscheckd did not start
>>> lab_webfarm [[email protected] etc]# service ossec status
>>> ossec-logcollector: Process 20732 not used by ossec, removing ..
>>> ossec-logcollector not running...
>>> ossec-syscheckd not running...
>>> ossec-agentd: Process 20728 not used by ossec, removing ..
>>> ossec-agentd not running...
>>> ossec-execd is running...
>>> lab_webfarm [[email protected] etc]#
>>>
>>> I assume I am missing something, do I need the ossec-hids package
>>> as well, and if so why is it not installed as a dependency to
>>> ossec-hids-agent ;-)
>>>
>>> Any help and pointers in the right direction would be helpful.
>>>
>>> Regards,
>>> J.
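
An added example, not part of the thread and not OSSEC's own tooling: a shell pre-flight check for the agent-side steps listed in the quoted reply (key imported, server-ip set), plus a helper that lists the daemons a status run reports as "not running". The function names are hypothetical, and the paths /var/ossec/etc/client.keys and /var/ossec/etc/ossec.conf assume the stock install layout.

```shell
#!/bin/sh
# Added example (not from the thread): checks an agent install for the
# prerequisites listed in the quoted reply. Paths assume a stock layout.

# check_agent_prereqs [DIR]: returns 0 only if a key is present and
# <server-ip> has a value. DIR defaults to /var/ossec.
check_agent_prereqs() {
    dir="${1:-/var/ossec}"
    keys="$dir/etc/client.keys"
    conf="$dir/etc/ossec.conf"
    rc=0

    # Step 1: manage_agents writes the imported key to client.keys.
    if [ -s "$keys" ]; then
        echo "OK   $keys has $(grep -c . "$keys") key line(s)"
    else
        echo "FAIL $keys is missing or empty: import the key first"
        rc=1
    fi

    # Step 2: <server-ip> in ossec.conf must carry a value.
    ip=$(sed -n 's|.*<server-ip>[[:space:]]*\([^<[:space:]]*\).*|\1|p' \
        "$conf" 2>/dev/null | head -n 1)
    if [ -n "$ip" ]; then
        echo "OK   server-ip is $ip"
    else
        echo "FAIL no <server-ip> value found in $conf"
        rc=1
    fi
    return "$rc"
}

# stopped_daemons: reads `ossec-control status` output on stdin and prints
# the daemons reported as "not running", space-separated. PID-cleanup lines
# ("Process N not used by ossec, removing ..") are ignored.
stopped_daemons() {
    sed -n 's/^\(ossec-[a-z]*\) not running\.\.\.[[:space:]]*$/\1/p' |
        paste -s -d ' ' -
}
```

Run `check_agent_prereqs` as root on the agent, and pipe `/var/ossec/bin/ossec-control status` into `stopped_daemons` after the restart step.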
