Great news. Do you know what caused the permissions issue? Thank you! Santiago.
On Sun, Aug 3, 2014 at 1:41 AM, Jelle B. <[email protected]> wrote:

> Found it, can't believe I overlooked this .......
>
> My client.keys file had the wrong ownership. After changing it to ossec it
> started right up.
>
> Thanks for your help
>
> On Saturday, August 2, 2014 5:25:49 PM UTC+2, Santiago Bassett wrote:
>
>> As well, in case it helps, this is what I got in a new agent
>> installation (which is working as I would expect).
>>
>> root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec
>> ii ossec-hids-agent 2.8-1wheezy amd64 OSSEC Agent - Host Based Intrusion Detection System
>>
>> root@ip-10-0-0-242:/home/admin# service ossec status
>> ossec-logcollector is running...
>> ossec-syscheckd is running...
>> ossec-agentd is running...
>> ossec-execd is running...
>>
>> root@ip-10-0-0-242:/home/admin# ps aux | grep ossec
>> root 2600 0.0 0.0 12560 504 ? S 15:10 0:00 /var/ossec/bin/ossec-execd
>> ossec 2604 0.1 0.1 12848 928 ? S 15:10 0:00 /var/ossec/bin/ossec-agentd
>> root 2608 0.0 0.0 4300 516 ? S 15:10 0:00 /var/ossec/bin/ossec-logcollector
>> root 2611 0.6 0.1 4624 800 ? S 15:10 0:01 /var/ossec/bin/ossec-syscheckd
>>
>> root@ip-10-0-0-242:/home/admin# cat /etc/debian_version
>> 7.2
>>
>> On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett <[email protected]> wrote:
>>
>>> Hi Jelle,
>>>
>>> ossec-hids-agent package should be the only one you need. Not sure why
>>> you are getting these errors.
>>>
>>> The process to connect an agent to a server requires you to:
>>>
>>> - Run /var/ossec/bin/manage_agents and import the key from the server.
>>> - Edit /var/ossec/etc/ossec.conf and set the server-ip variable.
>>> - Restart ossec-hids (service ossec restart)
>>>
>>> Of course, prior to these steps, you would also need to add a new
>>> agent on the manager (your OSSIM system in this case). You can also use
>>> manage_agents for this (or do it from the GUI).
>>>
>>> If you already did this and it doesn't work, let's try to figure out what
>>> the issue is. Please if possible let me know what Debian version you are
>>> using. As well, please double check that the ossec-remoted process is
>>> running on the server.
>>>
>>> The output of these commands would help:
>>>
>>> ps aux | grep ossec (both for the agent and your ossim box, the manager)
>>> dpkg -l | grep -i ossec
>>> service ossec status
>>> cat /etc/debian_version
>>>
>>> Thank you,
>>>
>>> Santiago.
>>>
>>> On Sat, Aug 2, 2014 at 2:02 AM, Jelle B. <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have this issue which seems to normally be server related, but I might
>>>> be wrong.
>>>>
>>>> I am trying to set up a collection of Debian hosts to connect with agent
>>>> to my OSSIM appliance.
>>>>
>>>> Now with my first test host I run into a problem. As I will have to
>>>> redistribute the software via puppet, I want to use the Debian repository,
>>>> and as such I thought installing the ossec-hids-agent package would install
>>>> all I would need except the client key, but then ...
>>>>
>>>> lab_webfarm [[email protected] etc]# service ossec start
>>>> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>>>> Deleting PID file '/var/ossec/var/run/ossec-logcollector-20693.pid' not used...
>>>> Deleting PID file '/var/ossec/var/run/ossec-agentd-20689.pid' not used...
>>>> ossec-execd already running...
>>>> 2014/08/02 10:59:55 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>>>> Started ossec-agentd...
>>>> 2014/08/02 10:59:55 ossec-logcollector: DEBUG: Starting ...
>>>> Started ossec-logcollector...
>>>> 2014/08/02 10:59:55 ossec-syscheckd: DEBUG: Starting ...
>>>> 2014/08/02 10:59:55 ossec-rootcheck: DEBUG: Starting ...
>>>> 2014/08/02 10:59:55 ossec-rootcheck: Starting queue ...
>>>> 2014/08/02 10:59:58 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2014/08/02 10:59:58 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2014/08/02 11:00:06 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2014/08/02 11:00:06 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2014/08/02 11:00:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2014/08/02 11:00:19 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>> ossec-syscheckd did not start
>>>> lab_webfarm [[email protected] etc]# service ossec status
>>>> ossec-logcollector: Process 20732 not used by ossec, removing ..
>>>> ossec-logcollector not running...
>>>> ossec-syscheckd not running...
>>>> ossec-agentd: Process 20728 not used by ossec, removing ..
>>>> ossec-agentd not running...
>>>> ossec-execd is running...
>>>> lab_webfarm [[email protected] etc]#
>>>>
>>>> I assume I am missing something. Do I need the ossec-hids package
>>>> as well, and if so why is it not installed as a dependency to
>>>> ossec-hids-agent ;-)
>>>>
>>>> Any help and pointers in the right direction would be helpful.
>>>>
>>>> Regards,
>>>> J.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
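
The ownership problem resolved in this thread, as an added example that is not part of the original messages: a check that can run on each agent after the key is distributed (for instance from puppet) and before `service ossec start`. The function names and return codes are hypothetical, the default path is the usual OSSEC location for client.keys, and the "no access for other users" test is an added assumption based on the file holding the agent's shared key.

```shell
#!/bin/sh
# Added example (not from the thread): check the agent key file's owner and mode.
# Usage: check_client_keys [FILE] [USER]
# Returns 0 = ok, 1 = missing, 2 = wrong owner, 3 = accessible to "other".

# Print "owner octal-mode" for a file (GNU stat, BSD stat as fallback).
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

check_client_keys() {
    keyfile=${1:-/var/ossec/etc/client.keys}   # usual OSSEC location (assumed)
    want=${2:-ossec}                           # owner that fixed it in the thread

    if [ ! -f "$keyfile" ]; then
        echo "MISSING $keyfile: import the key with manage_agents"
        return 1
    fi

    info=$(owner_and_mode "$keyfile") || return 1
    owner=${info% *}
    mode=${info##* }
    other=${mode#"${mode%?}"}                  # last octal digit = "other" bits

    if [ "$owner" != "$want" ]; then
        echo "WRONG OWNER $keyfile: $owner (expected $want)"
        return 2
    fi
    if [ "$other" != "0" ]; then
        echo "TOO OPEN $keyfile: mode $mode lets any local user touch the key"
        return 3
    fi
    echo "OK $keyfile: owner $owner, mode $mode"
}
```

Calling `check_client_keys` with no arguments checks the default path against the `ossec` user; a non-zero return can gate the service start in a deployment script.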
