Hi again Dan,

Cheers for helping me out with this. I was indeed prompted for a password after the HP advertisement, however I input the correct password and it still timed out.

Everything switch side is configured properly so this has to be a config issue within Ossec. I'll give -d a try tomorrow and see what info it gives, I'd say it roughly times out after about 20 seconds but can't be sure. Any chance you could screenshot your configuration for ossec.conf, ssh.exp and ssh_generic_diff? I know it's a pain but perhaps I have something missing as my passlist file looks like you suggest.

Thanks again :)

On Tuesday, 12 August 2014 16:54:30 UTC+1, dan (ddpbsd) wrote:
> On Tue, Aug 12, 2014 at 11:36 AM, dan (ddp) <[email protected]> wrote:
> > On Tue, Aug 12, 2014 at 11:22 AM, Andreas Fantides
> > <[email protected]> wrote:
> >> Hi Dan,
> >>
> >> I run the test and can see that it logs onto the HP Switch and you get the
> >> same message displayed that you would if you used PuTTy to connect, however
> >> it then seems to kick you out and ask for the password again?......
> >>
> >> I've attached another screenshot.
> >>
> >
> > Did you try typing the password in? If so, it doesn't look like it's
> > catching the password prompt properly, the timeout happens because
> > there is no authentication taking place and the ssh connection times
> > out. Could you get rid of the HP advertisement to see if that helps?
> > You can also add the "-d" flag to expect to see if that provides more
> > useful information.
> >
>
> I just set up a linux box to look similar (same advertisement, the
> prompt looks basically the same). It works fine for me. Make sure your
> /var/ossec/agentlessd/.passlist looks something like:
> [email protected]|YEsTaS87|
>
> If you run `ssh [email protected] "show config"` do you get the
> output you expect (after typing in the password)?
>
> About how long does it take to timeout?
>
> >
> >>
> >>
> >> On Tuesday, 12 August 2014 14:44:21 UTC+1, dan (ddpbsd) wrote:
> >>>
> >>> On Tue, Aug 12, 2014 at 9:40 AM, Andreas Fantides
> >>> <[email protected]> wrote:
> >>> > Hi Dan,
> >>> >
> >>> > I have moved all of Ossec to the /var/ossec directory and confirmed that
> >>> > everything is started, working and reporting, but am still having no luck
> >>> > with agentless.
> >>> >
> >>> > I have tried your command and received the output in the attachment. Any
> >>> > ideas?
> >>> >
> >>>
> >>> Try `expect agentless/ssh_generic_diff HOST` or something like that.
> >>> I think that's what you wanted to run.
> >>>
> >>> > Many thanks
> >>> > Andreas
> >>> >
> >>> >
> >>> > On Tuesday, 12 August 2014 13:33:42 UTC+1, Andreas Fantides wrote:
> >>> >>
> >>> >> Cheers Dan, I think you might be on to something here, I'll test and
> >>> >> report back....
> >>> >>
> >>> >> On Tuesday, 12 August 2014 12:11:27 UTC+1, dan (ddpbsd) wrote:
> >>> >>>
> >>> >>> On Tue, Aug 12, 2014 at 6:54 AM, Andreas Fantides
> >>> >>> <[email protected]> wrote:
> >>> >>> > Hi Dan, and thanks for the information. How do I run manually
> >>> >>> > though?
> >>> >>> >
> >>> >>>
> >>> >>> `cd /var/ossec && expect agentless/script`
> >>> >>>
> >>> >>> I think it expects to be run from /var/ossec.
> >>> >>>
> >>> >>> > I have attached my expect script and can't see anything wrong, but
> >>> >>> > was wondering if anyone could take a look?
> >>> >>> >
> >>> >>> > Cheers.
> >>> >>> >
> >>> >>> >
> >>> >>> > On Monday, 11 August 2014 17:49:28 UTC+1, dan (ddpbsd) wrote:
> >>> >>> >>
> >>> >>> >> On Sun, Aug 10, 2014 at 9:20 AM, Andreas Fantides
> >>> >>> >> <[email protected]> wrote:
> >>> >>> >> > I've been really struggling to get agentless monitoring set up
> >>> >>> >> > and working with HP Procurve 2524 switches.
> >>> >>> >> >
> >>> >>> >> > I have done the following:
> >>> >>> >> >
> >>> >>> >> > · Enabled agentless on the Ossec server.
> >>> >>> >> >
> >>> >>> >> > · Registered the switch using a password like this
> >>> >>> >> > [email protected] Password (I am assuming that you place the
> >>> >>> >> > user/login name to ssh into the switch before the @, and the
> >>> >>> >> > password is the ssh password)
> >>> >>> >> >
> >>> >>> >> > · Set Ossec config for ssh_generic_diff, with [email protected] as
> >>> >>> >> > the host, argument is show config
> >>> >>> >> >
> >>> >>> >> > · I have enabled logging to my server on the switch
> >>> >>> >> >
> >>> >>> >> > · Added my server as an ip-authorised manager on the switch
> >>> >>> >> >
> >>> >>> >> > · Enabled ssh on the switch (can PuTTy in)
> >>> >>> >> >
> >>> >>> >> > Yet after all this agentless doesn't want to work and in the
> >>> >>> >> > ossec.log it says test passed for ssh_generic_diff, but then
> >>> >>> >> > shows that agentless times out and won't connect to the switch.
> >>> >>> >> >
> >>> >>> >> > Can anyone help?
> >>> >>> >> >
> >>> >>> >>
> >>> >>> >> Try running it manually. I'm guessing the login doesn't quite look
> >>> >>> >> the way "expect" expects.
> >>> >>> >> I don't know a whole lot about it, but I think the list could help
> >>> >>> >> to get it working. Knowing what the SSH login looks like, and what
> >>> >>> >> commands you need run would help.
> >>> >>> >>
> >>> >>> >> > --
> >>> >>> >> >
> >>> >>> >> > ---
> >>> >>> >> > You received this message because you are subscribed to the
> >>> >>> >> > Google Groups "ossec-list" group.
> >>> >>> >> > To unsubscribe from this group and stop receiving emails from it,
> >>> >>> >> > send an email to [email protected].
> >>> >>> >> > For more options, visit https://groups.google.com/d/optout.
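
The thread asks that each `.passlist` entry look like `user@host|password|`. As an added example (not from the thread and not part of OSSEC), the script below checks a passlist for that shape, for stray carriage returns and for a world-readable file, without ever printing a password. The treatment of text after the second `|` as optional and the 192.0.2.x sample hosts are assumptions.

```shell
#!/bin/sh
# Added example, not part of OSSEC. Entry shape assumed from the thread:
#   user@host|password|      (text after the second "|" is not inspected)
CR=$(printf '\r')

# Print "ok" or the first problem found in one line; never echoes the password.
check_passlist_line() {
    line=$1
    case $line in
        *"$CR")    echo "carriage return at end of line"; return 1 ;;
        *"|"*"|"*) ;;
        *)         echo "expected user@host|password|"; return 1 ;;
    esac
    target=${line%%|*}      # text before the first "|"
    rest=${line#*|}
    pass=${rest%%|*}        # text between the first and second "|"
    case $target in
        *" "*) echo "space in host field"; return 1 ;;
        ?*@?*) ;;
        *)     echo "host field is not user@host"; return 1 ;;
    esac
    [ -n "$pass" ] || { echo "empty password field"; return 1; }
    echo "ok"
}

# Check the permissions and every non-empty line of FILE.
# Returns 0 only when nothing was flagged.
check_passlist() {
    file=$1; bad=0; n=0
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "$file: world-readable, but holds plaintext passwords"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        msg=$(check_passlist_line "$line") || { echo "line $n: $msg"; bad=1; }
    done < "$file"
    return "$bad"
}
if [ -n "${1:-}" ]; then
    check_passlist "$1"
else
    # Constructed sample, not real credentials: line 2 lacks the trailing "|".
    tmp=$(mktemp)
    printf '%s\n' 'admin@192.0.2.10|Example1|' 'admin@192.0.2.11|Example2' > "$tmp"
    check_passlist "$tmp" || true
    rm -f "$tmp"
fi
```

Run it with the passlist path as the only argument, for example `/var/ossec/agentlessd/.passlist`; with no argument it checks the constructed sample.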
