Yes... here's my ossec.log, attached. 2014-10-24 14:17 GMT+02:00 dan (ddp) <[email protected]>:
> On Fri, Oct 24, 2014 at 8:16 AM, Mario d'Aniello <[email protected]> wrote:
>> OK, I verified with a working OSSEC server that list_agent won't show the
>> agent if it hasn't had a first access.
>> But my problem remains: an agent can't connect to a server installed on
>> openSUSE.
>> Is there anyone with an OSSEC server on openSUSE?
>
> Is there anything in the ossec.log files?
>
>> On 24 Oct 2014 13:37, "dan (ddp)" <[email protected]> wrote:
>>> On Fri, Oct 24, 2014 at 6:54 AM, Mario d'Aniello <[email protected]> wrote:
>>>> Hi all.
>>>> I recently installed ossec-hids-2.8.1, downloaded from the main site, on
>>>> openSUSE 13.1.
>>>> First I did a server installation and it seems that all went fine. Then I
>>>> added an agent with ./manage-agent, extracted the key and imported it to an
>>>> agent.
>>>>
>>>> But when I try to connect the agent, the agent won't connect to the
>>>> server.
>>>>
>>>> So I came back to see what's wrong with the server and I see a strange
>>>> thing.
>>>> In ./manage-agent I have the list of my agents. But if I use ./list_agents
>>>> there are no agents in the list, even with parameter -a (list all agents)
>>>> or -n (not connected).
>>>>
>>>> Is there any well-known problem/bug with that?
>>>
>>> Never heard of that issue.
>>>
>>>> On Tuesday, 28 January 2014 19:24:56 UTC+1, BMor wrote:
>>>>> OSSEC installs well on many Linux operating systems. Recently, I
>>>>> have begun using OpenSUSE (13.1 x64) and tried to use OSSEC on that
>>>>> system. For some reason it creates multiple new users, none of which
>>>>> are able to be used, and does not start up at boot, even though the
>>>>> installation confirms that the "int" file was modified to accomplish
>>>>> this task. I can log on to my account, but I am forced to issue the
>>>>> start command every time I want to start the program.
>>>>>
>>>>> I am new to the system, and do not consider myself a programmer. I
>>>>> only program for scientific purposes, and do not know many of the
>>>>> specifics that professional programmers do. Having said this, I posted
>>>>> a question on the OpenSUSE forum regarding this issue, and one person
>>>>> seems to suggest that it is a compatibility issue with OpenSUSE, and
>>>>> thus the program would need modification. I wish I could tell you what
>>>>> caused this issue, but I don't have that knowledge. Nevertheless,
>>>>> OpenSUSE is a popular distribution and I wanted to let you know of this
>>>>> issue.
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
2014/10/24 13:28:33 ossec-testrule: INFO: Reading local decoder file.
2014/10/24 13:28:33 ossec-testrule: INFO: Started (pid: 5907).
2014/10/24 13:28:33 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2014/10/24 13:28:33 ossec-execd: INFO: Started (pid: 5929).
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading local decoder file.
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2014/10/24 13:28:33 ossec-remoted: INFO: Started (pid: 5941).
2014/10/24 13:28:33 ossec-remoted: INFO: Started (pid: 5943).
2014/10/24 13:28:33 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2014/10/24 13:28:33 ossec-analysisd: INFO: Total rules enabled: '1310'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2014/10/24 13:28:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2014/10/24 13:28:33 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2014/10/24 13:28:33 ossec-analysisd: INFO: White listing IP: '192.133.28.1'
2014/10/24 13:28:33 ossec-analysisd: INFO: White listing IP: '192.133.28.7'
2014/10/24 13:28:33 ossec-analysisd: INFO: 3 IPs in the white list for active response.
2014/10/24 13:28:33 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2014/10/24 13:28:33 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2014/10/24 13:28:33 ossec-analysisd: INFO: Started (pid: 5933).
2014/10/24 13:28:34 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/10/24 13:28:34 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/10/24 13:28:34 ossec-remoted: INFO: No previous counter available for 'prova'.
2014/10/24 13:28:34 ossec-remoted: INFO: Assigning counter for agent prova: '0:0'.
2014/10/24 13:28:34 ossec-remoted: INFO: No previous sender counter.
2014/10/24 13:28:34 ossec-remoted: INFO: Assigning sender counter: 0:0
2014/10/24 13:28:34 ossec-monitord: INFO: Started (pid: 5953).
2014/10/24 13:28:36 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2014/10/24 13:28:36 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2014/10/24 13:28:38 ossec-syscheckd: INFO: Started (pid: 5949).
2014/10/24 13:28:38 ossec-rootcheck: INFO: Started (pid: 5949).
2014/10/24 13:28:38 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/10/24 13:28:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/10/24 13:28:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/10/24 13:28:38 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/10/24 13:28:38 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/10/24 13:28:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/10/24 13:28:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2014/10/24 13:28:39 ossec-logcollector: INFO: Monitoring output of command(360): df -h
2014/10/24 13:28:39 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2014/10/24 13:28:39 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2014/10/24 13:28:39 ossec-logcollector: INFO: Started (pid: 5937).
2014/10/24 13:29:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/10/24 13:29:40 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/10/24 13:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/10/24 13:43:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2014/10/24 13:43:44 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/10/24 13:52:41 ossec-rootcheck: INFO: Ending rootcheck scan.
2014/10/24 14:32:36 ossec-testrule: INFO: Reading local decoder file.
2014/10/24 14:32:36 ossec-testrule: INFO: Started (pid: 7154).
2014/10/24 14:32:37 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
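The posted server log answers part of the question on its own, and the following Python triage is an added example (not code from the thread or from the OSSEC project) of pulling those answers out mechanically: whether the secure ossec-remoted instance started and read client.keys, which agents it keyed and whether any of them has ever had a message accepted (a fresh '0:0' counter means none), and whether any ERROR is more than the expected code 1501, which the syslog-listener instance of remoted logs on every start of a default install before exiting. The sample input is an excerpt of the log posted above plus one constructed, hypothetical error line used to show how a non-benign remoted error is surfaced; the function and variable names are the example's own.

```python
"""Triage an OSSEC 2.8 server ossec.log for agent-connectivity problems.

Added example for this ossec-list thread; not code from the OSSEC project.
Assumes the ossec.log line format:  YYYY/MM/DD HH:MM:SS daemon[(code)]: LEVEL: message
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
COUNTER_RE = re.compile(r"Assigning counter for agent (\S+): '(\d+):(\d+)'")

# Code 1501 comes from the syslog-listener instance of ossec-remoted, which exits
# when its <remote> block has no <allowed-ips>; the separate 'secure' instance that
# serves agents keeps running, so this error does not explain an agent not connecting.
BENIGN = {("ossec-remoted", "1501")}


def parse(log_text):
    """Return one dict per line that matches the ossec.log format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def triage(log_text):
    """Summarise what the server log shows, and does not show, about agents."""
    r = {"remoted_started": 0, "keys_loaded": False, "agents_keyed": [],
         "agents_never_seen": [], "benign_errors": [], "real_errors": [],
         "remoted_after_startup": 0}
    startup_done = False
    for e in parse(log_text):
        d, code, lvl, msg = e["daemon"], e["code"], e["level"], e["msg"]
        if lvl in ("ERROR", "CRITICAL"):
            bucket = "benign_errors" if (d, code) in BENIGN else "real_errors"
            r[bucket].append((d, code, msg))
        if d != "ossec-remoted":
            continue
        if startup_done:                       # anything remoted says after key setup
            r["remoted_after_startup"] += 1
        if msg.startswith("Started"):
            r["remoted_started"] += 1
        elif "Reading authentication keys file" in msg:
            r["keys_loaded"] = True
        elif msg.startswith("Assigning sender counter"):
            startup_done = True                # last line of remoted's normal startup
        else:
            m = COUNTER_RE.match(msg)
            if m:
                name, hi, lo = m.groups()
                r["agents_keyed"].append(name)
                if (hi, lo) == ("0", "0"):     # no saved counter: never heard from
                    r["agents_never_seen"].append(name)
    return r


def verdict(r):
    """Turn the summary into findings a responder can act on."""
    out = []
    if r["remoted_started"] == 0:
        out.append("ossec-remoted never started; agents cannot connect.")
    if not r["keys_loaded"]:
        out.append("ossec-remoted did not read client.keys.")
    elif not r["agents_keyed"]:
        out.append("client.keys was read but contains no agents.")
    for d, code, msg in r["real_errors"]:
        out.append("unexpected error from %s(%s): %s" % (d, code, msg))
    if r["agents_never_seen"] and r["remoted_after_startup"] == 0 and not r["real_errors"]:
        out.append("server keyed %s with a fresh 0:0 counter and logged nothing after "
                   "startup: no error, but no evidence any agent traffic arrived. Check "
                   "UDP 1514 from the agent host, the server's host firewall, and the "
                   "agent's own ossec.log." % ", ".join(r["agents_never_seen"]))
    return out


# Excerpt of the log posted in the thread (the remoted-relevant lines).
POSTED_EXCERPT = """\
2014/10/24 13:28:33 ossec-remoted: INFO: Started (pid: 5941).
2014/10/24 13:28:33 ossec-remoted: INFO: Started (pid: 5943).
2014/10/24 13:28:33 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2014/10/24 13:28:33 ossec-analysisd: INFO: Started (pid: 5933).
2014/10/24 13:28:34 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/10/24 13:28:34 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/10/24 13:28:34 ossec-remoted: INFO: No previous counter available for 'prova'.
2014/10/24 13:28:34 ossec-remoted: INFO: Assigning counter for agent prova: '0:0'.
2014/10/24 13:28:34 ossec-remoted: INFO: No previous sender counter.
2014/10/24 13:28:34 ossec-remoted: INFO: Assigning sender counter: 0:0
2014/10/24 13:52:41 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

# Constructed, hypothetical failure line (not from the thread) appended to the excerpt.
FAILING_EXCERPT = POSTED_EXCERPT + (
    "2014/10/24 13:28:35 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' "
    "not accessible: 'Connection refused'.\n")

if __name__ == "__main__":
    for label, text in (("posted log", POSTED_EXCERPT), ("with constructed error", FAILING_EXCERPT)):
        print("==", label)
        for finding in verdict(triage(text)):
            print(" -", finding)
```

Run it as a script, or call triage() on the whole /var/ossec/logs/ossec.log. On the posted log it reports that the secure remoted started, loaded the key for 'prova' with a fresh 0:0 counter and then logged nothing, so the server side looks healthy and the remaining checks are on the path from the agent: whether UDP 1514 on the server is reachable from the agent host (SuSEfirewall2 is on by default in openSUSE 13.1 and does not open that port unless told to), and what the agent's own ossec.log says when it tries to connect.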
