On Fri, Oct 24, 2014 at 9:58 AM, Mario d'Aniello <[email protected]> wrote: > I tried stuffs like tcpdump or nmap but seems all ok on communication. > > > Now i tried to add my agent to a working ossec-server and all went fine. > Then i retried to add same agent to openSUSE-ossec-server, and still don't > work. So i checked file ossec.log of the agent and i see just 1 difference > from when it worked with first ossec-server, and when not with > openSUSE-ossec-server: > > When it tried to connect with openSUSE-ossec-server give me a warning: > "ossec-logcollector:WARN > : Process Locked. Waiting for permission..." > > Could be usefull to detect the problem? >
Maybe. I mean, that's a fairly generic message. I'd start by using tcpdump to see if the agent is communicating with the manager, and make sure replies are being sent (or even received). Troubleshooting is the first step in finding the issue, and since the log file isn't very helpful we'll have to look elsewhere. Troubleshooting a niche distro like suse will also complicate matters. > 2014-10-24 15:35 GMT+02:00 dan (ddp) <[email protected]>: > >> On Fri, Oct 24, 2014 at 9:32 AM, Mario d'Aniello <[email protected]> >> wrote: >> > What you mean with "manager" and how can i check if manager respond? >> > >> >> The manager is the OSSEC server. I try to say manager most of the time >> because some people get confused when I say "OSSEC server," thinking I >> mean the server that the agent is installed on. >> >> Try using tcpdump. >> tcpdump port 1514 and udp >> >> > 2014-10-24 14:52 GMT+02:00 dan (ddp) <[email protected]>: >> > >> >> On Fri, Oct 24, 2014 at 8:43 AM, Mario d'Aniello >> >> <[email protected]> >> >> wrote: >> >> > Yes... here's my ossec.log in attachment. >> >> > >> >> >> >> So, no. Nothing interesting in the ossec.log. >> >> Are the packets making it to the manager from the agent? >> >> Is there a firewall blocking them on the manager? >> >> Does the manager respond? >> >> >> >> > 2014-10-24 14:17 GMT+02:00 dan (ddp) <[email protected]>: >> >> > >> >> >> On Fri, Oct 24, 2014 at 8:16 AM, Mario d'Aniello >> >> >> <[email protected]> >> >> >> wrote: >> >> >> > Ok i verified with a working ossec server, that list_agent wont >> >> >> > show >> >> >> > the >> >> >> > agent if hadn't a first access. >> >> >> > But my problem still, an agent can't connect on a server installed >> >> >> > on >> >> >> > openSUSE. >> >> >> > There's anyone with an ossec server on openSUSE? >> >> >> > >> >> >> >> >> >> Is there anything in the ossec.log files? >> >> >> >> >> >> > Il 24/ott/2014 13:37 "dan (ddp)" <[email protected]> ha scritto: >> >> >> > >> >> >> > On Fri, Oct 24, 2014 at 6:54 AM, Mario d'Aniello >> >> >> > <[email protected]> >> >> >> > wrote: >> >> >> >> Hi all. >> >> >> >> I recently installed Ossec-hids-2.8.1 downloaded from main site, >> >> >> >> on >> >> >> >> openSUSE >> >> >> >> 13.1. >> >> >> >> First i did a Server installation and seems that all gone fine. >> >> >> >> Then >> >> >> >> i >> >> >> >> added >> >> >> >> an agent with ./manage-agent, extracted the key and imported to >> >> >> >> an >> >> >> >> agent. >> >> >> >> >> >> >> >> But when i try to connect the agent, the agent wont connect with >> >> >> >> the >> >> >> >> server. >> >> >> >> >> >> >> >> So i comeback to see what's wrong with the server and i see a >> >> >> >> strange >> >> >> >> thing. >> >> >> >> In ./manage-agent i have the list of my agent. But if i use >> >> >> >> ./list_agents >> >> >> >> there's no agents in list, even with parameter -a (list all >> >> >> >> agent) >> >> >> >> or >> >> >> >> -n >> >> >> >> (not connected). >> >> >> >> >> >> >> >> There's any problem\bug well know to that? >> >> >> >> >> >> >> >> >> >> >> > >> >> >> > Never heard of that issue. >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> Il giorno martedì 28 gennaio 2014 19:24:56 UTC+1, BMor ha >> >> >> >> scritto: >> >> >> >>> >> >> >> >>> OSSEC installs well on many Linux operating systems. Recently, >> >> >> >>> I >> >> >> >>> have begun using OpenSUSE (13.1 x64) and tried to use OSSEC on >> >> >> >>> that >> >> >> >>> system. For some reason it creates multiple new users, none of >> >> >> >>> which >> >> >> >>> are able to be used, and does not start up in boot, even though >> >> >> >>> the >> >> >> >>> installation confirms that the "int" file was modified to >> >> >> >>> accomplish >> >> >> >>> this task. I can logon to my account, but I am forced to issue >> >> >> >>> the >> >> >> >>> start command every time I want to start the program. >> >> >> >>> >> >> >> >>> I am new to the system, and do not consider myself a >> >> >> >>> programmer. >> >> >> >>> I >> >> >> >>> only program for scientific purposes, and do not know many of >> >> >> >>> the >> >> >> >>> specifics that professional programmers do. Having said this, I >> >> >> >>> posted >> >> >> >>> a question on the OpenSUSE forum regarding this issue, and one >> >> >> >>> person >> >> >> >>> seems to suggest that it is a compatibility issue with OpenSUSE, >> >> >> >>> and >> >> >> >>> thus the program would need modification. I wish I could tell >> >> >> >>> you >> >> >> >>> what >> >> >> >>> caused this issue, but I don't have that knowledge. >> >> >> >>> Nevertheless, >> >> >> >>> OpenSUSE is a popular distribution and I wanted to let you know >> >> >> >>> of >> >> >> >>> this >> >> >> >>> issue. >> >> >> >> >> >> >> >> -- >> >> >> >> >> >> >> >> --- >> >> >> >> You received this message because you are subscribed to the >> >> >> >> Google >> >> >> >> Groups >> >> >> >> "ossec-list" group. >> >> >> >> To unsubscribe from this group and stop receiving emails from it, >> >> >> >> send >> >> >> >> an >> >> >> >> email to [email protected]. >> >> >> >> For more options, visit https://groups.google.com/d/optout. >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> >> -- >> >> >> >> >> >> --- >> >> >> You received this message because you are subscribed to the Google >> >> >> Groups >> >> >> "ossec-list" group. >> >> >> To unsubscribe from this group and stop receiving emails from it, >> >> >> send >> >> >> an >> >> >> email to [email protected]. >> >> >> For more options, visit https://groups.google.com/d/optout. >> >> > >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to the Google >> >> Groups >> >> "ossec-list" group. >> >> To unsubscribe from this group and stop receiving emails from it, send >> >> an >> >> email to [email protected]. >> >> For more options, visit https://groups.google.com/d/optout. >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
