Dear Dan,

Thanks for the suggestion. I get a lot of information in the logs now and when I start one of the clients I get this in the file:

`ossec-remoted(1403): ERROR: Incorrectly formatted message from '192.168.30.221'.`

It is repeated many times. That is the address of the client. I have created a key on the server using that address and installed it on the client. In fact I just did it again just to be sure.

Best wishes....

Colin

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: 21 November 2014 16:22
To: [email protected]
Subject: Re: [ossec-list] Cant Get it Working

On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]> wrote:
> Dear Dan,
>
> Thanks for the reply. Sadly the answer to each of your questions is
> yes. I just double checked to make sure.
>

Does the manager respond to the packets? Try turning debug on on the manager (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`), and check the logs for more information.

> As a last attempt I am going to delete everything and start again.
> After that I think I'll give up.
>

Good luck

> Best wishes...
>
> Colin
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: 21 November 2014 16:00
> To: [email protected]
> Subject: Re: [ossec-list] Cant Get it Working
>
> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
>>
>> Hi,
>>
>> I have been trying to get this to work for a couple of months now and
>> have got absolutely nowhere. I see lots of people with questions
>> which suggests that they have it running. I just don't understand
>> what I am doing wrong.
>>
>> I've started again, untarred the file ossec-hids-2.8.1.tar.gz, run
>> install.sh using all the defaults and when I run it I do get a
>> notification by e-mail that it has started. However, the log file includes:
>>
>>
>> Why is the socket not available? Surely if it is required it should
>> either be in the install.sh or documented somewhere.
>>
>> I've installed two agents - one on a Windows server and one on a
>> Linux server. Neither of them connects to the ossec server. On both I get
>> this:
>>
>>
>> The log on the ossec server shows absolutely no attempt to connect
>> from anywhere. It just ignores everything. All the servers are on the
>> same network 192.168.30.0/24 and I've given them keys. There is no
>> firewall of any kind between the servers and all other communications work
>> fine.
>>
>> This is an absolutely out of the box install with no configuration
>> other than what install.sh does and it doesn't work.
>>
>> Does anyone have any idea what is wrong or even where to look.
>>
>
> Is ossec-remoted working?
> Are udp packets making it to the manager?
> Are the keys and ips for the agents unique?
> Did you restart the manager's ossec processes after adding the agents?
> Are you sure you gave each agent the correct key?
>
>>
>> Best wishes....
>>
>> Colin
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
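
Two of the questions in the quoted checklist (whether agent keys and IPs are unique, and whether each agent holds the correct key) can be checked mechanically. The Python below is an added example, not part of the thread or of OSSEC itself; it assumes the four-field `ID NAME IP KEY` layout of `/var/ossec/etc/client.keys`, and every entry other than the client address from the thread is a constructed placeholder.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data in the assumed "ID NAME IP KEY" layout.
# Names and key strings are placeholders, not real key material.
MANAGER_KEYS = """\
001 winsrv 192.168.30.220 aaaa1111placeholder
002 linuxsrv 192.168.30.221 bbbb2222placeholder
003 linuxsrv2 192.168.30.221 cccc3333placeholder
"""
AGENT_KEYS = "002 linuxsrv 192.168.30.221 bbbb2222placeholdeX\n"


def parse_keys(text):
    """Return (id, name, ip, key) tuples; raise on lines that are not 4 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries


def audit_manager(entries):
    """Report agent IDs, names or source IPs that occur more than once."""
    problems = []
    for label, idx in (("id", 0), ("name", 1), ("ip", 2)):
        seen = defaultdict(list)
        for e in entries:
            seen[e[idx]].append(e[0])
        for value, ids in seen.items():
            if len(ids) > 1 and value != "any":
                problems.append(f"duplicate {label} {value}: agents {', '.join(ids)}")
    return problems


def check_agent(manager_entries, agent_entry, source_ip):
    """Compare an agent's key line and source address with the manager's entry."""
    mgr = {e[0]: e for e in manager_entries}.get(agent_entry[0])
    if mgr is None:
        return "agent id not present on manager"
    if mgr[3] != agent_entry[3]:
        return "key differs from manager copy"
    net = None if mgr[2] == "any" else ipaddress.ip_network(mgr[2], strict=False)
    if net is not None and ipaddress.ip_address(source_ip) not in net:
        return "source ip not covered by manager entry"
    return "ok"
```

Run it against copies of the manager's and the agent's `client.keys`; any non-empty audit result or a status other than `ok` points at the entry to re-issue.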
