Dear Dan,

I am pretty sure I know what is wrong. We don't put compilers on production 
servers so I've built it on a development server, created a package to install 
it and copied that to the production server. Now, my guess is that the name of 
the server where it was built is built into the system and it uses that when 
coding or decoding the key.

What I wonder is: can it be built on one server and run on another? Obviously 
the agent can but what about the server?

Best wishes....
Colin

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: 21 November 2014 17:40
To: [email protected]
Subject: Re: [ossec-list] Cant Get it Working

On Fri, Nov 21, 2014 at 12:17 PM, Colin Bruce <[email protected]> wrote:
> Dear Dan,
>
> Thanks for the suggestion. I get a lot of information in the logs now and 
> when I start one of the clients I get this in the file:
>
> ossec-remoted(1403): ERROR: Incorrectly formatted message from 
> '192.168.30.221'.
>
> It is repeated many times. That is the address of the client. I have created 
> a key on the server using that address and installed it on the client. In fact, 
> I just did it again just to be sure.
>

So it seems like something is wrong with the key. I haven't really seen any 
complaints about this not working for anyone else. What SSH client/terminal are 
you using? Perhaps you can visually compare the keys on the manager and the 
agent. Also make sure the manager's ossec processes stopped. Stop them, make 
sure they're stopped (`ps auxww | grep ossec` should probably be enough), then 
start them again. I've seen that be the issue in the past.

> Best wishes....
> Colin
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of dan (ddp)
> Sent: 21 November 2014 16:22
> To: [email protected]
> Subject: Re: [ossec-list] Cant Get it Working
>
> On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]> wrote:
>> Dear Dan,
>>
>>
>>
>> Thanks for the reply. Sadly the answer to each of your questions is 
>> yes. I just double checked to make sure.
>>
>>
>
> Does the manager respond to the packets?
> Try turning debug on on the manager (`/var/ossec/bin/ossec-control enable 
> debug && /var/ossec/bin/ossec-control restart`), and check the logs for more 
> information.
>
>
>>
>> As a last attempt I am going to delete everything and start again.
>> After that I think I'll give up.
>>
> Good luck
>
>>
>>
>> Best wishes...
>>
>> Colin
>>
>>
>>
>> From: [email protected] 
>> [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: 21 November 2014 16:00
>> To: [email protected]
>> Subject: Re: [ossec-list] Cant Get it Working
>>
>>
>>
>>
>> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> I have been trying to get this to work for a couple of months now 
>>> and have got absolutely nowhere. I see lots of people with questions 
>>> which suggests that they have it running. I just don't understand 
>>> what I am doing wrong.
>>>
>>>
>>>
>>> I've started again, untarred the file ossec-hids-2.8.1.tar.gz, run 
>>> install.sh using all the defaults and when I run it I do get a 
>>> notification by e-mail that it has started. However, the log file includes:
>>>
>>>
>>>
>>>
>>>
>>> Why is the socket not available? Surely if it is required it should 
>>> either be in the install.sh or documented somewhere.
>>>
>>>
>>>
>>> I've installed two agents - one on a Windows server and one on a 
>>> Linux server. Neither of them connects to the ossec server. On both I get 
>>> this:
>>>
>>>
>>>
>>>
>>>
>>> The log on the ossec server shows absolutely no attempt to connect 
>>> from anywhere. It just ignores everything. All the servers are on 
>>> the same network 192.168.30.0/24 and I've given them keys. There is 
>>> no firewall of any kind between the servers and all other communication 
>>> works fine.
>>>
>>>
>>>
>>> This is an absolutely out of the box install with no configuration 
>>> other than what install.sh does and it doesn't work.
>>>
>>>
>>>
>>> Does anyone have any idea what is wrong or even where to look?
>>>
>>>
>>
>> Is ossec-remoted working?
>> Are udp packets making it to the manager?
>> Are the keys and ips for the agents unique?
>> Did you restart the manager's ossec processes after adding the agents?
>> Are you sure you gave each agent the correct key?
>>
>>>
>>> Best wishes....
>>>
>>> Colin
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, 
>>> send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.

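Added example, not part of the original thread and not OSSEC's own tooling: one way to do the manager/agent key comparison suggested in the thread without reading keys off a terminal. It assumes both copies of `client.keys` use the one-entry-per-line `ID NAME IP KEY` layout; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare one agent's client.keys entry on the manager and on
# the agent by fingerprint, so the key itself never has to be displayed.
# Assumes the usual layout, one entry per line: ID NAME IP KEY.

# Print the raw entry for agent ID $2 from keys file $1.
key_entry() {
    awk -v id="$2" '$1 == id { print; exit }' "$1"
}

# Print the SHA-256 of that entry, or "missing" if the ID is not in the file.
key_fingerprint() {
    entry=$(key_entry "$1" "$2")
    [ -n "$entry" ] || { echo "missing"; return 1; }
    printf '%s' "$entry" | sha256sum | cut -d' ' -f1
}

# Name copy/paste damage that a visual comparison tends to miss.
key_entry_problems() {
    key_entry "$1" "$2" | awk '
        /\r/          { print "carriage-return" }
        /[ \t]+\r?$/  { print "trailing-whitespace" }
        NF != 4       { print "field-count=" NF }'
}

# compare_keys MANAGER_FILE AGENT_FILE ID -> prints match, mismatch or missing
compare_keys() {
    m=$(key_fingerprint "$1" "$3") || { echo "missing"; return 1; }
    a=$(key_fingerprint "$2" "$3") || { echo "missing"; return 1; }
    [ "$m" = "$a" ] && echo "match" || { echo "mismatch"; return 1; }
}

# Constructed sample data (not real keys): the agent copy picked up a CR.
demo_dir=$(mktemp -d)
printf '001 web01 192.168.30.221 CONSTRUCTED0KEY0AAAA\n' > "$demo_dir/manager.keys"
printf '001 web01 192.168.30.221 CONSTRUCTED0KEY0AAAA\r\n' > "$demo_dir/agent.keys"
echo "agent 001: $(compare_keys "$demo_dir/manager.keys" "$demo_dir/agent.keys" 001)"
echo "problems:  $(key_entry_problems "$demo_dir/agent.keys" 001)"
```

On a default install the file is `/var/ossec/etc/client.keys` on both sides; run `key_fingerprint` on each host and compare the two hashes out of band.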