Oops, hit send too soon

On Fri, Nov 21, 2014 at 1:34 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Nov 21, 2014 at 1:15 PM, Colin Bruce <[email protected]> wrote:
>> Dear Dan,
>>
>> I am pretty sure I know what is wrong. We don't put compilers on production
>> servers so I've built it on a development server, created a package to
>> install it and copied that to the production server. Now, my guess is that
>> the name of the server where it was built is built into the system and it
>> uses that when coding or decoding the key.
>>
>
> Where in the code do you see that? I haven't looked at that area of
> the tree very much.
>
>> What I wonder is can it be built on one server and run on another. Obviously
>> the agent can but what about the server?
>>
>
> Never tried it.
>
Since there are RPM and deb packages for OSSEC, I'd assume it's possible.

>> Best wishes....
>> Colin
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: 21 November 2014 17:40
>> To: [email protected]
>> Subject: Re: [ossec-list] Cant Get it Working
>>
>> On Fri, Nov 21, 2014 at 12:17 PM, Colin Bruce <[email protected]>
>> wrote:
>>> Dear Dan,
>>>
>>> Thanks for the suggestion. I get a lot of information in the logs now and
>>> when I start one of the clients I get this in the file:
>>>
>>> ossec-remoted(1403): ERROR: Incorrectly formatted message from
>>> '192.168.30.221'.
>>>
>>> It is repeated many times. That is the address of the client. I have
>>> created a key on the server using that address and installed it on the
>>> client. In fact I just did it again just to be sure.
>>>
>>
>> So it seems like something is wrong with the key. I haven't really seen any
>> complaints about this not working for anyone else. What SSH client/terminal
>> are you using? Perhaps you can visually compare the keys on the manager and
>> the agent. Also make sure the manager's ossec processes stopped. Stop them,
>> make sure they're stopped (`ps auxww | grep ossec` should probably be
>> enough), then start them again. I've seen that be the issue in the past.
>>
>>> Best wishes....
>>> Colin
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]]
>>> On Behalf Of dan (ddp)
>>> Sent: 21 November 2014 16:22
>>> To: [email protected]
>>> Subject: Re: [ossec-list] Cant Get it Working
>>>
>>> On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]>
>>> wrote:
>>>> Dear Dan,
>>>>
>>>> Thanks for the reply. Sadly the answer to each of your questions is
>>>> yes. I just double checked to make sure.
>>>>
>>>
>>> Does the manager respond to the packets?
>>> Try turning debug on on the manager
>>> (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`),
>>> and check the logs for more information.
>>>
>>>>
>>>> As a last attempt I am going to delete everything and start again.
>>>> After that I think I'll give up.
>>>>
>>> Good luck
>>>
>>>>
>>>> Best wishes...
>>>>
>>>> Colin
>>>>
>>>> From: [email protected]
>>>> [mailto:[email protected]]
>>>> On Behalf Of dan (ddp)
>>>> Sent: 21 November 2014 16:00
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] Cant Get it Working
>>>>
>>>> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have been trying to get this to work for a couple of months now
>>>>> and have got absolutely nowhere. I see lots of people with questions
>>>>> which suggests that they have it running. I just don't understand
>>>>> what I am doing wrong.
>>>>>
>>>>> I've started again untarred the file ossec-hids-2.8.1.tar.gz, run
>>>>> install.sh using all the defaults and when I run it I do get a
>>>>> notification by e-mail that it has started. However, the log file
>>>>> includes:
>>>>>
>>>>> Why is the socket not available? Surely if it is required it should
>>>>> either be in the install.sh or documented somewhere.
>>>>>
>>>>> I've installed two agents - one on a windows server and one on a
>>>>> Linux server. Neither of them connect to the ossec server. On both I get
>>>>> this:
>>>>>
>>>>> The log on the ossec server shows absolutely no attempt to connect
>>>>> from anywhere. It just ignores everything. All the servers are on
>>>>> the same network 192.168.30.0/24 and I've given them keys. There is
>>>>> no firewall of any kind between the servers and all other communications
>>>>> works fine.
>>>>>
>>>>> This is an absolutely out of the box install with no configuration
>>>>> other than what install.sh does and it doesn't work.
>>>>>
>>>>> Does anyone have any idea what is wrong or even where to look.
>>>>>
>>>>
>>>> Is ossec-remoted working?
>>>> Are udp packets making it to the manager?
>>>> Are the keys and ips for the agents unique?
>>>> Did you restart the manager's ossec processes after adding the agents?
>>>> Are you sure you gave each agent the correct key?
>>>>
>>>>>
>>>>> Best wishes....
>>>>>
>>>>> Colin
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>> send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
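
The key checks suggested in this thread (unique keys and IPs on the manager, and the agent holding the same entry as the manager), as an added example that is not part of the original messages or of OSSEC itself. It assumes each `client.keys` line has the form `ID NAME IP KEY`; the agent names and key values are constructed sample data.

```python
from collections import Counter

def parse_keys(text):
    """Parse client.keys content into a list of (id, name, ip, key) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries

def duplicate_problems(entries):
    """Report agent IDs, IPs or keys that appear more than once on the manager."""
    problems = []
    for label, index in (("id", 0), ("ip", 2), ("key", 3)):
        counts = Counter(e[index] for e in entries)
        for value, n in sorted(counts.items()):
            # "any" is treated as a wildcard address here (assumption), so it may repeat.
            if n > 1 and not (label == "ip" and value == "any"):
                shown = value if label != "key" else value[:8] + "..."  # never print a full key
                problems.append(f"duplicate {label} {shown} ({n} entries)")
    return problems

def agent_problems(manager_entries, agent_entries):
    """Compare the agent's own entry with the manager's entry for the same ID."""
    if len(agent_entries) != 1:
        return [f"agent file has {len(agent_entries)} entries, expected 1"]
    agent = agent_entries[0]
    matches = [e for e in manager_entries if e[0] == agent[0]]
    if not matches:
        return [f"agent id {agent[0]} not found on manager"]
    return [f"{label} differs for agent id {agent[0]}"
            for label, index in (("name", 1), ("ip", 2), ("key", 3))
            if matches[0][index] != agent[index]]

# Constructed sample data; keys are shortened placeholders, not real OSSEC keys.
MANAGER_KEYS = """\
001 winserver 192.168.30.220 1111aaaa2222bbbb3333cccc4444dddd
002 linuxserver 192.168.30.221 5555eeee6666ffff7777aaaa8888bbbb
003 spare 192.168.30.221 9999cccc0000dddd1111eeee2222ffff
"""
# Agent copy with the last character lost, as after a truncated terminal paste.
AGENT_KEYS = "002 linuxserver 192.168.30.221 5555eeee6666ffff7777aaaa8888bbb\n"

if __name__ == "__main__":
    manager = parse_keys(MANAGER_KEYS)
    for p in duplicate_problems(manager) + agent_problems(manager, parse_keys(AGENT_KEYS)):
        print(p)
```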
