On Fri, Nov 21, 2014 at 1:15 PM, Colin Bruce <[email protected]> wrote:
> Dear Dan,
>
> I am pretty sure I know what is wrong. We don't put compilers on production
> servers so I've built it on a development server, created a package to
> install it and copied that to the production server. Now, my guess is that
> the name of the server where it was built is built into the system and it
> uses that when coding or decoding the key.
>

Where in the code do you see that? I haven't looked at that area of the tree very much.

> What I wonder is can it be built on one server and run on another. Obviously
> the agent can but what about the server?
>

Never tried it.

> Best wishes....
> Colin
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: 21 November 2014 17:40
> To: [email protected]
> Subject: Re: [ossec-list] Cant Get it Working
>
> On Fri, Nov 21, 2014 at 12:17 PM, Colin Bruce <[email protected]> wrote:
>> Dear Dan,
>>
>> Thanks for the suggestion. I get a lot of information in the logs now and
>> when I start one of the clients I get this in the file:
>>
>> ossec-remoted(1403): ERROR: Incorrectly formatted message from
>> '192.168.30.221'.
>>
>> It is repeated many times. That is the address of the client. I have created
>> a key on the server using that address and installed it on the client. In fact
>> I just did it again just to be sure.
>>
>
> So it seems like something is wrong with the key. I haven't really seen any
> complaints about this not working for anyone else. What SSH client/terminal
> are you using? Perhaps you can visually compare the keys on the manager and
> the agent. Also make sure the manager's ossec processes stopped. Stop them,
> make sure they're stopped (`ps auxww | grep ossec` should probably be
> enough), then start them again. I've seen that be the issue in the past.
>
>> Best wishes....
>> Colin
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: 21 November 2014 16:22
>> To: [email protected]
>> Subject: Re: [ossec-list] Cant Get it Working
>>
>> On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]>
>> wrote:
>>> Dear Dan,
>>>
>>> Thanks for the reply. Sadly the answer to each of your questions is
>>> yes. I just double checked to make sure.
>>>
>>
>> Does the manager respond to the packets?
>> Try turning debug on on the manager
>> (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`),
>> and check the logs for more information.
>>
>>> As a last attempt I am going to delete everything and start again.
>>> After that I think I'll give up.
>>>
>> Good luck
>>
>>> Best wishes...
>>>
>>> Colin
>>>
>>> From: [email protected]
>>> [mailto:[email protected]]
>>> On Behalf Of dan (ddp)
>>> Sent: 21 November 2014 16:00
>>> To: [email protected]
>>> Subject: Re: [ossec-list] Cant Get it Working
>>>
>>> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have been trying to get this to work for a couple of months now
>>>> and have got absolutely nowhere. I see lots of people with questions
>>>> which suggests that they have it running. I just don't understand
>>>> what I am doing wrong.
>>>>
>>>> I've started again, untarred the file ossec-hids-2.8.1.tar.gz, run
>>>> install.sh using all the defaults and when I run it I do get a
>>>> notification by e-mail that it has started. However, the log file includes:
>>>>
>>>> Why is the socket not available? Surely if it is required it should
>>>> either be in the install.sh or documented somewhere.
>>>>
>>>> I've installed two agents - one on a Windows server and one on a
>>>> Linux server. Neither of them connect to the ossec server. On both I get
>>>> this:
>>>>
>>>> The log on the ossec server shows absolutely no attempt to connect
>>>> from anywhere. It just ignores everything. All the servers are on
>>>> the same network 192.168.30.0/24 and I've given them keys. There is
>>>> no firewall of any kind between the servers and all other communications
>>>> works fine.
>>>>
>>>> This is an absolutely out of the box install with no configuration
>>>> other than what install.sh does and it doesn't work.
>>>>
>>>> Does anyone have any idea what is wrong or even where to look.
>>>>
>>>
>>> Is ossec-remoted working?
>>> Are udp packets making it to the manager?
>>> Are the keys and ips for the agents unique?
>>> Did you restart the manager's ossec processes after adding the agents?
>>> Are you sure you gave each agent the correct key?
>>>
>>>>
>>>> Best wishes....
>>>>
>>>> Colin
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
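
Added example, not part of the original thread and not OSSEC's own code: one way to run the checks suggested in the thread (unique IDs and IPs on the manager, agent key identical to the manager's copy) without comparing keys by eye in a terminal. It assumes the four-field `ID NAME IP KEY` line layout of client.keys; the agent names and key strings below are constructed sample values.

```python
import hashlib
from collections import Counter

FIELDS = ("id", "name", "ip", "key")

def parse_client_keys(text):
    """Return entries from client.keys content; raise on malformed lines
    (for example a key broken in two by a terminal line wrap)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def duplicates(entries, field):
    """Values of `field` that appear in more than one entry."""
    counts = Counter(e[field] for e in entries)
    return sorted(v for v, n in counts.items() if n > 1)

def fingerprint(key):
    """Short SHA-256 prefix so keys can be compared without printing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def compare(manager_entries, agent_entry):
    """List the ways the agent's entry disagrees with the manager's copy."""
    match = [m for m in manager_entries if m["id"] == agent_entry["id"]]
    if not match:
        return [f"agent id {agent_entry['id']} not present on manager"]
    problems = []
    for field in ("name", "ip"):
        if match[0][field] != agent_entry[field]:
            problems.append(f"{field} differs: manager={match[0][field]} "
                            f"agent={agent_entry[field]}")
    if match[0]["key"] != agent_entry["key"]:
        problems.append(f"key differs: manager={fingerprint(match[0]['key'])} "
                        f"agent={fingerprint(agent_entry['key'])}")
    return problems

# Constructed sample data (not real keys); the agent's key is off by one character.
MANAGER = ("001 linux-agent 192.168.30.221 aaaa1111bbbb2222\n"
           "002 win-agent 192.168.30.222 cccc3333dddd4444\n")
AGENT = "001 linux-agent 192.168.30.221 aaaa1111bbbb2223\n"

if __name__ == "__main__":
    mgr = parse_client_keys(MANAGER)
    print("duplicate ids:", duplicates(mgr, "id"), "ips:", duplicates(mgr, "ip"))
    print(compare(mgr, parse_client_keys(AGENT)[0]))
```

In practice the two strings would be read from the manager's and the agent's copies of client.keys; only fingerprints are printed, so the output can be pasted into a ticket or list post.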
