On Sat, Nov 22, 2014 at 10:19 PM, Colin Bruce <[email protected]> wrote:
>
> Dear Dan,
>
> I'm afraid I am beaten with this. I started all over again. I built a server
> and ran it on the machine that it was built on with a Linux and Windows agent
> on other servers. It all worked fine. I then ran the server on another
> machine that it was not built on and once again the agents worked okay.
> However, when I built the server with support for mysql and ran it on a
> server that it was not built on, the Linux agent connected okay but the
> windows agent will not. Here is a snip from the log file on the agent
>

If you run it on the system you built it with mysql support on does
everything work? I don't use the database stuff, so tracking down
issues with that would be even more difficult.

> I've checked and rechecked the key and restarted the server and agent
> repeatedly but it is always the same. It just doesn't work with windows
> agents. Here is a snippet from the server log file.
>
>
> It shows that it read the keys file and knows about the windows agent (it is
> FS-A) but no matter how many times I restart it the agent reports the
> messages above and absolutely nothing appears in the log files on the server.
> The keys are correct: I have compared them on the server and agent and there
> is no difference.
>
> There is no firewall anywhere in this environment and the servers are all on
> the same network. In fact they are all on the same server since they are
> virtual servers running on a single host.
>
> By the way ossec-control stop doesn't stop ossec-dbd. It claims it is not
> running when it clearly is.
>
> Best wishes....
> Colin
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: 21 November 2014 17:40
> To: [email protected]
> Subject: Re: [ossec-list] Cant Get it Working
>
> On Fri, Nov 21, 2014 at 12:17 PM, Colin Bruce <[email protected]> wrote:
> > Dear Dan,
> >
> > Thanks for the suggestion. I get a lot of information in the logs now and
> > when I start one of the clients I get this in the file:
> >
> > ossec-remoted(1403): ERROR: Incorrectly formatted message from
> > '192.168.30.221'.
> >
> > It is repeated many times. That is the address of the client. I have
> > created a key on the server using that address and installed it on the
> > client. In fact I just did it again just to be sure.
> >
>
> So it seems like something is wrong with the key. I haven't really seen any
> complaints about this not working for anyone else. What SSH client/terminal
> are you using? Perhaps you can visually compare the keys on the manager and
> the agent. Also make sure the manager's ossec processes stopped. Stop them,
> make sure they're stopped (`ps auxww | grep ossec` should probably be
> enough), then start them again. I've seen that be the issue in the past.
>
> > Best wishes....
> > Colin
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: 21 November 2014 16:22
> > To: [email protected]
> > Subject: Re: [ossec-list] Cant Get it Working
> >
> > On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]>
> > wrote:
> >> Dear Dan,
> >>
> >> Thanks for the reply. Sadly the answer to each of your questions is
> >> yes. I just double checked to make sure.
> >>
> >
> > Does the manager respond to the packets?
> > Try turning debug on on the manager
> > (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`),
> > and check the logs for more information.
> >
> >>
> >> As a last attempt I am going to delete everything and start again.
> >> After that I think I'll give up.
> >>
> > Good luck
> >
> >>
> >> Best wishes...
> >>
> >> Colin
> >>
> >>
> >> From: [email protected]
> >> [mailto:[email protected]]
> >> On Behalf Of dan (ddp)
> >> Sent: 21 November 2014 16:00
> >> To: [email protected]
> >> Subject: Re: [ossec-list] Cant Get it Working
> >>
> >>
> >> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
> >>>
> >>> Hi,
> >>>
> >>> I have been trying to get this to work for a couple of months now
> >>> and have got absolutely nowhere. I see lots of people with questions
> >>> which suggests that they have it running. I just don't understand
> >>> what I am doing wrong.
> >>>
> >>> I've started again, untarred the file ossec-hids-2.8.1.tar.gz, run
> >>> install.sh using all the defaults and when I run it I do get a
> >>> notification by e-mail that it has started. However, the log file
> >>> includes:
> >>>
> >>>
> >>> Why is the socket not available? Surely if it is required it should
> >>> either be in the install.sh or documented somewhere.
> >>>
> >>> I've installed two agents - one on a windows server and one on a
> >>> Linux server. Neither of them connect to the ossec server. On both I get
> >>> this:
> >>>
> >>>
> >>> The log on the ossec server shows absolutely no attempt to connect
> >>> from anywhere. It just ignores everything. All the servers are on
> >>> the same network 192.168.30.0/24 and I've given them keys. There is
> >>> no firewall of any kind between the servers and all other communications
> >>> works fine.
> >>>
> >>> This is an absolutely out of the box install with no configuration
> >>> other than what install.sh does and it doesn't work.
> >>>
> >>> Does anyone have any idea what is wrong or even where to look?
> >>>
> >>
> >> Is ossec-remoted working?
> >> Are udp packets making it to the manager?
> >> Are the keys and ips for the agents unique?
> >> Did you restart the manager's ossec processes after adding the agents?
> >> Are you sure you gave each agent the correct key?
> >>
> >>>
> >>> Best wishes....
> >>>
> >>> Colin
> >>>
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to the Google
> >>> Groups "ossec-list" group.
> >>> To unsubscribe from this group and stop receiving emails from it,
> >>> send an email to [email protected].
> >>> For more options, visit https://groups.google.com/d/optout.
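
Added example, not part of the original thread and not OSSEC's own code: a shell script for two of the checks raised in the replies above, that agent IDs, names and IPs in the keys file are unique, and that the manager and the agent hold the same key. It assumes a client.keys layout of one `ID NAME IP KEY` entry per line; the file names, the `web1` entry and the key strings are constructed.

```shell
#!/bin/sh
# Added example. Assumed client.keys layout, one agent per line: ID NAME IP KEY

# Report malformed lines and duplicate IDs, names or IPs.
# Prints nothing when the file is clean.
check_keys() {
    tr -d '\r' < "$1" | awk '
        NF == 0 { next }
        NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; next }
        seen_id[$1]++   { printf "line %d: duplicate id %s\n", NR, $1 }
        seen_name[$2]++ { printf "line %d: duplicate name %s\n", NR, $2 }
        # "any" (dynamic address) may legitimately repeat
        $3 != "any" && seen_ip[$3]++ { printf "line %d: duplicate ip %s\n", NR, $3 }
    '
}

# Print a SHA-256 fingerprint of one agent's entry. CRLF endings (keys
# pasted on Windows) and stray whitespace are normalised away, so equal
# fingerprints mean equal ID, name, IP and key.
key_fingerprint() {
    entry=$(tr -d '\r' < "$1" |
        awk -v id="$2" '$1 == id { print $1, $2, $3, $4; exit }')
    [ -n "$entry" ] || { echo "no entry for id $2 in $1" >&2; return 1; }
    printf '%s' "$entry" | sha256sum | cut -d' ' -f1
}

# Constructed sample data: placeholder keys, not real ones.
tmp=$(mktemp -d)
printf '001 web1 192.168.30.220 aaaa1111\n002 FS-A 192.168.30.221 bbbb2222\n' \
    > "$tmp/manager.keys"
printf '002 FS-A 192.168.30.221 bbbb2222 \r\n' > "$tmp/agent.keys"   # CRLF copy
printf '001 web1 192.168.30.220 aaaa1111\n001 FS-A 192.168.30.220 bbbb2222\n' \
    > "$tmp/dup.keys"

check_keys "$tmp/dup.keys"
if [ "$(key_fingerprint "$tmp/manager.keys" 002)" = \
     "$(key_fingerprint "$tmp/agent.keys" 002)" ]; then
    echo "agent 002: manager and agent entries match"
else
    echo "agent 002: entries differ"
fi
```

Comparing the two fingerprints avoids eyeballing a long key across two terminals, and shows a mismatch that a copy with line-wrapping or an extra character would otherwise hide.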
