Hi, SELINUX isn't enabled, we also looked at all the permissions and they appear fine.
We manually added an agent on the server and manually imported a fresh client key, then restarted the agent. It successfully added itself without using authd that we had success with in a different environment (done via Puppet using command agent-auth -m <server ip> -p <port>). Should we use port 1515, then 1514 when using this? Perhaps we're not adding the agents correctly?

On Dec 16, 2015 10:37 AM, "lostinthetubez" <[email protected]> wrote:

> Is selinux enabled? Long shot, I know. Regardless, OSSEC needs to be able to access the client.keys file, both on the agent and the manager, before it can communicate. If permissions and ownership aren’t the problem – which, they look fine btw – then I don’t honestly know why it would be complaining. You haven’t customized the users under which the services start, have you? Compare a client.keys from a working agent with a non-working agent. Perhaps there is a problem with the file format, encoding, or non-printable characters. Can’t really think of anything else at the moment.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jamey B
> *Sent:* Tuesday, December 15, 2015 5:55 PM
> *To:* [email protected]
> *Subject:* RE: [ossec-list] Clients authenticate, but don't connect (Corp env)
>
> Sorry about that, that's my local VirtualBox image that I use for testing. OSSEC on the server with the client keys shows the same permissions as my local VM. Could it be a local OS issue that the server is on?
>
> On Dec 15, 2015 10:18 AM, "lostinthetubez" <[email protected]> wrote:
>
> Your commandline prompt indicates that this is not the same machine that you were talking about in the previous post. Please look at the situation on adr318, whatever that box is.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jamey B
> *Sent:* Tuesday, December 15, 2015 7:06 AM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] Clients authenticate, but don't connect (Corp env)
>
> Hi lostinthetubez,
>
> Yes, the client.keys file exists on the server and the client has the correct key. The permissions are as follows for /var/ossec/etc/:
>
> root@ccisprlx11 # ls -la ../etc/
> total 136
> dr-xr-x---  3 root ossec  4096 Dec 14 17:23 .
> dr-xr-x--- 13 root ossec  4096 Dec 14 16:59 ..
> -r--r-----  1 root ossec    84 Dec 14 17:24 client.keys
> -r--r-----  1 root ossec 97786 Jun 10  2015 decoder.xml
> -r--r-----  1 root ossec  2842 Jun 10  2015 internal_options.conf
> -r--r-----  1 root ossec  3519 May  4  2010 localtime
> -r--r-----  1 root ossec  8360 Dec 14 16:59 ossec.conf
> -rw-r-----  1 root root     88 Dec 14 16:59 ossec-init.conf
> drwxrwx---  2 root ossec  4096 Dec 14 16:59 shared
>
> Do you see anything odd with the permissions?
>
> On Mon, Dec 14, 2015 at 4:28 PM, lostinthetubez <[email protected]> wrote:
>
> Looks like permissions or ownership are wrong on your client.keys file, which would certainly explain the agent not being able to connect. I assume you’ve checked that the client.keys file exists and contains the correct information for the agent you are using as an example here?
>
> >> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jamey B
> *Sent:* Monday, December 14, 2015 12:55 PM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] Clients authenticate, but don't connect (Corp env)
>
> Thanks for that, I think this is a bigger issue than I believed judging by the read out below from one of the agents not connecting. Do you think the command you provided will fix it?
> It seems the install or CONF file went wonky during the install, but the agent has been reinstalled multiple times.
>
> root@adr318 # cat /var/ossec/logs/ossec.log
> 2015/12/14 07:30:51 ossec-authd: INFO: Started (pid: 3787).
> 2015/12/14 07:30:58 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2015/12/14 07:30:58 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2015/12/14 07:31:08 ossec-execd: INFO: Started (pid: 3875).
> 2015/12/14 07:31:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2015/12/14 07:31:08 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
> 2015/12/14 07:31:08 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2015/12/14 07:31:08 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:11 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:17 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:17 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 07:31:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:19 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:32 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 09:50:10 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2015/12/14 09:50:10 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2015/12/14 09:50:20 ossec-execd: INFO: Started (pid: 15169).
> 2015/12/14 09:50:20 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2015/12/14 09:50:20 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2015/12/14 09:50:20 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
> 2015/12/14 09:50:20 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2015/12/14 09:50:20 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:29 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:29 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 09:50:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> On Mon, Dec 14, 2015 at 2:41 PM, Santiago Bassett <[email protected]> wrote:
>
> Try disabling counters. They lose synchronization especially when agents are reinstalled.
>
> Edit /var/ossec/etc/internal_options.conf and set "remoted.verify_msg_id=0"
>
> Then restart ossec manager.
>
> On Mon, Dec 14, 2015 at 9:43 AM, Jamey B <[email protected]> wrote:
>
> Hi everyone,
>
> I'm in a corporate environment, the environment we are deploying OSSEC to has around 1000 servers (I did the manual install and increased the agent limit). The firewall is allowing all UDP and TCP ports to pass through for our deployment. No traffic is being blocked to/from the OSSEC manager.
>
> We distributed OSSEC to an environment via Puppet and are able to get the agents to grab a client key over port 1515, but they are having issues connecting. A handful do eventually connect, but the majority don't, I don't see them come up in the OSSEC logs but they do appear as inactive agents.
>
> Any ideas as to why the majority of agents are not connecting, but do get their keys?
>
> --
> Sincerely,
> James Bearden III
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/7u88Yy5W7Rk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
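
Added example, not part of the original thread and not OSSEC's own code: a lint for the client.keys problems suggested in the quoted reply (file format, encoding, non-printable characters). It assumes each entry is four single-space-separated fields (ID, name, IP, key); the sample entries and keys are constructed.

```python
"""Lint an OSSEC client.keys file for format and encoding problems."""
import sys

# Constructed sample data; the keys are placeholders, not real agent keys.
GOOD = b"001 web01 10.0.0.5 " + b"ab12" * 16 + b"\n"
BAD = (b"\xef\xbb\xbf001 web01 10.0.0.5 " + b"ab12" * 16 + b"\r\n"
       b"002 db01 any\x00 " + b"cd34" * 16 + b"\n")


def lint_client_keys(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("file starts with a UTF-8 byte order mark")
        data = data[3:]
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return findings + ["file looks like UTF-16, expected plain ASCII"]
    if not data.strip():
        return findings + ["file is empty"]
    seen_ids = set()
    for n, raw in enumerate(data.split(b"\n"), start=1):
        if raw == b"":
            continue  # trailing newline or blank line
        if raw.endswith(b"\r"):
            findings.append(f"line {n}: CRLF line ending")
            raw = raw[:-1]
        bad = sorted({b for b in raw if not 0x20 <= b <= 0x7E})
        if bad:
            findings.append(f"line {n}: non-printable bytes {[hex(b) for b in bad]}")
            continue
        fields = raw.split(b" ")
        # Assumption: "ID NAME IP KEY", exactly one space between fields.
        if len(fields) != 4 or b"" in fields:
            findings.append(f"line {n}: expected 4 single-space-separated fields")
            continue
        agent_id = fields[0]
        if not agent_id.isdigit():
            findings.append(f"line {n}: agent ID is not numeric")
        if agent_id in seen_ids:
            findings.append(f"line {n}: duplicate agent ID {agent_id.decode()}")
        seen_ids.add(agent_id)
    return findings


if __name__ == "__main__":
    # Usage: python lint_keys.py /var/ossec/etc/client.keys
    with open(sys.argv[1], "rb") as fh:
        for finding in lint_client_keys(fh.read()) or ["no issues found"]:
            print(finding)
```

Running it against the file from a working agent and from a non-working one gives the side-by-side comparison the reply asks for without printing the keys themselves.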
