On Thu, Dec 17, 2015 at 1:21 PM, Jamey B <[email protected]> wrote:
> Hi,
>
> SELINUX isn't enabled, we also looked at all the permissions and they appear
> fine.
>
> We manually added an agent on the server and manually imported a fresh
> client key, then restarted the agent. It successfully added itself without
> using authd that we had success with in a different environment (done via
> Puppet using command agent-auth -m <server ip> -p <port>). Should we use
> port 1515, then 1514 when using this?
>
> Perhaps we're not adding the agents correctly?
>

agent-auth connects to an authd process. So the port used there should
be the port authd is listening on.

What happens if you use manage_agents on the server to add an agent
and export the key. Then use manage_agents on the agent to import the
key?

> On Dec 16, 2015 10:37 AM, "lostinthetubez" <[email protected]> wrote:
>>
>> Is selinux enabled? Long shot, I know. Regardless, OSSEC needs to be able
>> to access the client.keys file, both on the agent and the manager, before it
>> can communicate. If permissions and ownership aren’t the problem – which,
>> they look fine btw – then I don’t honestly know why it would be complaining.
>> You haven’t customized the users under which the services start, have you?
>> Compare a client.keys from a working agent with a non-working agent. Perhaps
>> there is a problem with the file format, encoding, or non-printable
>> characters. Can’t really think of anything else at the moment.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jamey B
>> Sent: Tuesday, December 15, 2015 5:55 PM
>> To: [email protected]
>> Subject: RE: [ossec-list] Clients authenticate, but don't connect (Corp env)
>>
>> Sorry about that, that's my local VirtualBox image that I use for testing.
>> OSSEC on the server with the client keys shows the same permissions as my
>> local VM. Could it be a local OS issue that the server is on?
>>
>> On Dec 15, 2015 10:18 AM, "lostinthetubez" <[email protected]>
>> wrote:
>>
>> Your commandline prompt indicates that this is not the same machine that
>> you were talking about in the previous post. Please look at the situation on
>> adr318, whatever that box is.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jamey B
>> Sent: Tuesday, December 15, 2015 7:06 AM
>> To: [email protected]
>> Subject: Re: [ossec-list] Clients authenticate, but don't connect (Corp env)
>>
>> Hi lostinthetubez,
>>
>> Yes, the client.keys file exists on the server and the client has the
>> correct key. The permissions are as follows for /var/ossec/etc/:
>>
>> root@ccisprlx11 # ls -la ../etc/
>> total 136
>> dr-xr-x---  3 root ossec  4096 Dec 14 17:23 .
>> dr-xr-x--- 13 root ossec  4096 Dec 14 16:59 ..
>> -r--r-----  1 root ossec    84 Dec 14 17:24 client.keys
>> -r--r-----  1 root ossec 97786 Jun 10  2015 decoder.xml
>> -r--r-----  1 root ossec  2842 Jun 10  2015 internal_options.conf
>> -r--r-----  1 root ossec  3519 May  4  2010 localtime
>> -r--r-----  1 root ossec  8360 Dec 14 16:59 ossec.conf
>> -rw-r-----  1 root root     88 Dec 14 16:59 ossec-init.conf
>> drwxrwx---  2 root ossec  4096 Dec 14 16:59 shared
>>
>> Do you see anything odd with the permissions?
>>
>> On Mon, Dec 14, 2015 at 4:28 PM, lostinthetubez <[email protected]>
>> wrote:
>>
>> Looks like permissions or ownership are wrong on your client.keys file,
>> which would certainly explain the agent not being able to connect. I assume
>> you’ve checked that the client.keys file exists and contains the correct
>> information for the agent you are using as an example here?
>>
>> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jamey B
>> Sent: Monday, December 14, 2015 12:55 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Clients authenticate, but don't connect (Corp env)
>>
>> Thanks for that, I think this is a bigger issue than I believed judging by
>> the read out below from one of the agents not connecting.
>> Do you think the command you provided will fix it? It seems the install or
>> CONF file went wonky during the install, but the agent has been reinstalled
>> multiple times.
>>
>> root@adr318 # cat /var/ossec/logs/ossec.log
>> 2015/12/14 07:30:51 ossec-authd: INFO: Started (pid: 3787).
>> 2015/12/14 07:30:58 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> 2015/12/14 07:30:58 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2015/12/14 07:31:08 ossec-execd: INFO: Started (pid: 3875).
>> 2015/12/14 07:31:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>> 2015/12/14 07:31:08 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
>> 2015/12/14 07:31:08 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
>> 2015/12/14 07:31:08 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
>> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
>> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 07:31:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:11 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:17 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:17 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2015/12/14 07:31:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:19 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:32 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 07:31:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2015/12/14 09:50:10 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> 2015/12/14 09:50:10 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2015/12/14 09:50:20 ossec-execd: INFO: Started (pid: 15169).
>> 2015/12/14 09:50:20 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>> 2015/12/14 09:50:20 ossec-agentd(1410): INFO: Reading authentication keys file.
>> 2015/12/14 09:50:20 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
>> 2015/12/14 09:50:20 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
>> 2015/12/14 09:50:20 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
>> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
>> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
>> 2015/12/14 09:50:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:29 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:29 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2015/12/14 09:50:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2015/12/14 09:50:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> On Mon, Dec 14, 2015 at 2:41 PM, Santiago Bassett
>> <[email protected]> wrote:
>>
>> Try disabling counters. They lose synchronization especially when agents
>> are reinstalled.
>>
>> Edit /var/ossec/etc/internal_options.conf and set
>> "remoted.verify_msg_id=0"
>>
>> Then restart ossec manager.
>>
>> On Mon, Dec 14, 2015 at 9:43 AM, Jamey B <[email protected]> wrote:
>>
>> Hi everyone,
>>
>> I'm in a corporate environment, the environment we are deploying OSSEC to
>> has around 1000 servers (I did the manual install and increased the agent
>> limit). The firewall is allowing all UDP and TCP ports to pass through for
>> our deployment. No traffic is being blocked to/from the OSSEC manager.
>>
>> We distributed OSSEC to an environment via Puppet and are able to get the
>> agents to grab a client key over port 1515, but they are having issues
>> connecting. A handful do eventually connect, but the majority don't, I don't
>> see them come up in the OSSEC logs but they do appear as inactive agents.
>>
>> Any ideas as to why the majority of agents are not connecting, but do get
>> their keys?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/7u88Yy5W7Rk/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>>
>> Sincerely,
>>
>> James Bearden III
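
The client.keys comparison suggested in the thread (file format, encoding, non-printable characters) can be automated. The script below is an added example, not part of the original thread or of OSSEC; it assumes each line has the form `ID NAME IP KEY` separated by single spaces, and the sample data and key are constructed placeholders.

```python
import re
import sys

# Assumed layout (not stated in the thread): one agent per line,
# "ID NAME IP KEY", single spaces between fields, LF line endings.
AGENT_ID = re.compile(rb"\d+")

def check_client_keys(data):
    """Return a list of problems found in the raw bytes of a client.keys file."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte order mark")
        data = data[3:]
    if not data.strip():
        return problems + ["file contains no agent entries"]
    seen_ids = set()
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if not line:
            continue  # trailing newline or blank line
        if line.endswith(b"\r"):
            problems.append(f"line {lineno}: CRLF line ending")
            line = line[:-1]
        odd = sorted({b for b in line if b < 0x20 or b > 0x7E})
        if odd:
            shown = ", ".join(f"0x{b:02x}" for b in odd)
            problems.append(f"line {lineno}: non-printable or non-ASCII bytes ({shown})")
        fields = line.split(b" ")
        if len(fields) != 4 or b"" in fields:
            problems.append(f"line {lineno}: expected 4 space-separated fields, got {len(fields)}")
            continue
        agent_id = fields[0]
        if not AGENT_ID.fullmatch(agent_id):
            problems.append(f"line {lineno}: agent ID is not numeric")
        elif agent_id in seen_ids:
            problems.append(f"line {lineno}: duplicate agent ID {agent_id.decode()}")
        seen_ids.add(agent_id)
    return problems

# Constructed sample data; the key is a placeholder, not a real agent key.
KEY = b"a" * 64
GOOD = b"001 web01 10.0.0.5 " + KEY + b"\n"
BAD = b"\xef\xbb\xbf001 web01 10.0.0.5 " + KEY + b"\r\n001 db01\t10.0.0.6 " + KEY + b"\n"

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed BAD sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD
    for problem in check_client_keys(raw) or ["no problems found"]:
        print(problem)
```

Run it against the client.keys of a working agent and a non-working agent and compare the output; the script never prints the key field itself.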
