Hi Pedro,
Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am
using AlienVault USM. Secondly, the OSSEC server is listening, so the
server part is working. The problem I am getting is that the agent/client isn't
able to connect to the server on port 1515, and I am not able to find out
why my agent isn't able to communicate with the OSSEC server on port 1515. For
that I even added port 1515 in iptables. Since the agent isn't able to
communicate, tcpdump on the server shows 0 packets.

tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 5504/ossec-authd

On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
> Hi Ali,
>
> Could you confirm that ossec-authd is running and listening on the sensor?
> You could use
>
> netstat -pna | grep 1515
>
> The expected output will be similar to:
>
> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 9684/ossec-authd
>
> It seems like you have some connectivity problems. Be sure that the agent
> can actually access port 1515; you could use tcpdump on the OSSEC Manager to
> listen for incoming packets on port 1515:
>
> root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>     192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
> 01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
> 01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
> 01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>
> Best regards,
>
> Pedro S.
>
> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>
>> Hi All,
>>
>>
>> I am trying to use ossec agent-auth for automatic agent key registration with
>> the ossec server.
>>
>> I did the following on the server:
>>
>> 1. openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>> 2. openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>> 3. /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>> 4. Add the following rule to /etc/ossim/firewall_include:
>> 5. -A INPUT -p tcp --dport 1515 -j ACCEPT
>> 6. Run ossim-reconfig and then again started /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & and the process starts.
>>
>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent I get the following error:
>>
>> 2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>> 2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>
>> Any kind of help would be appreciated.
>>
>> Looking forward to your reply.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
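
An added example, not part of the thread or of OSSEC: a small probe to run from the agent host that classifies how a TCP connect to the ossec-authd port ends, which separates "nothing listening" from "packets dropped on the way". The names `probe_tcp` and `HINTS` are made up for this illustration; the default address and port are the ones quoted in the thread.

```python
import errno
import socket
import sys

# Outcome of a connect attempt -> what it says about the path to ossec-authd.
HINTS = {
    "open": "TCP handshake completed: the enrollment port is reachable.",
    "refused": "RST received: the host answers, but nothing listens on the port "
               "or a REJECT rule replied.",
    "filtered": "No answer to the SYN: dropped on the path (DROP rule, routing, "
                "wrong address). An empty tcpdump on the manager fits this case.",
    "unreachable": "No route to the host or network from this machine.",
    "error": "Other socket error; check the address and local configuration.",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


if __name__ == "__main__":
    # Defaults are the manager address and port quoted in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.246"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1515
    result = probe_tcp(host, port)
    print(f"{host}:{port} -> {result}: {HINTS[result]}")
```

tcpdump captures inbound packets before the manager's own iptables INPUT rules are applied, so a SYN dropped by a local rule would still appear in the capture. A "filtered" result together with an empty capture on the manager therefore points at something between the agent and the manager's interface, or at the wrong interface or address being used.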