Hi, I think this could be a connectivity issue; ossec-authd looks to be listening correctly. Did you try to add the agent manually and check for 1514 connectivity? I am not sure if both servers are able to communicate in a different way; try to use tcpdump on the server side and telnet on the other.

Server: *tcpdump -i eth0 port 1515 -vv*
Agent: *telnet server_ip 1515*

Try to add it manually; if that works, we can keep going with ossec authd deployment.

On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]> wrote:

> Hi Pedro,
>
> Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am using AlienVault USM. Secondly, the ossec server is listening, so the server part is working; the problem I am getting is that the agent/client isn't able to connect to the server on port 1515, and I am not able to find out why my agent isn't able to communicate with the ossec server on port 1515. For that I even added port 1515 in iptables. Since the agent isn't able to communicate, tcpdump on the server shows 0 packets.
>
>     tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 5504/ossec-authd
>
> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
>
>> Hi Ali,
>>
>> Could you confirm that ossec-authd is running and listening on the sensor? You could use
>>
>>     netstat -pna | grep 1515
>>
>> The expected output will be similar to:
>>
>>     tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 9684/ossec-authd
>>
>> It seems like you have some connectivity problems. Be sure that the agent can actually access port 1515; you could use tcpdump at the OSSEC Manager to listen for incoming packets to port 1515:
>>
>>     root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>     tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>     01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>     01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>         192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>     01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>     01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>     01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>
>> Best regards,
>>
>> Pedro S.
>>
>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to use ossec agent-auth for auto agent key registration with the ossec server.
>>>
>>> I did the following on the server:
>>>
>>> 1. *openssl genrsa -out /var/ossec/etc/sslmanager.key 2048*
>>> 2. *openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365*
>>> 3. */var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &*
>>> 4. add the following rule to /etc/ossim/firewall_include :
>>> 5. *-A INPUT -p tcp --dport 1515 -j ACCEPT*
>>> 6. Run ossim-reconfig and then again started */var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &* and the process starts.
>>>
>>> However, when I run *./agent-auth -m 192.168.10.246 -p 1515* on the agent, I get the following error:
>>>
>>>     2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>>     2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>>
>>> Any kind of help would be appreciated.
>>>
>>> Looking forward to your reply.
>>>
>>> --
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
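
Added example, not part of the original thread and not OSSEC code: an agent-side replacement for the telnet check that classifies how the connection attempt to port 1515 ends and pairs each outcome with the matching step from the netstat/tcpdump procedure discussed above. The script name, the `probe` function and the `ADVICE` texts are assumptions made for this illustration.

```python
import errno
import socket
import sys

# Next step for each outcome, following the thread's netstat/tcpdump/telnet checks.
ADVICE = {
    "open": "TCP handshake completed: the network path to ossec-authd works, "
            "so look at agent-auth itself next.",
    "refused": "The connection was actively refused: the host is reachable but "
               "nothing accepted it. Check 'netstat -pna | grep 1515' on the "
               "manager and look for a REJECT rule.",
    "timeout": "No answer at all. If tcpdump on the manager also shows 0 packets, "
               "the SYN never arrives: check the manager IP, routing and any "
               "firewall between the two hosts. If tcpdump does show the SYN, "
               "the manager's own rules drop it or the reply is lost on the way back.",
    "unreachable": "No route to the manager: check addressing and routing.",
    "error": "Unexpected socket error: rerun with telnet to see the raw message.",
}


def probe(host, port=1515, timeout=3.0):
    """Try one TCP connect to host:port and classify how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


if __name__ == "__main__":
    # Usage: python3 probe_authd.py MANAGER_IP [PORT]
    if len(sys.argv) < 2:
        sys.exit("usage: probe_authd.py MANAGER_IP [PORT]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1515
    result = probe(sys.argv[1], target_port)
    print(f"{sys.argv[1]}:{target_port} -> {result}")
    print(ADVICE[result])
```

Run it on the agent while tcpdump is capturing on the manager, so the agent-side result and the manager-side packet count can be read together.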
