The manual agent installation works perfectly and it even shows HIDS events/alarms for my host/PC.

On Oct 3, 2016 10:51 PM, "Pedro Sanchez" <[email protected]> wrote:
>
> Hi,
>
> I think this could be a connectivity issue; ossec-authd looks like it is listening correctly. Did you try to add the agent manually and check for 1514 connectivity? I am not sure if both servers are able to communicate in a different way; try to use tcpdump on the server side and telnet on the other.
>
> Server:
>
>> tcpdump -i eth0 port 1515 -vv
>
>
> Agent:
>
>> telnet server_ip 1515
>
>
>
> Try to add it manually; if that works, we can keep going with the ossec authd deployment.
>
>
> On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]> wrote:
>>
>> Hi Pedro,
>>
>> Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am using AlienVault USM. Secondly, the ossec server is listening, so the server part is working; the problem I am getting is that the agent/client isn't able to connect to the server on port 1515, and I am not able to find out why my agent isn't able to communicate with the ossec server on port 1515. For that I even added port 1515 in iptables. Since the agent isn't able to communicate, tcpdump on the server shows 0 packets.
>>
>> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
>>
>>
>> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
>>>
>>> Hi Ali,
>>>
>>> Could you confirm that ossec-authd is running and listening on the sensor? You could use:
>>>>
>>>>
>>>> netstat -pna | grep 1515
>>>
>>>
>>> The expected output will be similar to:
>>>
>>>> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd
>>>
>>>
>>> It seems like you have some connectivity problems. Be sure that the agent can actually access port 1515; you could use tcpdump at the OSSEC Manager to listen for incoming packets to port 1515:
>>>
>>>> root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> 01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>>>     192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>>> 01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>>> 01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>>> 01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>>>>
>>>> Hi All,
>>>>
>>>>
>>>> I am trying to use ossec agent-auth for automatic agent key registration with the ossec server.
>>>>
>>>> I did the following on the server:
>>>>
>>>> openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>>>> openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>>>> /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>>> Add the following rule to /etc/ossim/firewall_include:
>>>> -A INPUT -p tcp --dport 1515 -j ACCEPT
>>>> Ran ossim-reconfig and then started /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & again, and the process starts.
>>>>
>>>>
>>>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent I get the following error:
>>>>
>>>>
>>>> 2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>>> 2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>>>
>>>> Any kind of help would be appreciated.
>>>>
>>>> Looking forward to your reply .
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.

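Added example, not part of the original thread: a Python helper that reads `tcpdump -vv` text like the capture quoted above and reports, per client, how far the TCP handshake to port 1515 got. The function names and the sample lines are constructed for illustration.

```python
import re

# Address/flags part of a tcpdump record: "A.B.C.D.sport > A.B.C.D.dport: Flags [..]"
REC = re.compile(
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")

def _state(seen):
    if "rst" in seen:
        return "reset"           # host reached, but no listener or a REJECT rule
    if {"syn", "synack", "ack"} <= seen:
        return "established"     # TCP path is fine; look at the layer above
    if "syn" in seen:
        return "syn-unanswered"  # SYN reached the interface, no reply went out
    return "incomplete"          # capture started mid-connection

def handshake_states(capture, port=1515):
    """Map each (client_ip, client_port) talking to `port` to a handshake state."""
    events = {}
    for src, sport, dst, dport, flags in REC.findall(capture):
        if int(dport) == port:       # client -> server
            key, to_server = (src, int(sport)), True
        elif int(sport) == port:     # server -> client
            key, to_server = (dst, int(dport)), False
        else:
            continue
        seen = events.setdefault(key, set())
        if "R" in flags:
            seen.add("rst")
        elif flags == "S" and to_server:
            seen.add("syn")
        elif flags == "S." and not to_server:
            seen.add("synack")
        elif "." in flags and to_server and "synack" in seen:
            seen.add("ack")
    return {client: _state(seen) for client, seen in events.items()}

# Constructed sample (IP header lines omitted), modelled on the quoted capture.
SAMPLE = """\
    192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], seq 2326532896, win 8192, length 0
    192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], seq 3245350808, ack 2326532897, length 0
    192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], seq 1, ack 1, win 2053, length 0
    192.168.1.31.40112 > 192.168.1.10.1515: Flags [S], seq 100, win 8192, length 0
    192.168.1.31.40112 > 192.168.1.10.1515: Flags [S], seq 100, win 8192, length 0
    192.168.1.32.51000 > 192.168.1.10.1515: Flags [S], seq 200, win 8192, length 0
    192.168.1.10.1515 > 192.168.1.32.51000: Flags [R.], seq 0, ack 201, win 0, length 0
"""

if __name__ == "__main__":
    for client, state in handshake_states(SAMPLE).items():
        print(client, state)
```

An empty result corresponds to the "0 packets" case reported in the thread: no traffic for port 1515 arrived on the captured interface at all.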