Hi, I just ran some tests on Wazuh 1.1.1 and agent-auth is running properly.

If you want to take a deeper look into it by going into the C code, you can review this file: os_auth main-client <https://github.com/wazuh/ossec-wazuh/blob/master/src/os_auth/main-client.c#L271>

The error you are getting is strictly related to the TCP connection.

On Tue, Oct 4, 2016 at 4:07 PM, Dodain Dodo <[email protected]> wrote:
> Hi Pedro,
>
> I have already done all these things. Your and my netstat results are the same. 1515 is in listening state and 1514 is also there. Sorry, since it (1514) is a UDP port, how can it be in listening mode? My bad.
>
>     udp   0   0   0.0.0.0:1514   0.0.0.0:*            27560/ossec-remoted
>     tcp   0   0   0.0.0.0:1515   0.0.0.0:*   LISTEN   5504/ossec-authd
>
> So we are back where we started. The server end is fine and the ossec agent is sending logs on 1514, but 1515, although in listening state, is not able to make a connection with the ossec server. Is your agent-auth working fine?
>
>     /var/ossec/bin/agent-auth -m x.x.x.x -p 1515
>
> Moreover, I was interested in reading the source code for agent-auth, to see if I can find a workaround. :)
>
> On Tue, Oct 4, 2016 at 1:49 PM, Pedro S <[email protected]> wrote:
>> Hi again,
>>
>> I don't really understand how it works if you don't have any OSSEC listening on 1514; maybe you are mistaking the hosts. On my labs, if I run
>>
>>     netstat -tunlp
>>
>> the output for OSSEC will be:
>>
>>     udp   0   0   0.0.0.0:1514   0.0.0.0:*            14287/ossec-remoted
>>     tcp   0   0   0.0.0.0:1515   0.0.0.0:*   LISTEN   9684/ossec-authd
>>
>> Another tool for analysis is "traceroute"; you can see how many hops there are and how you are getting to the OSSEC manager destination.
>> Debian: apt-get install traceroute
>>
>>     traceroute your_ossec_server
>>
>> Hope it helps. I am sorry I am not being so helpful, but I don't really know your network, so I am not sure what could be happening there :D
>>
>> On Tuesday, October 4, 2016 at 9:25:46 AM UTC+2, Ali Khan wrote:
>>> These are the listening ports on the server:
>>>
>>>     Proto Recv-Q Send-Q Local Address      Foreign Address   State
>>>     tcp   0      0      127.0.0.1:25       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:443        0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:40001      0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:40002      0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:514        0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:40003      0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:40004      0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:25672      0.0.0.0:*         LISTEN
>>>     tcp   0      0      127.0.0.1:40009    0.0.0.0:*         LISTEN
>>>     tcp   0      0      127.0.0.1:27017    0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:3306       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:40011      0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:1515       0.0.0.0:*         LISTEN
>>>     tcp   0      0      127.0.0.1:6379     0.0.0.0:*         LISTEN
>>>     tcp   0      0      127.0.0.1:11211    0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:6380       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:9390       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:9391       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:80         0.0.0.0:*         LISTEN
>>>     tcp   0      0      127.0.0.1:28017    0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:4369       0.0.0.0:*         LISTEN
>>>     tcp   0      0      0.0.0.0:22         0.0.0.0:*         LISTEN
>>>     tcp6  0      0      :::3128            :::*              LISTEN
>>>     tcp6  0      0      :::514             :::*              LISTEN
>>>     tcp6  0      0      :::40005           :::*              LISTEN
>>>     tcp6  0      0      :::40006           :::*              LISTEN
>>>     tcp6  0      0      :::5672            :::*              LISTEN
>>>     tcp6  0      0      :::6380            :::*              LISTEN
>>>     tcp6  0      0      :::22              :::*              LISTEN
>>>
>>> Now 1515 is in listening state and is also allowed in iptables, but I am not able to telnet it. Moreover, when I do manual agent key registration, it works perfectly. I even checked by doing some failed login attempts, and those login attempts were shown on the AV dashboard by HIDS after I did manual key registration, but when I netstat, 1514 isn't shown as in listening state. Now all these things contradict each other, and I myself don't know what's happening here. Neither 1515 nor 1514 can be telneted, but failed login attempts on the system for which I did manual registration are being shown on the dashboard, and OSSEC uses 15154 for this purpose, but 1514 can't be telneted and isn't in listening state, and when I run nmap none of these ports are open.
>>>
>>> On Mon, Oct 3, 2016 at 10:58 PM, Dodain Dodo <[email protected]> wrote:
>>>> The manual agent installation works perfectly and it even shows HIDS events/alarms for my host/PC.
>>>>
>>>> On Oct 3, 2016 10:51 PM, "Pedro Sanchez" <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I think this could be a connectivity issue. ossec-authd looks to be listening correctly; did you try to add the agent manually and check for 1514 connectivity? I am not sure if both servers are able to communicate in a different way; try to use tcpdump on the server side and telnet on the other.
>>>>>
>>>>> Server:
>>>>>
>>>>>     tcpdump -i eth0 port 1515 -vv
>>>>>
>>>>> Agent:
>>>>>
>>>>>     telnet server_ip 1515
>>>>>
>>>>> Try to add it manually; if that works, we can keep going with the ossec-authd deployment.
>>>>>
>>>>> On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]> wrote:
>>>>>> Hi Pedro,
>>>>>>
>>>>>> Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am using AlienVault USM. Secondly, the ossec server is listening, so the server part is working; the problem I am getting is that the agent/client isn't able to connect to the server on port 1515, and I am not able to find out why my agent isn't able to communicate with the ossec server on port 1515. For that I even added port 1515 in iptables. Since the agent isn't able to communicate, tcpdump on the server shows 0 packets.
>>>>>>
>>>>>>     tcp   0   0   0.0.0.0:1515   0.0.0.0:*   LISTEN   5504/ossec-authd
>>>>>>
>>>>>> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
>>>>>>> Hi Ali,
>>>>>>>
>>>>>>> Could you confirm that ossec-authd is running and listening on the sensor? You could use
>>>>>>>
>>>>>>>     netstat -pna | grep 1515
>>>>>>>
>>>>>>> The expected output will be similar to:
>>>>>>>
>>>>>>>     tcp   0   0   0.0.0.0:1515   0.0.0.0:*   LISTEN   9684/ossec-authd
>>>>>>>
>>>>>>> It seems like you have some connectivity problems. Be sure that the agent can actually access port 1515; you could use tcpdump on the OSSEC manager to listen for incoming packets to port 1515:
>>>>>>>
>>>>>>>     root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>>>>>>     tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>>>>     01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>>>     01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>>>         192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>>>>>>     01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>>>>>>     01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>>>>>>         192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>>>>>>     01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pedro S.
>>>>>>>
>>>>>>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I am trying to use ossec agent-auth for automatic agent key registration with the ossec server.
>>>>>>>>
>>>>>>>> I did the following on the server:
>>>>>>>>
>>>>>>>>     openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>>>>>>>>     openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>>>>>>>>     /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>>>>>>>
>>>>>>>> Added the following rule to /etc/ossim/firewall_include:
>>>>>>>>
>>>>>>>>     -A INPUT -p tcp --dport 1515 -j ACCEPT
>>>>>>>>
>>>>>>>> Ran ossim-reconfig and then again started /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & and the process starts.
>>>>>>>>
>>>>>>>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent I get the following error:
>>>>>>>>
>>>>>>>>     2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>>>>>>>     2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>>>>>>>
>>>>>>>> Any kind of help would be appreciated.
>>>>>>>>
>>>>>>>> Looking forward to your reply.
>>>>>>>>
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
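The triage the thread does by hand (telnet to 1515 from the agent, nmap showing none of the ports open, tcpdump on the manager seeing 0 packets while netstat shows ossec-authd in LISTEN) comes down to telling an open port apart from a closed one and from one whose SYN is being dropped. The following Python checker makes that distinction explicit and pairs each verdict with what it means for agent-auth's "Unable to connect" error. It is an added example, not code from the thread or from OSSEC/Wazuh; the stub listener it starts is a stand-in for ossec-authd on 1515, and the hosts, ports and wording of the interpretations are the example's own.

```python
"""Classify TCP reachability of a manager port the way the thread does by hand
with telnet/nmap/tcpdump: open (SYN-ACK), closed (RST) or filtered (no reply).
Added example; not part of OSSEC/Wazuh."""
import socket
import threading

# What each outcome means in the thread's terms (run this from the agent host).
# The interpretations are this example's own, not text from the thread.
MEANING = {
    "open": "TCP handshake completed: the listener answers, so the transport "
            "path is fine and the failure must be after connect (TLS/authd).",
    "closed": "RST received: the host is reachable but nothing listens there "
              "(check netstat -tunlp on the manager, and that it is the right host).",
    "filtered": "No reply before the timeout: something drops the SYN on the way; "
                "tcpdump on the manager will then show 0 packets, as in the thread.",
}


def classify_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable: <reason>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST came back: nothing listening
        return "closed"
    except socket.timeout:              # SYN (or SYN-ACK) silently dropped
        return "filtered"
    except OSError as e:                # e.g. no route to host / network unreachable
        return "unreachable: %s" % (e.strerror or e)
    finally:
        s.close()


def triage(host, port, timeout=3.0):
    """Run the check and attach the interpretation for the verdict."""
    verdict = classify_tcp(host, port, timeout)
    why = MEANING.get(verdict, "No route from this host; check routing with traceroute first.")
    return verdict, why


def start_stub_listener(host="127.0.0.1"):
    """Bind an ephemeral TCP port and accept (then drop) connections in the
    background. Stand-in for ossec-authd on 1515. Returns (server_socket, port);
    close the socket to stop the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host="127.0.0.1"):
    """Pick a port nothing listens on, to provoke the 'closed' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # Usage: python3 tcp_triage.py <manager_ip> [port]   (default port 1515)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1515
    verdict, why = triage(target_host, target_port)
    print("%s:%d -> %s\n  %s" % (target_host, target_port, verdict, why))
```

A "filtered" verdict from the agent together with an empty tcpdump on the manager points at a device between the two (or a host firewall on the agent side), whereas "closed" means the SYN did arrive and the manager's own listener or address is the thing to re-check; "open" with agent-auth still failing moves the problem past TCP, which is where the main-client.c link above becomes relevant.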
