Hi, I started over with the ossec-hids-2.8.3-3. I have been able to get the database working correctly, but I think my agents are messed up. I ran the ossec batch manager to recreate the keys and I ran /var/ossec/bin/manage_agents -i new key on each of the servers I want to monitor. I have restarted the ossec processes on both the clients and the ossec server but I don't seem to be getting any connections from the clients. On the client side I see:
2016/12/13 14:39:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.xx.xx.71'.
2016/12/13 14:39:31 ossec-agentd: INFO: Trying to connect to server (10.xx.xx.71:1514).
2016/12/13 14:39:31 ossec-agentd: INFO: Using IPv4 for: 10.xx.xx.71 .

And I am not seeing any connections on the server side, but I see the port is open:

[root@OSSEC ossec]# netstat -an | grep 1514
udp 0 0 0.0.0.0:1514 0.0.0.0:*

I checked with our network guy to see if there is a problem there and he confirmed that we aren't blocking the port or anything.

Sean

On Monday, December 12, 2016 at 5:37:10 PM UTC-7, jose wrote:
>
> Hi Sean,
>
> What rpm are you using? wazuh-manager-1.1.1-3 or ossec-hids-2.8.3-3?
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On December 12, 2016 at 5:25:41 PM, Sean Roe (sea...@gmail.com) wrote:
>
> Hi all,
>
> I have installed the ossec server using the Wazuh rpms and it is running
> well. I have 20 servers sending data to it and they are working great. I
> would like to write the data out to a mysql database and was wondering what
> the right procedure would be. Do I uninstall the rpm first then compile
> from source? Or is there an option to enable the database from the rpm
> install? The reason I would like this is to use the old web gui so I can
> show the management types "Look we can see quickly what has changed and
> when". I eventually want to integrate with our splunk server but this
> seemed like a nice way to show filesystem changes quickly.
>
> Thanks,
> Sean
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.