Hi,

I have installed the OSSEC server on CentOS 6.9. Everything is working as
expected.

One error I am noticing in my logs comes from the client server. The client
server is also running on CentOS 6.9.

Details from the OSSEC server/manager:

[root@al ~]# /var/ossec/bin/ossec-authd -v /var/ossec/etc/sslmanager.cert -d

2017/06/16 06:06:33 ossec-authd: DEBUG: Starting ...

2017/06/16 06:06:33 ossec-authd: INFO: Started (pid: 6097).

2017/06/16 06:06:33 ossec-authd: DEBUG: Peer verification requested.

2017/06/16 06:06:33 ossec-authd: DEBUG: Returning CTX for server.

2017/06/16 06:06:33 ossec-authd: Unable to bind to port 1515


[root@al ~]# tcpdump -i eth0 port 1515 -vv

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 
bytes

06:16:59.804739 IP (tos 0x10, ttl 64, id 31414, offset 0, flags [DF], proto 
TCP (6), length 60)

    10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [S], cksum 0xfcd2 
(correct), seq 3432935783, win 17922, options [mss 8961,sackOK,TS val 
1444817 ecr 0,nop,wscale 6], length 0

06:16:59.804780 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP 
(6), length 60)

    10.24.211.37.ifor-protocol > 10.24.211.130.56622: Flags [S.], cksum 
0x27c1 (correct), seq 1407314966, ack 3432935784, win 17898, options [mss 
8961,sackOK,TS val 1348875 ecr 1444817,nop,wscale 7], length 0

06:16:59.805215 IP (tos 0x10, ttl 64, id 31415, offset 0, flags [DF], proto 
TCP (6), length 52)

    10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [.], cksum 0xb8aa 
(correct), seq 1, ack 1, win 281, options [nop,nop,TS val 1444818 ecr 
1348875], length 0

06:17:02.704313 IP (tos 0x10, ttl 64, id 31416, offset 0, flags [DF], proto 
TCP (6), length 57)

    10.24.211.130.56622 > x.x.x.37.ifor-protocol: Flags [P.], cksum 0xa757 
(correct), seq 1:6, ack 1, win 281, options [nop,nop,TS val 1447717 ecr 
1348875], length 5

06:17:02.704397 IP (tos 0x0, ttl 64, id 31004, offset 0, flags [DF], proto 
TCP (6), length 52)

    10.24.211.37.ifor-protocol > x.x.x.130.56622: Flags [.], cksum 0xa28c 
(correct), seq 1, ack 6, win 140, options [nop,nop,TS val 1351774 ecr 
1447717], length 0

2017/06/16 06:17:02 ossec-authd: ERROR: SSL Error (-1)

140489331664744:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:350:

06:17:02.713275 IP (tos 0x0, ttl 64, id 31005, offset 0, flags [DF], proto 
TCP (6), length 52)



[root@al ~]# netstat -tunlp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             
State 
      PID/Program name   

tcp        0      0 0.0.0.0:9654                0.0.0.0:*                   
LISTEN      5939/python         

tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   
LISTEN      1089/sshd           

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   
LISTEN      1187/master         

tcp        0      0 :::1515                     :::*                        
LISTEN      6360/ossec-authd    

tcp        0      0 :::22                       :::*                        
LISTEN      1089/sshd           

tcp        0      0 ::1:25                      :::*                        
LISTEN      1187/master         

udp        0      0 0.0.0.0:68                  0.0.0.0:*                   
            829/dhclient        

udp        0      0 :::1514                     :::*                        
            6485/ossec-remoted  


[root@al ~]# lsof -P -c ossec-remoted

COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF   NODE NAME

ossec-rem 6485 ossecr  cwd    DIR              202,1     4096 401636 
/var/ossec

ossec-rem 6485 ossecr  rtd    DIR              202,1     4096 401636 
/var/ossec

ossec-rem 6485 ossecr  txt    REG              202,1   231568   6005 
/var/ossec/bin/ossec-remoted

ossec-rem 6485 ossecr  mem    REG              202,1    66432 264229 
/lib64/libnss_files-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1   122056 264206 
/lib64/libselinux.so.1

ossec-rem 6485 ossecr  mem    REG              202,1   111440 264239 
/lib64/libresolv-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1    10192 267113 
/lib64/libkeyutils.so.1.3

ossec-rem 6485 ossecr  mem    REG              202,1    43728 267126 
/lib64/libkrb5support.so.0.1

ossec-rem 6485 ossecr  mem    REG              202,1   174840 267122 
/lib64/libk5crypto.so.3.1

ossec-rem 6485 ossecr  mem    REG              202,1    14664 264654 
/lib64/libcom_err.so.2.1

ossec-rem 6485 ossecr  mem    REG              202,1   946048 267124 
/lib64/libkrb5.so.3.3

ossec-rem 6485 ossecr  mem    REG              202,1   277704 267118 
/lib64/libgssapi_krb5.so.2.2

ossec-rem 6485 ossecr  mem    REG              202,1  1924768 264213 
/lib64/libc-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1  1971488 267162 
/usr/lib64/libcrypto.so.1.0.1e

ossec-rem 6485 ossecr  mem    REG              202,1   443416 267164 
/usr/lib64/libssl.so.1.0.1e

ossec-rem 6485 ossecr  mem    REG              202,1    44472 264241 
/lib64/librt-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1    88600 264623 
/lib64/libz.so.1.2.3

ossec-rem 6485 ossecr  mem    REG              202,1    20024 264219 
/lib64/libdl-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1   218880 280017 
/usr/lib64/libGeoIP.so.1.6.9

ossec-rem 6485 ossecr  mem    REG              202,1   143280 264237 
/lib64/libpthread-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1   596864 264221 
/lib64/libm-2.12.so

ossec-rem 6485 ossecr  mem    REG              202,1   159232 264193 
/lib64/ld-2.12.so

ossec-rem 6485 ossecr    0u   CHR                1,3      0t0   3923 
/dev/null

ossec-rem 6485 ossecr    1u   CHR                1,3      0t0   3923 
/dev/null

ossec-rem 6485 ossecr    2u   CHR                1,3      0t0   3923 
/dev/null

ossec-rem 6485 ossecr    3u  IPv6             576376      0t0    UDP *:1514 

ossec-rem 6485 ossecr    4u  unix 0xffff88007bfe0780      0t0 576379 
/queue/alerts/ar

ossec-rem 6485 ossecr    5u  unix 0xffff88007bfe0b00      0t0 576399 socket

ossec-rem 6485 ossecr    6u   REG              202,1        7   6196 
/var/ossec/queue/rids/1024

ossec-rem 6485 ossecr    7u   REG              202,1        6   6217 
/var/ossec/queue/rids/sender_counter


[root@al ~]#  lsof -P -a -i -c ossec-remoted

COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

ossec-rem 6485 ossecr    3u  IPv6 576376      0t0  UDP *:1514 


[root@al ~]# ps aux | grep oss

root      5939  0.0  0.5 254816  9672 pts/0    Sl   06:05   0:00 
/usr/bin/python /opt/auto-ossec/auto_server.py

root     16049  0.0  0.1  44188  2840 pts/0    S    06:33   0:00 
/var/ossec/bin/ossec-authd -p 1515

ossecm   16157  0.0  0.0  46200   916 ?        S    06:33   0:00 
/var/ossec/bin/ossec-maild

root     16160  0.0  0.0  46692   888 ?        S    06:33   0:00 
/var/ossec/bin/ossec-execd

ossec    16165  0.0  0.1  45872  2836 ?        S    06:33   0:00 
/var/ossec/bin/ossec-analysisd

root     16169  0.0  0.0  42040   904 ?        S    06:33   0:00 
/var/ossec/bin/ossec-logcollector

root     16175  0.5  0.0  42640  1716 ?        S    06:33   0:03 
/var/ossec/bin/ossec-syscheckd

ossec    16178  0.0  0.0  44224   880 ?        S    06:33   0:00 
/var/ossec/bin/ossec-monitord

root     16396  0.0  0.0 103328   876 pts/0    S+   06:44   0:00 grep oss
Here is the information from the agent server:

2017/06/16 06:35:11 ossec-agentd(1218): ERROR: Unable to send message to 
'server'.

2017/06/16 06:35:12 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: 'ossec-server.al'.

2017/06/16 06:35:14 ossec-agentd: INFO: Trying to connect to server 
ossec-server.al, port 1514.

2017/06/16 06:35:14 INFO: Connected to ossec-server.al at address x.x.x.37, 
port 1514

2017/06/16 06:35:24 ossec-agentd(1218): ERROR: Unable to send message to 
'server'.

2017/06/16 06:35:36 ossec-agentd(1218): ERROR: Unable to send message to 
'server'.


One more interesting thing I am noticing: whenever I connect with telnet from
my agent server

[root@al-a ~]# telnet ossec-server.al 1515

Trying x.x.x.37...

Connected to ossec-server.al.

Escape character is '^]'.  


the OSSEC server/manager shows this:

[root@x.x.x-37 ~]# 2017/06/16 06:15:03 ossec-authd: ERROR: SSL Error (-1)

1404891111664744:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:350:

