On Wed, Sep 27, 2017 at 10:11 AM, James Stallard
<[email protected]> wrote:
> Dan/Jeff - thanks for the quick response! I know this sounds like a rookie
> problem, but I have run out of debugging tools:
>
> In summary:
> 1) the pb. is with clients from other subnets,
> 2) I DO have connectivity via udp1514 bi-directionally (confirmed by nc) - I
> don't think any other ports are required for basic client/server
> communication. Let me know if otherwise.
> 3) I've extracted/added keys manually
> 4) I've iptables turned off (have connectivity, but nonetheless)
> 5) The only errors I see in the logs - client side - are 'waiting for server
> to reply (not started).'
> 6) No errors on server side - nothing revealed with debug on that was of any
> use.
> 7) bin/agent-control lists all the clients as Never Connected (except the
> one on same subnet/VPC)
>
> So, strange... I have a server & around 15 clients working in another AWS
> account - same chef cookbook.
> Any idea how to see what's going on?
> I'm running out of tools to debug this.
>

Everything points to the server not seeing the messages from the
agents. If the keys were wrong there would be an error in the server's
ossec.log. If the IPs were wrong, there would be an error in the
server's ossec.log.
I guess you could try tracing the ossec-remoted process on the server,
but that would output so much data it'd be tough to go through.


> Jim.
> The client side ossec-control doesn't take the enable debug option.
>
>
>
> Adding the debug flag
> On Wednesday, September 27, 2017 at 08:44:42 UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Sep 26, 2017 at 12:41 PM, James Stallard
>> <[email protected]> wrote:
>> > Help anyone:
>> > OK, I'm at a loss
>> > Running version:
>> > # ./ossec-analysisd -V
>> > OSSEC HIDS v2.8 - Trend Micro Inc.
>> > CentOS release 6.7 (Final)
>> > On AWS
>> >
>> > I've distributed the keys by hand via manage_agents
>> > and confirmed there is UDP connectivity from agent to server & back:
>> >
>> > Connection to aaa.zz.yy.xx 1514 port [udp/fujitsu-dtcns] succeeded!
>> >
>> > Yet I am still getting:: WARN: Waiting for server reply (not started).
>> > Tried: 'aaa.zz.yy.xx'
>> > The IP@ and port # on the agent is correct (in ossec.conf *and* in
>> > ossec.log)
>> >
>> > I do have one agent that connects - it's on the same VPC as the server,
>> > so I suspect a connectivity issue, but I can connect (at least via nc)
>> > so I don't get it.
>> >
>> > I also don't see anything in the logs that indicates a configuration
>> > error - including with the debug flag set.
>> >
>> > Any suggestions on debugging this one?
>> >
>>
>> Enable debugging on the manager (`/var/ossec/bin/ossec-control enable
>> debug && /var/ossec/bin/ossec-control restart`).
>> Watch ossec.log to see if it complains.
>> Make sure there are no firewalls blocking the traffic.
>>
>> >
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.