On Fri, Aug 31, 2018 at 9:53 AM Don_Johny <[email protected]> wrote:
>
> Hello, I have a problem connecting agents. I installed OSSEC on Ubuntu Server 
> 16.04 virtual machines, added agents (with IP and any), extracted the key, but 
> when I view the agent list I get only "No agent available". Does anyone know 
> what the issue is? Here are my logs from the machines. Any help is 
> appreciated, thanks in advance.

Make sure the firewall on the OSSEC server is allowing traffic in on UDP 1514.
Restart the OSSEC server in debug mode (`/var/ossec/bin/ossec-control
enable debug && /var/ossec/bin/ossec-control restart`).
Check the logs when the agent is trying to connect.
Use tcpdump to see if the agent's connection attempts are making it to
the server. If so, does the server reply?

> Log file from server :
> 2018/08/31 13:07:57 ossec-analysisd: INFO: White listing IP: '
> 2018/08/31 13:07:57 ossec-analysisd: INFO: 7 IPs in the white list for active 
> response.
> 2018/08/31 13:07:57 ossec-analysisd: INFO: White listing Hostname: '::1'
> 2018/08/31 13:07:57 ossec-analysisd: INFO: 1 Hostname(s) in the white list 
> for active response.
> 2018/08/31 13:07:57 ossec-analysisd: INFO: Started (pid: 5794).
> 2018/08/31 13:07:58 ossec-monitord: INFO: Started (pid: 5813).
> 2018/08/31 13:07:58 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '16384'.
> 2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys 
> file.
> 2018/08/31 13:07:58 ossec-remoted: INFO: No previous counter available for 
> 'sv2'.
> 2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: 
> '0:0'.
> 2018/08/31 13:07:58 ossec-remoted: INFO: No previous sender counter.
> 2018/08/31 13:07:58 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' 
> (active-response queue)
> 2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' 
> (exec queue)
> 2018/08/31 13:08:02 ossec-syscheckd: INFO: Started (pid: 5810).
> 2018/08/31 13:08:02 ossec-rootcheck: INFO: Started (pid: 5810).
>
> 2018/08/31 13:08:03 ossec-logcollector: INFO: Started (pid: 5799).
> 2018/08/31 13:08:22 INFO: Connected to 127.0.1.1 at address 127.0.1.1, port 25
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck scan (forwarding 
> database).
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck database 
> (pre-scan).
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Initializing real time file 
> monitoring (not started).
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/log/messages'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/log/secure'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/log/xferlog'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/log/maillog'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/www/logs/access_log'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/www/logs/error_log'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, 
> ignoring it: '/var/log/exim_mainlog'.
> 2018/08/31 13:13:21 ossec-syscheckd(1124): ERROR: Could not rename file 
> '/usr/bin/vmware-user' to 
> '/var/ossec/queue/diff/local/usr/bin/vmware-user/last-entry' due to [(2)-(No 
> such file or directory)].
>
> Log from agent :
>
> 2018/08/31 12:34:46 ossec-execd: INFO: Started (pid: 10201).
> 2018/08/31 12:34:46 ossec-agentd: INFO: Using notify time: 600 and max time 
> to $
> 2018/08/31 12:34:46 ossec-agentd(1410): INFO: Reading authentication keys 
> file.
> 2018/08/31 12:34:46 ossec-agentd: INFO: Started (pid: 10205).
> 2018/08/31 12:34:46 ossec-agentd: INFO: Server 1: 157.97.106.107
> 2018/08/31 12:34:46 ossec-agentd: INFO: Trying to connect to server 
> 157.97.106.$
> 2018/08/31 12:34:46 INFO: Connected to 157.97.106.107 at address 
> 157.97.106.107$
> 2018/08/31 12:34:46 rootcheck: System audit file not configured.
> 2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '157.97.106.107'.
> 2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 
> 157.97.106.107, port 1514.
> 2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 
> 157.97.106.107, port 1514
> 2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '157.97.106.107'.
> 2018/08/31 13:09:09 ossec-agentd: INFO: Trying to connect to server 
> 157.97.106.107, port 1514.
> 2018/08/31 13:09:09 INFO: Connected to 157.97.106.107 at address 
> 157.97.106.107, port 1514
> 2018/08/31 13:09:11 ossec-syscheckd: INFO: Starting syscheck scan (forwarding 
> database).
> 2018/08/31 13:09:11 ossec-syscheckd: WARN: Process locked. Waiting for 
> permission...
> 2018/08/31 13:09:30 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '157.97.106.107'.
> 2018/08/31 13:10:08 ossec-agentd: INFO: Trying to connect to server 
> 157.97.106.107, port 1514.
> 2018/08/31 13:10:08 INFO: Connected to 157.97.106.107 at address 
> 157.97.106.107, port 1514
> 2018/08/31 13:10:21 ossec-logcollector: WARN: Process locked. Waiting for 
> permission...
> 2018/08/31 13:10:29 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '157.97.106.107'.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
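
A way to summarise the two quoted logs before moving on to the firewall and tcpdump checks suggested in the reply. This is an added example, not part of the original thread and not OSSEC code; the function name `triage` and the 4102 success line are assumptions, and the sample lines are copied (unwrapped) from the logs quoted above.

```python
import re

# Lines copied from the agent and server logs quoted in this thread (unwrapped).
AGENT_LOG = """\
2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:09:09 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:09:09 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:09:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
"""
SERVER_LOG = """\
2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys file.
2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: '0:0'.
"""

TRY = re.compile(r"Trying to connect to server (\S+), port (\d+)")
WAIT = re.compile(r"ossec-agentd\(4101\): WARN: Waiting for server reply")
# Assumption: a 4102 "Connected to the server" line marks success; none is on the page.
ACKED = re.compile(r"ossec-agentd\(4102\)")
COUNTER = re.compile(r"ossec-remoted: INFO: Assigning counter for agent (\S+): '(\d+:\d+)'")

def triage(agent_log, server_log):
    """Summarise the handshake state that the agent and server logs describe."""
    tries = TRY.findall(agent_log)
    result = {
        "targets": sorted({f"{ip}:{port}" for ip, port in tries}),
        "attempts": len(tries),
        "unanswered": len(WAIT.findall(agent_log)),
        "acked": bool(ACKED.search(agent_log)),
        # Agents for which remoted had no saved counter at startup and assigned 0:0.
        "fresh_counters": [n for n, c in COUNTER.findall(server_log) if c == "0:0"],
    }
    # The plain "Connected to" lines are not counted as success here: in this
    # log every one of them is still followed by another 4101 warning.
    stuck = result["attempts"] > 0 and result["unanswered"] > 0 and not result["acked"]
    result["verdict"] = "agent never got a server reply" if stuck else "no unanswered handshake found"
    return result

if __name__ == "__main__":
    print(triage(AGENT_LOG, SERVER_LOG))
```

With the quoted logs the verdict is that the agent never got a reply from 157.97.106.107:1514, which is the case the firewall and tcpdump steps are meant to narrow down.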
