Hi Vipin,

Prior to connecting to the manager, agents must be registered on it. For 
example, let the manager's IP be 1.1.1.1 and the agent's IP be 2.2.2.2.

First, use /var/ossec/bin/manage_agents to add an agent. Choose an 
arbitrary name for it, then you'll be asked for the agent's IP. If the 
agent's IP will always be the same (2.2.2.2), write it; otherwise, if the 
agent's IP is dynamic or can change, write "any" as the IP. The manager 
will reject an agent if its IP doesn't match the registered IP (unless 
it is "any").

When the agent is registered, use option E (in manage_agents) to 
extract the agent's key. Afterwards, go to the agent and run 
/var/ossec/bin/manage_agents. In this case you'll see that there's no option 
to add an agent, but you can import (option I) a key. Select that option and 
paste the key that you extracted from the manager.

You can get more information about agent management at: 
http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html

Now, restart the manager (in order to reload the agents' keys) and the 
agent. You should get a message in the log such as:

2016/11/07 10:55:27 ossec-agentd(4102): INFO: Connected to the server (1.1.1.1:1514).

The manager should trigger this alert:

** Alert 1478512792.55161: mail  - ossec,pci_dss_10.6.1,
2016 Nov 07 10:59:52 (CentOS) 2.2.2.2->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'CentOS->2.2.2.2'.

A common error is that the agent was not registered with the proper IP, or 
the key is not correctly imported into the agent. In this case, the 
manager's log would print messages like:

2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
or:
2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.

If you see those messages, check the previous steps. But if no message 
appears in the manager, packages may not be arriving to the server, so use 
tools such as netstat or tcpdump to check your network. By default, OSSEC uses 
port 1514/UDP.

Hope it helps.

Kind regards,
Victor.


On Saturday, November 5, 2016 at 10:24:25 AM UTC+1, vi...@acpl.com wrote:
>
> Hi,
>
> Can you help me with detailed information (Does the IP address of the 
> packets from this agent (as seen with tcpdump on the OSSEC server) match 
> the IP address in client.keys on the server). I am new to this product.
>
> Regards
> Vipin Hooda  
>
> On Tuesday, October 25, 2016 at 6:22:45 PM UTC+5:30, dan (ddpbsd) wrote:
>
>> On Tue, Oct 25, 2016 at 8:49 AM,  <vi...@acpl.com> wrote: 
>> > Hi, 
>> > 
>> > Agent to server communication issue is occurring on multiple machines and
>> > below logs are getting generated on client machine. We have requested
>> > customer to check packet drop on firewall but according to customer there is
>> > no packet drop on firewall for client machines.
>> >
>> > 2016/10/25 16:33:19 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x'.
>> > 2016/10/25 17:00:03 ossec-agent: INFO: Trying to connect to server (x.x.x.x:1514).
>> > 2016/10/25 17:00:03 ossec-agent: INFO: Using IPv4 for: x.x.x.x
>> > 
>>
>> Are there any log messages related to this agent in the ossec.log on the 
>> server? 
>> Does the IP address of the packets from this agent (as seen with 
>> tcpdump on the OSSEC server) match the IP address in client.keys on 
>> the server? 
>>
>> > Kindly help.. 
>> > 
>> > Regards 
>> > Vipin 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to ossec-list+...@googlegroups.com. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>
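
Added example, not part of the original thread and not OSSEC's own code: a small Python triage over the two ossec-remoted errors quoted in the reply above, checking each "Invalid ID" line against the manager's client.keys. It assumes client.keys lines have the layout "ID NAME IP KEY"; the function names, result labels and sample data are constructed for illustration.

```python
import ipaddress
import re

INVALID_ID = re.compile(r"ERROR: Invalid ID (\d+) for the source ip: '([^']+)'")
BAD_FORMAT = re.compile(r"ERROR: Incorrectly formated message from '([^']+)'")

def ip_allowed(registered, source):
    """True if the registered IP is 'any' or covers the packet's source address."""
    if registered == "any":
        return True
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(registered, strict=False)
    except ValueError:
        return False

def triage(manager_log, client_keys):
    """Return (agent_id, source, likely_cause) for each error line in ossec.log."""
    # Assumed client.keys layout: "ID NAME IP KEY", one agent per line.
    rows = (line.split() for line in client_keys.splitlines())
    registered = {r[0]: r[2] for r in rows if len(r) >= 4}
    findings = []
    for line in manager_log.splitlines():
        bad = BAD_FORMAT.search(line)
        inv = INVALID_ID.search(line)
        if bad:  # the agent's key does not match what the manager holds
            findings.append((None, bad.group(1), "reimport-key-on-agent"))
        elif inv:
            agent_id, src = inv.groups()
            if agent_id not in registered:
                cause = "id-not-registered"
            elif not ip_allowed(registered[agent_id], src):
                cause = "ip-mismatch"
            else:  # the file looks right, so the running manager may hold old keys
                cause = "restart-manager-to-reload-keys"
            findings.append((agent_id, src, cause))
    return findings

# Constructed sample input: dummy keys; the third log line is made up.
SAMPLE_KEYS = """001 web 2.2.2.2 0000deadbeef
002 laptop any 1111deadbeef
"""
SAMPLE_LOG = """2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.
2016/11/07 11:02:41 ossec-remoted(1408): ERROR: Invalid ID 001 for the source ip: '3.3.3.3'.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_KEYS):
        print(finding)
```

On a real manager, feed it the contents of ossec.log and client.keys; the cause labels are hints drawn from the steps in this thread, not OSSEC diagnostics.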
