Hmmm.... I was under the impression that it was port 514 based on this bit of the installation.

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

So does it need both ports? Or is that only for remote syslog?

So yeah... changing... the firewall to let 1514 through fixed things. :) Reading is fundamental I guess.

Daniel Cid wrote:
>
> Hi Brian,
>
> On the last version we added some form of "established" connection between the
> server and agents. So, before it starts, the agent sends a synchronization message
> to the server and waits for an "ack" back. How are your firewall rules configured? Do
> they allow any traffic from the agent to server (udp port 1514) and vice-versa? Note
> that the port ossec uses is 1514, not 514 (it always was 1514).
>
> To troubleshoot your firewall, try the following:
>
> 1-Stop the agent.
> 2-Run tcpdump on the agent and tcpdump on the server:
>    # tcpdump -i interface udp port 1514 and host <agent_ip>
> 3-Start the agent.
> You should see something like that on both sides (if you don't, there is a firewall
> problem):
>
>    21:16:16.205580 agent_ip.port > server_ip.1514: udp 73 (DF)
>    21:16:16.209441 server_ip.1514 > agent_ip.port: udp 73
>
> You can also try the following (using netcat):
>
> 1-Stop server and agent.
> 2-Start nc listener on server:
>    # nc -u -l 1514
> 3-Start nc client on agent:
>    # nc -u <server_ip> 1514
> 4-You should be able to send messages from one side to the other. If this test
> fails, there is a fw problem..
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 9/28/06, Brian Avis <[EMAIL PROTECTED]> wrote:
>>
>> I just upgraded to v0.9.2 and now my Solaris Agent is not connecting to
>> my Linux server.
>>
>> I checked the iptables on the server and it looks like the server should
>> be able to communicate just fine on port 514.
>>
>> But when I go to the agent it shows this in the logs.
>>
>>
>> 2006/09/28 10:20:42 ossec-agentd: Started (pid: 27260).
>> 2006/09/28 10:20:42 ossec-agentd: Connecting to server (10.1.1.13:1514).
>> 2006/09/28 10:20:45 ossec-syscheckd: Started (pid: 27268).
>> 2006/09/28 10:20:49 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
>> 2006/09/28 10:20:49 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
>> 2006/09/28 10:20:49 ossec-logcollector: Started (pid: 27264).
>> 2006/09/28 10:20:57 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:21:13 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:21:44 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:22:30 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:23:31 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:24:47 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:26:18 ossec-agentd(4101): Waiting for server reply (not started).
>> 2006/09/28 10:28:05 ossec-agentd(4101): Waiting for server reply (not started).
>>
>>
>>
>> Was there a change in the new version on the port? Is there a typo? Why
>> does it say Connecting to server (10.1.1.13:1514)? Or am I barking up
>> the wrong tree here?
>>
>>
>>
>> --
>> Brian Avis
>> SEARHC Medical Clinic
>> Juneau, AK 99801
>> (907) 463-4049
>> Have a nice diurnal anomaly!
>>
>

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!
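The mismatch in this thread (firewall opened for udp/514, agent actually using udp/1514) can be caught from the agent's own log before reaching for tcpdump. The script below is an added example and is not part of the thread or of OSSEC itself: it pulls the server address and port out of the `Connecting to server (...)` line, counts the repeated `Waiting for server reply` messages, and cross-checks the port against a server-side INPUT rule listing. The agent log is a shortened copy of the one quoted above; the iptables lines are constructed to look like `iptables -S INPUT` output and are an assumption about how that listing is formatted on the reader's system.

```python
"""Diagnose an ossec-agentd log that is stuck waiting for the server ack
and check whether the server firewall opens the UDP port the agent uses.
Added example for the thread above, not OSSEC project code."""
import re

# Constructed sample input: the agent log quoted in the thread, shortened.
SAMPLE_AGENT_LOG = """\
2006/09/28 10:20:42 ossec-agentd: Started (pid: 27260).
2006/09/28 10:20:42 ossec-agentd: Connecting to server (10.1.1.13:1514).
2006/09/28 10:20:45 ossec-syscheckd: Started (pid: 27268).
2006/09/28 10:20:57 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/28 10:21:13 ossec-agentd(4101): Waiting for server reply (not started).
2006/09/28 10:21:44 ossec-agentd(4101): Waiting for server reply (not started).
"""

# Constructed sample: INPUT rules in `iptables -S INPUT` style on a server
# that was opened for remote syslog (514) but not for the agent port.
SAMPLE_IPTABLES_INPUT = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

CONNECT_RE = re.compile(
    r"ossec-agentd(?:\(\d+\))?: Connecting to server \(([\d.]+):(\d+)\)"
)
WAITING_RE = re.compile(r"ossec-agentd(?:\(\d+\))?: Waiting for server reply")
ACCEPT_UDP_RE = re.compile(r"-A INPUT\b.*-p udp\b.*--dport (\d+)\b.*-j ACCEPT")


def diagnose_agent_log(log_text):
    """Return (server_ip, udp_port, waiting_count) from ossec-agentd lines.

    server_ip and udp_port come from the 'Connecting to server' line;
    waiting_count is how many times the agent logged that the ack never came.
    """
    server_ip, port = None, None
    waiting = 0
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            server_ip, port = m.group(1), int(m.group(2))
        elif WAITING_RE.search(line):
            waiting += 1
    return server_ip, port, waiting


def udp_ports_accepted(iptables_text):
    """Collect the UDP destination ports that INPUT ACCEPT rules open."""
    ports = set()
    for line in iptables_text.splitlines():
        m = ACCEPT_UDP_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def firewall_verdict(log_text, iptables_text):
    """Cross-check the port the agent really uses against the server rules."""
    server_ip, port, waiting = diagnose_agent_log(log_text)
    if port is None:
        return "no 'Connecting to server' line found in agent log"
    opened = udp_ports_accepted(iptables_text)
    if port in opened:
        return f"udp/{port} is accepted on the server; the firewall is not the problem"
    return (f"agent is sending to {server_ip} udp/{port} and waited {waiting} times, "
            f"but INPUT only accepts udp ports {sorted(opened)}; "
            f"needed: iptables -A INPUT -p udp --dport {port} -j ACCEPT")


if __name__ == "__main__":
    print(firewall_verdict(SAMPLE_AGENT_LOG, SAMPLE_IPTABLES_INPUT))
```

The verdict only covers the server's INPUT chain; the tcpdump and netcat checks Daniel describes remain the ground truth, since they also expose a filter on the agent side or on a device in between. The added rule is the one the thread's fix amounts to: accept udp/1514 on the server, which is the port the agent prints in its log regardless of what the remote syslog prompt asked about.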
