Thanks Daniel for getting back to me on this - I'll start populating this thread with dumps and logs that are applicable rather than the entire logs. Does it matter that I'm hosting this box with a VM session? Right now I have five agents connected and only this single one is giving me problems. Here's the tcpdump from the server side:
13:25:25.626127 IP (tos 0x0, ttl 126, id 10408, offset 0, flags [none], proto UDP (17), length 106) sparelaptop6.domain.com.1138 > domainutil.fujitsu-dtcns: UDP, length 78
13:25:26.621599 IP (tos 0x0, ttl 126, id 10409, offset 0, flags [none], proto UDP (17), length 130) sparelaptop6.domain.com.1138 > domainutil.fujitsu-dtcns: UDP, length 102
13:25:26.624528 IP (tos 0x0, ttl 126, id 10410, offset 0, flags [none], proto UDP (17), length 162) sparelaptop6.domain.com.1138 > domainutil.fujitsu-dtcns: UDP, length 134
13:25:26.627400 IP (tos 0x0, ttl 126, id 10411, offset 0, flags [none], proto UDP (17), length 178) sparelaptop6.domain.com.1138 > domainutil.fujitsu-dtcns: UDP, length 150
13:25:26.638710 IP (tos 0x0, ttl 126, id 10412, offset 0, flags [none], proto UDP (17), length 466) sparelaptop6.domain.com.1138 > domainutil.fujitsu-dtcns: UDP, length 438

Here's the last mention of the troubled host (laptop6) in the ossec.log - note there is nothing listed for today even though I restarted the agent several times:

2008/12/30 13:37:32 ossec-remoted(1409): INFO: Authentication file changed. Updating.
2008/12/30 13:37:33 ossec-remoted(1410): INFO: Reading authentication keys file.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent aswwin: '42:4194'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent awtestwin: '35:5254'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent Colleen: '2:8546'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent aswlin: '1:5359'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent laptop6: '0:4663'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning sender counter: 3:4496
2008/12/30 14:56:15 ossec-remoted(1409): INFO: Authentication file changed. Updating.
2008/12/30 14:56:16 ossec-remoted(1410): INFO: Reading authentication keys file.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent aswwin: '42:4194'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent awtestwin: '35:5254'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent Colleen: '2:8546'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent aswlin: '1:5391'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent laptop9: '0:3847'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning sender counter: 3:5036

Working to recreate the problem tonight.

Thanks
A

On Jan 2, 10:57 am, "Daniel Cid" <[email protected]> wrote:
> Hi,
>
> This is a strange issue for sure. Is there anything on the server's ossec.log? Do you see any reply (via tcpdump) from the server to the agent on the server's system?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Dec 31, 2008 at 9:33 AM, <[email protected]> wrote:
> >
> > A couple more tests performed yesterday -
> > 1. Reinstalled the agent, deleted then added a new agent on the server (used the same name which may be causing a problem - any thoughts on this?)
> > 2. Still see the udp outbound on the agent laptop and the inbound on the server but no connection
> > 3. Added yet another test laptop and it works correctly - will test the VPN connection tonight then bring the laptop back into the network to see if I can repeat the issue.
> >
> > On Dec 29, 3:28 pm, [email protected] wrote:
> >> I couldn't find anything on the subject so I'm posting - I apologize in advance if this has already been covered.
> >>
> >> Background Info
> >> 1. I have a SLES 10 server running the ossec server and the ossec-wui - all systems are running currently
> >> 2. I have successfully tested with Windows & Linux agents
> >> 3. I currently have it reporting via smtp to a notification email addr - works well
> >> 4. I have yet to configure the server for MySQL but it's in the plans
> >>
> >> Now to the problem:
> >> 1. I have several laptops that I'm currently testing for the agent - they are all Windows XP laptops
> >> 2. I saw the info about configuring for firewall/DHCP so I configured the laptops & the server for 10.0.0.0/8, exported the keys and imported them on the agents. Worked perfectly
> >> 3. Our VPN connections drop us into a 192.168.X.X range, posing a different issue - so, I deleted the agent from the server and rebuilt the agent using 0.0.0.0/0. I exported the key and the agent connected from our 10.X.X.X network just fine.
> >> 4. Last night, I logged in through vpn from that laptop and the agent connected just fine again. I monitored through the server and reviewed the logs on the agent - worked great!
> >> 5. Problem: Today I brought the laptop back into the 10.X.X.X network and it won't connect.
> >>
> >> Things I've tried:
> >> 1. I can ping the 10.X.X.X server from the laptop
> >> 2. I can ssh to the 10.X.X.X server from the laptop
> >> 3. I checked the logs on the agent, and it shows: WARN: Waiting for the server to reply
> >> 4. I did a packet capture on the agent and see the outbound udp attempt to port 1514
> >> 5. I did a tcpdump on the server and see the udp port 1514 traffic
> >> 6. I've re-exported the keys
> >> 7. I've restarted the service on the server and the agent about 25,000 times in different orders
> >> 8. I've killed some of my test agents elsewhere on the network to see if that was causing the issue - no change
> >> 9. Many other things but didn't want to create a massive dissertation here (too late)...thoughts?
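The two checks Daniel asks for in this thread (is the agent present in the server's ossec.log, and does a server-side tcpdump show any UDP/1514 datagrams going back to the agent) can be run over the captured text rather than read by eye. The script below is an added example written for this page; it is not code from the thread or from the OSSEC project. It assumes tcpdump was run without -n, so port 1514 appears under its /etc/services name fujitsu-dtcns, and that the server is named on the command line. The capture and log samples inside it are constructed for the example (the host names laptop-a, laptop-b and ossec-srv are made up; the log lines copy the format quoted above).

```python
"""Server-side OSSEC agent check: did ossec-remoted load the agent's key, and
does the server ever answer the agent on UDP/1514?

Added example, not from the thread or the OSSEC project. Sample data below is
constructed; host names are hypothetical.
"""
import re
from collections import defaultdict

OSSEC_PORT = 1514
# tcpdump without -n prints the /etc/services name for 1514/udp (assumption:
# that is the only symbolic port name that matters for this check).
SERVICE_NAMES = {"fujitsu-dtcns": OSSEC_PORT}

# The "src.sport > dst.dport: UDP, length N" part of a tcpdump line; the
# verbose "(tos 0x0, ttl ...)" prefix is simply skipped by re.search.
UDP_RE = re.compile(r"(\S+)\.(\S+) > (\S+)\.([^:\s]+): UDP, length (\d+)")


def _port(token):
    """Numeric port for a tcpdump port token (digits or a service name)."""
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token, -1)


def agent_reply_report(capture_lines, server):
    """Count, per agent host, datagrams sent to server:1514 and replies from it."""
    report = defaultdict(lambda: {"sent": 0, "replied": 0})
    for line in capture_lines:
        m = UDP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, _length = m.groups()
        if dst == server and _port(dport) == OSSEC_PORT:
            report[src]["sent"] += 1          # agent -> server
        elif src == server and _port(sport) == OSSEC_PORT:
            report[dst]["replied"] += 1       # server -> agent
    return dict(report)


def silent_agents(capture_lines, server):
    """Agents the server received from but never answered: the
    'WARN: Waiting for the server to reply' symptom seen from the server side."""
    rep = agent_reply_report(capture_lines, server)
    return sorted(h for h, c in rep.items() if c["sent"] and not c["replied"])


COUNTER_RE = re.compile(
    r"ossec-remoted: INFO: Assigning counter for agent (\S+): '([^']+)'"
)
RELOAD_MARK = "Reading authentication keys file."


def latest_key_load(log_lines):
    """Agent name -> counter from the most recent keys-file load in ossec.log.
    Each 'Reading authentication keys file.' line starts a fresh set, so an
    agent missing from the result was not in client.keys the last time
    ossec-remoted read it."""
    agents = {}
    for line in log_lines:
        if RELOAD_MARK in line:
            agents = {}
            continue
        m = COUNTER_RE.search(line)
        if m:
            agents[m.group(1)] = m.group(2)
    return agents


# Constructed sample capture: laptop-a sends twice and is never answered,
# laptop-b sends once and gets a reply.
SAMPLE_CAPTURE = """\
13:25:25.626127 IP (tos 0x0, ttl 126, id 10408, offset 0, flags [none], proto UDP (17), length 106) laptop-a.example.com.1138 > ossec-srv.fujitsu-dtcns: UDP, length 78
13:25:26.621599 IP (tos 0x0, ttl 126, id 10409, offset 0, flags [none], proto UDP (17), length 130) laptop-a.example.com.1138 > ossec-srv.fujitsu-dtcns: UDP, length 102
13:25:27.100000 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto UDP (17), length 90) laptop-b.example.com.1139 > ossec-srv.fujitsu-dtcns: UDP, length 62
13:25:27.100500 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto UDP (17), length 70) ossec-srv.fujitsu-dtcns > laptop-b.example.com.1139: UDP, length 42
""".splitlines()

# Constructed sample log in the ossec-remoted format: two key loads, the
# second no longer containing laptop6.
SAMPLE_LOG = """\
2008/12/30 13:37:33 ossec-remoted(1410): INFO: Reading authentication keys file.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent aswlin: '1:5359'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning counter for agent laptop6: '0:4663'.
2008/12/30 13:37:33 ossec-remoted: INFO: Assigning sender counter: 3:4496
2008/12/30 14:56:16 ossec-remoted(1410): INFO: Reading authentication keys file.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent aswlin: '1:5391'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning counter for agent laptop9: '0:3847'.
2008/12/30 14:56:16 ossec-remoted: INFO: Assigning sender counter: 3:5036
""".splitlines()

if __name__ == "__main__":
    print("unanswered agents:", silent_agents(SAMPLE_CAPTURE, "ossec-srv"))
    print("agents in last key load:", latest_key_load(SAMPLE_LOG))
```

On a real server, feed it the output of `tcpdump -v udp port 1514` and the tail of /var/ossec/logs/ossec.log; an agent that shows up in the first list and is absent from the second is being dropped before ossec-remoted has a key to answer it with.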
