Is ossec-remoted running? I think that is the process that listens for
connections (I don't have access to anything at the moment, so I can't check).
If not, try running it in debug mode.
dan
Sent from my Nokia phone
-----Original Message-----
From: Mundus
Sent: 12/04/2009 9:15:59 PM
Subject: [ossec-list] Re: Agents not reporting in
I manually added the following lines to the remote stanza:
<remote>
<connection>secure</connection>
<port>1514</port>
<local_ip>192.168.2.229</local_ip>
</remote>
I restarted the OSSEC services and still there is nothing listening on
UDP 1514 anywhere on the system. There are no errors in the
ossec.log. The OSSEC instance is configured to be a "server".
Can anyone help me with this?
Thx.
Craig
On Dec 3, 6:07 pm, "Craig Merchant" <[email protected]> wrote:
> I'm using the OSSEC component that is part of the OSSIM distribution. I
> see the following services running:
>
> ossec 3113 1 0 17:37 ? 00:00:02
> /var/ossec/bin/ossec-analysisd
>
> root 3125 1 0 17:37 ? 00:00:00
> /var/ossec/bin/ossec-logcollector
>
> root 3130 1 0 17:37 ? 00:00:14
> /var/ossec/bin/ossec-syscheckd
>
> ossec 3134 1 0 17:37 ? 00:00:00
> /var/ossec/bin/ossec-monitord
>
> None of the agents that I have configured are reporting in.
>
> When I do a netstat -an on the server, it doesn't show anything
> listening on 1514.
>
> This is the ossec.conf file:
>
> <ossec_config>
>
> <global>
>
> <email_notification>no</email_notification>
>
> </global>
>
> <syscheck>
>
> <!-- Frequency that syscheck is executed - default to every 6 hours
> -->
>
> <frequency>21600</frequency>
>
> <!-- Directories to check (perform all possible verifications) -->
>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>
> <directories check_all="yes">/bin,/sbin</directories>
>
> <!-- Files/directories to ignore -->
>
> <ignore>/etc/mtab</ignore>
>
> <ignore>/etc/mnttab</ignore>
>
> <ignore>/etc/hosts.deny</ignore>
>
> <ignore>/etc/mail/statistics</ignore>
>
> <ignore>/etc/random-seed</ignore>
>
> <ignore>/etc/adjtime</ignore>
>
> <ignore>/etc/httpd/logs</ignore>
>
> <ignore>/etc/utmpx</ignore>
>
> <ignore>/etc/wtmpx</ignore>
>
> <ignore>/etc/cups/certs</ignore>
>
> <ignore>/etc/dumpdates</ignore>
>
> <ignore>/etc/svc/volatile</ignore>
>
> <!-- Windows files to ignore -->
>
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>
> <ignore>C:\WINDOWS/Debug</ignore>
>
> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>
> <ignore>C:\WINDOWS/iis6.log</ignore>
>
> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>
> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>
> <ignore>C:\WINDOWS/Prefetch</ignore>
>
> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>
> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>
> <ignore>C:\WINDOWS/Temp</ignore>
>
> <ignore>C:\WINDOWS/system32/config</ignore>
>
> <ignore>C:\WINDOWS/system32/spool</ignore>
>
> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>
> </syscheck>
>
> <rootcheck>
>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>
> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>
> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>
> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>
>
> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>
> </rootcheck>
>
> <active-response>
>
> <disabled>yes</disabled>
>
> </active-response>
>
> <remote>
>
> <connection>secure</connection>
>
> </remote>
>
> <alerts>
>
> <log_alert_level>1</log_alert_level>
>
> </alerts>
>
> <!-- Files to monitor (localfiles) -->
>
> <localfile>
>
> <log_format>syslog</log_format>
>
> <location>/var/log/messages</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>syslog</log_format>
>
> <location>/var/log/auth.log</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>syslog</log_format>
>
> <location>/var/log/syslog</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>syslog</log_format>
>
> <location>/var/log/mail.info</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>syslog</log_format>
>
> <location>/var/log/dpkg.log</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>apache</log_format>
>
> <location>/var/log/apache2/error.log</location>
>
> </localfile>
>
> <localfile>
>
> <log_format>apache</log_format>
>
> <location>/var/log/apache2/access.log</location>
>
> </localfile>
>
> </ossec_config>
>
> <ossec_config> <!-- rules global entry -->
>
> </ossec_config> <!-- rules global entry -->
>
> <ossec_config> <!-- rules global entry -->
>
> </ossec_config> <!-- rules global entry -->
>
> <ossec_config> <!-- rules global entry -->
>
> <rules>
>
> <include>rules_config.xml</include>
>
> <include>pam_rules.xml</include>
>
> <include>sshd_rules.xml</include>
>
> <include>telnetd_rules.xml</include>
>
> <include>syslog_rules.xml</include>
>
> <include>arpwatch_rules.xml</include>
>
> <include>symantec-av_rules.xml</include>
>
> <include>symantec-ws_rules.xml</include>
>
> <include>pix_rules.xml</include>
>
> <include>named_rules.xml</include>
>
> <include>smbd_rules.xml</include>
>
> <include>vsftpd_rules.xml</include>
>
> <include>pure-ftpd_rules.xml</include>
>
> <include>proftpd_rules.xml</include>
>
> <include>ms_ftpd_rules.xml</include>
>
> <include>ftpd_rules.xml</include>
>
> <include>hordeimp_rules.xml</include>
>
> <include>vpopmail_rules.xml</include>
>
> <include>vmpop3d_rules.xml</include>
>
> <include>courier_rules.xml</include>
>
> <include>web_rules.xml</include>
>
> <include>apache_rules.xml</include>
>
> <include>mysql_rules.xml</include>
>
> <include>postgresql_rules.xml</include>
>
> <include>ids_rules.xml</include>
>
> <include>squid_rules.xml</include>
>
> <include>firewall_rules.xml</include>
>
> <include>cisco-ios_rules.xml</include>
>
> <include>netscreenfw_rules.xml</include>
>
> <include>sonicwall_rules.xml</include>
>
> <include>postfix_rules.xml</include>
>
> <include>sendmail_rules.xml</include>
>
> <include>imapd_rules.xml</include>
>
> <include>mailscanner_rules.xml</include>
>
> <include>ms-exchange_rules.xml</include>
>
> <include>racoon_rules.xml</include>
>
> <include>vpn_concentrator_rules.xml</include>
>
> <include>spamd_rules.xml</include>
>
> <include>msauth_rules.xml</include>
>
> <include>mcafee_av_rules.xml</include>
>
> <!-- <include>policy_rules.xml</include> -->
>
> <include>zeus_rules.xml</include>
>
> <include>solaris_bsm_rules.xml</include>
>
> <include>vmware_rules.xml</include>
>
> <include>ossec_rules.xml</include>
>
> <include>attack_rules.xml</include>
>
> <include>local_rules.xml</include>
>
> </rules>
>
> </ossec_config> <!-- rules global entry -->
>
> This is the ossec-init.conf file:
>
> DIRECTORY="/var/ossec"
>
> VERSION="v2.0"
>
> DATE="Mon Mar 2 12:57:41 GMT-1 2009"
>
> TYPE="server"
>
> Any idea what I'm doing wrong here?
>
> Thanks.
>
> Craig