I see entries in the OSSEC log that show the process starting, but
every time I do a ps -ef | grep remoted, nothing is running. I edited
the internal_options.conf file and set remoted.debug=2, but when I
restarted the services, I'm not seeing anything in ossec.log except
for the "2009/12/05 14:34:35 ossec-remoted: INFO: Started (pid:
7671)." messages. There isn't anything to indicate that there was a
crash or that the service stopped.
I saw one post that said sometimes the service will stop if it has
nothing to do, so I added some allowed network ranges as follows:
<remote>
<connection>secure</connection>
<port>1514</port>
<local_ip>192.168.2.229</local_ip>
<allowed-ips>192.168.0.0/16</allowed-ips>
<allowed-ips>10.0.0.0/8</allowed-ips>
</remote>
The service still won't run. We *really* need to get this working as
soon as humanly possible.
Thx.
Craig
On Dec 5, 7:40 am, "[email protected]" <[email protected]> wrote:
> Is ossec-remoted running? I think that is the process that listens for
> connections (I don't have access to anything at the moment so I can't check).
> If not try running it in debug mode.
> dan
>
> Sent from my Nokia phone
>
> -----Original Message-----
> From: Mundus
> Sent: 12/04/2009 9:15:59 PM
> Subject: [ossec-list] Re: Agents not reporting in
>
> I manually added the following lines to the remote stanza:
>
> <remote>
> <connection>secure</connection>
> <port>1514</port>
> <local_ip>192.168.2.229</local_ip>
> </remote>
>
> I restarted the OSSEC services and still there is nothing listening on
> UDP 1514 anywhere on the system. There are no errors in the
> ossec.log. The OSSEC instance is configured to be a "server".
>
> Can anyone help me with this?
>
> Thx.
>
> Craig
>
> On Dec 3, 6:07 pm, "Craig Merchant" <[email protected]> wrote:
> > I'm using the OSSEC component that is part of the OSSIM distribution. I
> > see the following services running:
>
> > ossec 3113 1 0 17:37 ? 00:00:02 /var/ossec/bin/ossec-analysisd
> >
> > root 3125 1 0 17:37 ? 00:00:00 /var/ossec/bin/ossec-logcollector
> >
> > root 3130 1 0 17:37 ? 00:00:14 /var/ossec/bin/ossec-syscheckd
> >
> > ossec 3134 1 0 17:37 ? 00:00:00 /var/ossec/bin/ossec-monitord
>
> > None of the agents that I have configured are reporting in.
>
> > When I do a netstat -an on the server, it doesn't show anything
> > listening on 1514.
>
> > This is the ossec.conf file:
>
> > <ossec_config>
>
> > <global>
>
> > <email_notification>no</email_notification>
>
> > </global>
>
> > <syscheck>
>
> > <!-- Frequency that syscheck is executed - default to every 6 hours -->
>
> > <frequency>21600</frequency>
>
> > <!-- Directories to check (perform all possible verifications) -->
>
> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>
> > <directories check_all="yes">/bin,/sbin</directories>
>
> > <!-- Files/directories to ignore -->
>
> > <ignore>/etc/mtab</ignore>
>
> > <ignore>/etc/mnttab</ignore>
>
> > <ignore>/etc/hosts.deny</ignore>
>
> > <ignore>/etc/mail/statistics</ignore>
>
> > <ignore>/etc/random-seed</ignore>
>
> > <ignore>/etc/adjtime</ignore>
>
> > <ignore>/etc/httpd/logs</ignore>
>
> > <ignore>/etc/utmpx</ignore>
>
> > <ignore>/etc/wtmpx</ignore>
>
> > <ignore>/etc/cups/certs</ignore>
>
> > <ignore>/etc/dumpdates</ignore>
>
> > <ignore>/etc/svc/volatile</ignore>
>
> > <!-- Windows files to ignore -->
>
> > <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>
> > <ignore>C:\WINDOWS/Debug</ignore>
>
> > <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>
> > <ignore>C:\WINDOWS/iis6.log</ignore>
>
> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>
> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>
> > <ignore>C:\WINDOWS/Prefetch</ignore>
>
> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>
> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>
> > <ignore>C:\WINDOWS/Temp</ignore>
>
> > <ignore>C:\WINDOWS/system32/config</ignore>
>
> > <ignore>C:\WINDOWS/system32/spool</ignore>
>
> > <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>
> > </syscheck>
>
> > <rootcheck>
>
> > <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>
> > <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >
> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
> >
> > <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
> >
> > <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
> >
> > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>
> > </rootcheck>
>
> > <active-response>
>
> > <disabled>yes</disabled>
>
> > </active-response>
>
> > <remote>
>
> > <connection>secure</connection>
>
> > </remote>
>
> > <alerts>
>
> > <log_alert_level>1</log_alert_level>
>
> > </alerts>
>
> > <!-- Files to monitor (localfiles) -->
>
> > <localfile>
>
> > <log_format>syslog</log_format>
>
> > <location>/var/log/messages</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>syslog</log_format>
>
> > <location>/var/log/auth.log</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>syslog</log_format>
>
> > <location>/var/log/syslog</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>syslog</log_format>
>
> > <location>/var/log/mail.info</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>syslog</log_format>
>
> > <location>/var/log/dpkg.log</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>apache</log_format>
>
> > <location>/var/log/apache2/error.log</location>
>
> > </localfile>
>
> > <localfile>
>
> > <log_format>apache</log_format>
>
> > <location>/var/log/apache2/access.log</location>
>
> > </localfile>
>
> > </ossec_config>
>
> > <ossec_config> <!-- rules global entry -->
>
> > </ossec_config> <!-- rules global entry -->
>
> > <ossec_config> <!-- rules global entry -->
>
> > </ossec_config> <!-- rules global entry -->
>
> > <ossec_config> <!-- rules global entry -->
>
> > <rules>
>
> > <include>rules_config.xml</include>
>
> > <include>pam_rules.xml</include>
>
> > <include>sshd_rules.xml</include>
>
> > <include>telnetd_rules.xml</include>
>
> > <include>syslog_rules.xml</include>
>
> > <include>arpwatch_rules.xml</include>
>
> > <include>symantec-av_rules.xml</include>
>
> > <include>symantec-ws_rules.xml</include>
>
> > <include>pix_rules.xml</include>
>
> > <include>named_rules.xml</include>
>
> > <include>smbd_rules.xml</include>
>
> > <include>vsftpd_rules.xml</include>
>
> > <include>pure-ftpd_rules.xml</include>
>
> > <include>proftpd_rules.xml</include>
>
> > <include>ms_ftpd_rules.xml</include>
>
> > <include>ftpd_rules.xml</include>
>
> > <include>hordeimp_rules.xml</include>
>
> > <include>vpopmail_rules.xml</include>
>
> > <include>vmpop3d_rules.xml</include>
>
> > <include>courier_rules.xml</include>
>
> > <include>web_rules.xml</include>
>
> > <include>apache_rules.xml</include>
>
> > <include>mysql_rules.xml</include>
>
> > <include>postgresql_rules.xml</include>
>
> > <include>ids_rules.xml</include>
>
> > <include>squid_rules.xml</include>
>
> > <include>firewall_rules.xml</include>
>
> > <include>cisco-ios_rules.xml</include>
>
> > <include>netscreenfw_rules.xml</include>
>
> > <include>sonicwall_rules.xml</include>
>
> > <include>postfix_rules.xml</include>
>
> > <include>sendmail_rules.xml</include>
>
> > <include>imapd_rules.xml</include>
>
> > <include>mailscanner_rules.xml</include>
>
> > <include>ms-exchange_rules.xml</include>
>
> > <include>racoon_rules.xml</include>
>
> > <include>vpn_concentrator_rules.xml</include>
>
> > <include>spamd_rules.xml</include>
>
> > <include>msauth_rules.xml</include>
>
> > <include>mcafee_av_rules.xml</include>
>
> > <!-- <include>policy_rules.xml</include> -->
>
> > <include>zeus_rules.xml</include>
>
> > <include>solaris_bsm_rules.xml</include>
>
> > <include>vmware_rules.xml</include>
>
> > <include>ossec_rules.xml</include>
>
> > <include>attack_rules.xml</include>
>
> > <include>local_rules.xml</include>
>
> > </rules>
>
> > </ossec_config> <!-- rules global entry -->
>
> > This is the ossec-init.conf file:
>
> > DIRECTORY="/var/ossec"
>
> > VERSION="v2.0"
>
> > DATE="Mon Mar 2 12:57:41 GMT-1 2009"
>
> > TYPE="server"
>
> > Any idea what I'm doing wrong here?
>
> > Thanks.
>
> > Craig
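Two checks this thread keeps returning to are whether the <remote> stanza in ossec.conf is sane and whether anything is actually bound to UDP 1514. The script below is an added example written for this thread; it is not OSSEC project code and was not posted by anyone in the thread. It reads an ossec.conf that contains several <ossec_config> root elements (as the quoted file does, which a strict XML parser would reject), derives the socket each <remote> stanza should make ossec-remoted open, and compares that with netstat -an output. The defaults it applies (secure listens on UDP 1514, syslog on UDP 514, a syslog listener needs at least one <allowed-ips>) are taken from the OSSEC manual and stated here as assumptions; the function names, the sample config and the netstat lines are constructed for the example.

```python
"""Audit OSSEC <remote> stanzas and compare them with netstat output.

Added example for this thread, not OSSEC project code. Assumptions:
  * ossec.conf may hold several <ossec_config> roots, so the text is
    wrapped in a synthetic root before XML parsing;
  * OSSEC manual defaults: secure -> UDP 1514, syslog -> UDP 514, and a
    syslog listener needs at least one <allowed-ips>;
  * netstat lines follow the Linux "udp  0  0 addr:port ..." layout.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

DEFAULT_PORT = {"secure": 1514, "syslog": 514}
NETSTAT_UDP = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def remote_stanzas(conf_text):
    """Return every <remote> element from every <ossec_config> root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return root.findall("./ossec_config/remote")


def describe_remote(remote):
    """Derive the socket one <remote> stanza asks remoted to open.

    Returns (listener dict or None, list of findings)."""
    findings = []
    conn = (remote.findtext("connection") or "").strip()
    if conn not in DEFAULT_PORT:
        findings.append(f"<connection> must be 'secure' or 'syslog', got '{conn}'")
        return None, findings
    port_text = (remote.findtext("port") or "").strip()
    if port_text and not port_text.isdigit():
        findings.append(f"<port> '{port_text}' is not a number; default assumed")
    port = int(port_text) if port_text.isdigit() else DEFAULT_PORT[conn]
    if not 1 <= port <= 65535:
        findings.append(f"<port> {port} is out of range")
    local_ip = (remote.findtext("local_ip") or "0.0.0.0").strip()
    try:
        ipaddress.ip_address(local_ip)
    except ValueError:
        findings.append(f"<local_ip> '{local_ip}' is not an IP address")
    allowed = []
    for el in remote.findall("allowed-ips"):
        raw = (el.text or "").strip()
        try:  # accept a single address or a CIDR block
            allowed.append(str(ipaddress.ip_network(raw, strict=False)))
        except ValueError:
            findings.append(f"<allowed-ips> '{raw}' is not an address or CIDR block")
    if conn == "syslog" and not allowed:
        findings.append("syslog listener has no <allowed-ips>, so no sender is permitted")
    return {"connection": conn, "local_ip": local_ip, "port": port, "allowed": allowed}, findings


def audit_conf(conf_text):
    """Return (expected listeners, findings) for a whole ossec.conf."""
    expected, findings = [], []
    stanzas = remote_stanzas(conf_text)
    if not stanzas:
        findings.append("no <remote> stanza: remoted has nothing to listen on")
    for stanza in stanzas:
        listener, notes = describe_remote(stanza)
        findings.extend(notes)
        if listener:
            expected.append(listener)
    return expected, findings


def udp_listeners(netstat_text):
    """Parse netstat -anu style output into a set of (address, port)."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_UDP.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def missing_listeners(expected, bound):
    """Expected sockets bound neither on the configured IP nor on the wildcard."""
    return [e for e in expected
            if (e["local_ip"], e["port"]) not in bound
            and ("0.0.0.0", e["port"]) not in bound]


# Constructed sample modelled on the quoted config: two <ossec_config>
# roots with a comment between them, and the <remote> stanza from the thread.
SAMPLE_CONF = """
<ossec_config>
  <global><email_notification>no</email_notification></global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <local_ip>192.168.2.229</local_ip>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>  <!-- rules global entry -->
<ossec_config>
  <rules><include>local_rules.xml</include></rules>
</ossec_config>
"""

# Constructed netstat -anu output in which nothing is bound to 1514.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp6       0      0 :::123                  :::*
"""

if __name__ == "__main__":
    expected, findings = audit_conf(SAMPLE_CONF)
    for f in findings:
        print("config:", f)
    for e in missing_listeners(expected, udp_listeners(SAMPLE_NETSTAT)):
        print(f"remoted should be bound to udp {e['local_ip']}:{e['port']} but is not")
```

On a real server you would feed audit_conf() the contents of /var/ossec/etc/ossec.conf and udp_listeners() the output of netstat -anu; a <remote> stanza that passes the audit but still shows up in missing_listeners() points at remoted itself (not starting, or exiting right after "Started") rather than at the configuration.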