On Fri, Dec 3, 2010 at 10:52 AM,  <cheesy4po...@cox.net> wrote:
>> Watch the manager's logs while restarting the agent's process. It might
>> provide a clue.
>>
>> Also make sure the manager's processes were restarted after the client was
>> added, and make sure the client was configured on the manager with a unique
>> IP address.
>
> Okay, I restarted the manager and then the agents.  Still can't communicate
> and I don't see anything in the server logs about it:
>
> 2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Going into check_rc_dev
> 2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Starting on check_rc_dev
> 2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Going into check_rc_sys
> 2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Starting on check_rc_sys
> 2010/12/03 09:30:26 ossec-rootcheck: DEBUG: Going into check_rc_pids
> 2010/12/03 09:49:29 ossec-rootcheck: DEBUG: Going into check_rc_ports
> 2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Going into check_open_ports
> 2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Going into check_rc_if
> 2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Completed with all checks.
> 2010/12/03 09:50:07 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2010/12/03 09:50:07 ossec-rootcheck: DEBUG: Leaving run_rk_check
>
>
> The client packets are definitely getting through, as the command "tcpdump -ni
> eth2 port 1514" shows activity after restarting the agent.  I have also
> turned off the Windows firewall, which didn't help.
>

Is the traffic going in both directions?
Do the agents have multiple IP addresses? Are they using the correct
IP address?
Does the manager have multiple IP addresses? Is it using the correct one?
Is the <remote> section in the ossec.conf on the manager configured
to use the secure method?


> The agents are configured as so:
>
> ****************************************
> * OSSEC HIDS v2.5.1 Agent manager.     *
> * The following options are available: *
> ****************************************
>   (A)dd an agent (A).
>   (E)xtract key for an agent (E).
>   (L)ist already added agents (L).
>   (R)emove an agent (R).
>   (Q)uit.
> Choose your action: A,E,L,R or Q: l
>
> Available agents:
>   ID: 001, Name: wombat.xyz.local, IP: 10.21.4.112
>   ID: 002, Name: skywarp.xyz.local, IP: 10.21.4.114
>
>
> Thanks,
> Scott
>

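Added example, not part of the original thread: a small Python check for the first questions in the reply, run over the text output of "tcpdump -ni eth2 port 1514". It reports, for each agent IP registered in the listing above, whether traffic on port 1514 is seen in both directions, and flags senders whose source address is not a registered one. The manager address 10.21.4.10 and the capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Agent IPs as registered on the manager (from the manage_agents listing above).
REGISTERED = {"10.21.4.112": "wombat.xyz.local", "10.21.4.114": "skywarp.xyz.local"}
MANAGER_IP = "10.21.4.10"  # assumption: the manager's address is not given in the thread
PORT = "1514"

# Constructed sample of `tcpdump -ni eth2 port 1514` output, not a real capture.
SAMPLE = """\
09:52:01.100001 IP 10.21.4.112.51234 > 10.21.4.10.1514: UDP, length 73
09:52:01.100950 IP 10.21.4.10.1514 > 10.21.4.112.51234: UDP, length 73
09:52:03.200001 IP 10.21.4.115.49811 > 10.21.4.10.1514: UDP, length 73
09:52:09.200001 IP 10.21.4.115.49811 > 10.21.4.10.1514: UDP, length 73
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: UDP" as printed by tcpdump -n.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def classify(capture, manager_ip=MANAGER_IP, registered=REGISTERED):
    """Return {peer_ip: status} for every registered or observed peer."""
    seen = defaultdict(lambda: {"to_manager": 0, "from_manager": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dst == manager_ip and dport == PORT:
            seen[src]["to_manager"] += 1      # agent -> manager
        elif src == manager_ip and sport == PORT:
            seen[dst]["from_manager"] += 1    # manager -> agent
    report = {}
    for ip in set(seen) | set(registered):
        counts = seen[ip]
        if ip not in registered:
            report[ip] = "unregistered source IP"
        elif counts["to_manager"] and counts["from_manager"]:
            report[ip] = "bidirectional"
        elif counts["to_manager"]:
            report[ip] = "no reply from manager"
        else:
            report[ip] = "no traffic seen"
    return report

if __name__ == "__main__":
    for ip, status in sorted(classify(SAMPLE).items()):
        print(ip, REGISTERED.get(ip, "?"), status)
```

In the constructed capture, 10.21.4.115 stands for a host sending from a second address that was never registered, which is the situation the questions about multiple IP addresses are probing for.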