On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) <ddp...@gmail.com> wrote:

> On Mon, Jan 10, 2011 at 4:57 PM, Billy McCarthy <bi...@tripitinc.com>
> wrote:
> >
> >
> > On Mon, Jan 10, 2011 at 11:45 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> Hi Billy,
> >>
> >> On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy <bi...@tripitinc.com>
> >> wrote:
> >> > I've got Ossec up and running, using the RPMs provided by Atomicorp, but
> >> > cannot get agents to talk to the main server.  When I run `manage_agents` on
> >> > my main server it gives me the short menu, like you see on clients.  I was
> >> > able to create the client key on that server anyway and import it onto the
> >> > client.  If I run 'manage_agents -e 001' on the main server, though it says
> >> > "2011/01/10 17:51:03 manage_agents: You can't export keys on an agent"
> >> >
> >>
> >> It appears you've got the client/agent RPMs installed on the manager.
> >> There appears to be an ossec-hids-server RPM available.
> >
> > I did have the ossec-hids-server package installed, though I've since
> > removed the packages on that machine and just installed via the tarball.
> > Still not able to get the client to connect.  I've tried setting up new
> > keys, and have turned on all of the debugging I can find, with no luck.  I
> > can see traffic with tcpdump and have verified that iptables isn't blocking
> > anything.
> >
>
> Is ossec-remoted running on the manager?
> After adding the agent through the manage_agents application, did you
> restart the OSSEC processes on the manager?
> Are there any error messages on the manager that might be useful in
> troubleshooting this?
>

Remoted is definitely running on the manager and I've restarted all of the
ossec processes on that machine a few times.  No error messages on the
manager.  I even tried killing remoted and starting up with '-f -d' options
and didn't see anything at all, despite being able to see traffic on that
machine arriving at port 1514.

I've removed the packages from the client machine and have reinstalled via
the tarball.  I have also tried running remoted on 514, instead of 1514.
Still not able to get the client to connect.


> >>
> >> > I've tried re-running the configure script, but can't seem to convince the
> >> > main server that it's the manager.  Have I missed something?  I've verified
> >> > that traffic is passing between the 2 machines via tcpdump.  The client's
> >> > ossec.log has lots of:
> >> > 2011/01/09 09:59:42 ossec-agentd: INFO: Trying to connect to server (10.24.161.142:1514).
> >> > 2011/01/09 10:00:03 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.24.161.142'.
> >> > Which I figure is related to the main server not considering itself the
> >> > manager.
> >> >
> >> > thanks for the help.
> >> >
> >> > --
> >> > Billy McCarthy
> >> > Site Operations Engineer
> >> > http://www.tripit.com
> >> >
> >> >
> >
> >
> >
> > --
> > Billy McCarthy
> > Site Operations Engineer
> > http://www.tripit.com
> >
> >
>



-- 
Billy McCarthy
Site Operations Engineer
http://www.tripit.com
