On Mon, Jan 10, 2011 at 3:02 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy <bi...@tripitinc.com>
> wrote:
> >
> >
> > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> Is ossec-remoted running on the manager?
> >> After adding the agent through the manage_agents application, did you
> >> restart the OSSEC processes on the manager?
> >> Are there any error messages on the manager that might be useful in
> >> troubleshooting this?
> >
> > Remoted is definitely running on the manager and i've restarted all of
> the
> > ossec process on that machine a few times. No error messages on the
> > manager. I even tried killing remoted and starting up with '-f -d'
> options
> > and didn't see anything at all, despite being able to see traffic on that
> > machine arriving at port 1514.
> >
> > I've removed the packages from the client machine and have reinstalled
> via
> > the tarball. I have also tried running remoted on 514, instead of 1514.
> > Still not able to get the client to connect.
> >
>
> How do you know the agent hasn't connected? Just the error messages on
> the agent side?
>
Yes, I keep seeing the following messages in the client's ossec.log
2011/01/10 22:52:13 ossec-agentd: INFO: Trying to connect to server (
10.24.161.142:1514).
2011/01/10 22:52:34 ossec-agentd(4101): WARN: Waiting for server reply (not
started). Tried: '10.24.161.142'.
> Are there multiple IP addresses on the manager? Is ossec-remoted
> binding to the correct one?
>
Is there udp traffic going from the manager:1514 to the agent?
> Can you post the <remote> section of the manager's ossec.conf?
> Obfuscate any IP addresses you don't want to be public. :)
>
I don't see any kind of traffic from the manager to the agent machine. I
just added the 'allowed-ips' and 'local_ip' lines to ossec.conf in hopes of
convincing it to work, with no success.
<remote>
<connection>secure</connection>
<allowed-ips>10.24.161.137</allowed-ips>
<local_ip>10.24.161.142</local_ip>
</remote>
--
Billy McCarthy
Site Operations Engineer
http://www.tripit.com
