On Mon, Jan 10, 2011 at 6:15 PM, Billy McCarthy <bi...@tripitinc.com> wrote:
>
> On Mon, Jan 10, 2011 at 3:02 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy <bi...@tripitinc.com> wrote:
>> >
>> > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >>
>> >> Is ossec-remoted running on the manager?
>> >> After adding the agent through the manage_agents application, did you
>> >> restart the OSSEC processes on the manager?
>> >> Are there any error messages on the manager that might be useful in
>> >> troubleshooting this?
>> >
>> > Remoted is definitely running on the manager and I've restarted all of
>> > the ossec processes on that machine a few times. No error messages on the
>> > manager. I even tried killing remoted and starting up with '-f -d'
>> > options and didn't see anything at all, despite being able to see traffic
>> > on that machine arriving at port 1514.
>> >
>> > I've removed the packages from the client machine and have reinstalled
>> > via the tarball. I have also tried running remoted on 514, instead of
>> > 1514. Still not able to get the client to connect.
>> >
>>
>> How do you know the agent hasn't connected? Just the error messages on
>> the agent side?
>
> Yes, I keep seeing the following messages in the client's ossec.log
> 2011/01/10 22:52:13 ossec-agentd: INFO: Trying to connect to server (10.24.161.142:1514).
> 2011/01/10 22:52:34 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.24.161.142'.
>
>>
>> Are there multiple IP addresses on the manager? Is ossec-remoted
>> binding to the correct one?
>>
>> Is there udp traffic going from the manager:1514 to the agent?
>> Can you post the <remote> section of the manager's ossec.conf?
>> Obfuscate any IP addresses you don't want to be public. :)
>
> I don't see any kind of traffic from the manager to the agent machine. I
> just added the 'allowed-ips' and 'local_ip' lines to ossec.conf in hopes of
> convincing it to work, with no success.
>
>   <remote>
>     <connection>secure</connection>
>     <allowed-ips>10.24.161.137</allowed-ips>
>     <local_ip>10.24.161.142</local_ip>
>   </remote>
>
<allowed-ips> is only necessary for syslog connection types.

It's very odd that there are no logs in the manager's ossec.log that relate to this agent. Is iptables turned off, or did you add a hole for UDP 1514 into the ruleset?

The only thing I can think of right now is deleting the agent and re-adding it via manage_agents on the manager (make sure you re-export the key and re-import it into the agent).

>
> --
> Billy McCarthy
> Site Operations Engineer
> http://www.tripit.com
>
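
Two of the checks raised in this thread (is ossec-remoted bound to the address and port the agent is dialing, and is allowed-ips relevant on a secure block), written as an added Python example that is not part of the original messages or of OSSEC itself. The function names and the 10.24.161.150 address are made up for illustration; the log lines and the <remote> block are the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET

SECURE_PORT = 1514  # OSSEC default for secure connections when <port> is absent
TARGET_RE = re.compile(r"Trying to connect to server\s+\((\d+(?:\.\d+){3}):(\d+)\)")

# From the thread: the agent's ossec.log lines and the manager's <remote> block.
AGENT_LOG = """\
2011/01/10 22:52:13 ossec-agentd: INFO: Trying to connect to server (10.24.161.142:1514).
2011/01/10 22:52:34 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.24.161.142'.
"""
THREAD_CONF = """\
<remote>
  <connection>secure</connection>
  <allowed-ips>10.24.161.137</allowed-ips>
  <local_ip>10.24.161.142</local_ip>
</remote>
"""
# Constructed variant: remoted bound to a different, made-up address.
WRONG_BIND_CONF = THREAD_CONF.replace("10.24.161.142", "10.24.161.150")


def agent_target(agent_log):
    """Return (ip, port) of the agent's last connection attempt, or None."""
    hits = TARGET_RE.findall(agent_log)
    return (hits[-1][0], int(hits[-1][1])) if hits else None


def check_remote(conf, agent_log):
    """List mismatches between the manager's <remote> blocks and the agent's target."""
    target = agent_target(agent_log)
    if target is None:
        return ["no connection attempt found in agent log"]
    findings, secure = [], []
    # ossec.conf can hold several top-level elements, so wrap it in one root.
    for remote in ET.fromstring("<root>" + conf + "</root>").iter("remote"):
        ctype = (remote.findtext("connection") or "").strip()
        if ctype != "secure":
            continue  # agents only talk to secure listeners
        port = int(remote.findtext("port") or SECURE_PORT)
        bind = (remote.findtext("local_ip") or "").strip() or None
        if remote.find("allowed-ips") is not None:
            # Per the reply in the thread, allowed-ips only applies to syslog.
            findings.append("allowed-ips is only needed for syslog connections")
        secure.append((bind, port))
    if not any(p == target[1] and b in (None, target[0]) for b, p in secure):
        findings.append("agent dials %s:%d but no secure listener matches" % target)
    return findings
```

Calling check_remote(THREAD_CONF, AGENT_LOG) returns only the allowed-ips note: the bind address and port already match what the agent dials, which leaves the firewall rule for UDP 1514 and the agent key as the remaining things to check.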