I’m pulling my hair out here. I have a new install of ossec server and it is working great. I’ve incorporated the webui and Splunk and that is all working great. However, I cannot get any agents connecting. I have tried just about every solution I could find and I am still getting nowhere.
Here are the relevant log portions from the agents:

ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.1'.

On the server, here are the relevant log portions for ossec-remoted:

ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8606).
ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8608).
ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.0.0/24'
ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.1.2'
ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8607).
ossec.log:2012/01/18 15:40:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
ossec.log:2012/01/18 15:40:19 ossec-remoted(1410): INFO: Reading authentication keys file.
ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous counter available for 'agent001'.
ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning counter for agent agent001: '0:0'.
ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous sender counter.
ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning sender counter: 0:0
ossec.log:2012/01/18 15:56:49 ossec-remoted(1213): WARN: Message from 127.0.0.1 not allowed.

Tcpdump data shows traffic from agents to server, but no server response:

# tcpdump -ni eth0 port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:15:15.627737 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
08:15:21.628234 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
08:15:25.628378 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
08:15:30.628481 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
08:15:36.628707 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73

Netstat output shows remoted bound to 1514:

8608/ossec-remoted udp 0 0 *:syslog *:*
8607/ossec-remoted udp 0 0 *:39324 *:*

Iptables is open on port 1514 in and all out ports are open.
I also turned iptables off altogether and still no traffic from the ossec server to the agents:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT tcp -- anywhere anywhere tcp dpt:8089
…
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Here are the lines in the conf for the agent IPs:

<global>
  <white_list>127.0.0.1</white_list>
  <white_list>^localhost.localdomain$</white_list>
  <white_list>x.x.x.8</white_list>
  <white_list>x.x.x.10</white_list>
  <white_list>x.x.x.10</white_list>
  <white_list>x.x.1.2</white_list>
</global>
<remote>
  <connection>syslog</connection>
  <allowed-ips>x.x.0.0/24</allowed-ips>
  <allowed-ips>x.x.1.2</allowed-ips>
</remote>
<remote>
  <connection>secure</connection>
</remote>

I am not behind any NAT and I am not using any firewalls on the agents, though I see no traffic even being sent from the server to the agents, so I am relatively sure that isn’t a problem anyway. Any help would be much appreciated!

James
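As an added example (not from the post above and not OSSEC's own code), here is a small Python check for exactly the three pieces of evidence a post like this one presents: it reads the `<remote>` blocks of an ossec.conf, matches every `ossec-remoted(1213): WARN: Message from ... not allowed` line in ossec.log against the syslog `<allowed-ips>` entries, and reports from `netstat -lnup` output which UDP ports ossec-remoted actually holds, in particular whether anything is bound to 1514, the port the agents' packets are addressed to in the tcpdump capture. The sample config, log lines and netstat output are constructed with documentation-range addresses rather than the masked addresses in the post; the parser assumes `<allowed-ips>` values in plain IP or CIDR form, as in the post, and that `netstat` was run with `-n` so ports are numeric.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <remote> blocks of an ossec.conf, using
# documentation-range placeholder addresses (not the post's addresses).
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.0/24</allowed-ips>
    <allowed-ips>198.51.100.2</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Constructed sample ossec.log lines in ossec-remoted's warning format.
SAMPLE_LOG = """\
2012/01/18 15:56:49 ossec-remoted(1213): WARN: Message from 127.0.0.1 not allowed.
2012/01/18 15:57:10 ossec-remoted(1213): WARN: Message from 203.0.113.9 not allowed.
2012/01/18 15:57:31 ossec-remoted(1213): WARN: Message from 192.0.2.7 not allowed.
"""

# Constructed sample `netstat -lnup` output (PID/program column last).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         PID/Program name
udp        0      0 0.0.0.0:514             0.0.0.0:*               8608/ossec-remoted
udp        0      0 0.0.0.0:39324           0.0.0.0:*               8607/ossec-remoted
"""

LOG_RE = re.compile(r"ossec-remoted\(1213\): WARN: Message from (\S+) not allowed")
NETSTAT_RE = re.compile(
    r"^udp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(\d+)/ossec-remoted", re.M)


def parse_remote_blocks(conf_text):
    """Return {connection_type: [ip_network, ...]} for every <remote> block.
    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = {}
    for remote in root.iter("remote"):
        conn = (remote.findtext("connection") or "").strip()
        nets = []
        for node in remote.findall("allowed-ips"):
            # strict=False tolerates host bits set in a CIDR such as 192.0.2.5/24
            nets.append(ipaddress.ip_network(node.text.strip(), strict=False))
        blocks[conn] = nets
    return blocks


def rejected_sources(log_text):
    """Source addresses that ossec-remoted refused (message id 1213), in log order."""
    return LOG_RE.findall(log_text)


def remoted_udp_ports(netstat_text):
    """UDP ports held by ossec-remoted processes, from `netstat -lnup` output."""
    return {int(port) for port, _pid in NETSTAT_RE.findall(netstat_text)}


def diagnose(conf_text, log_text, netstat_text):
    """For each rejected source, say whether a syslog allowed-ips entry covers it,
    and report whether the agent listener (UDP 1514) is bound at all."""
    blocks = parse_remote_blocks(conf_text)
    syslog_nets = blocks.get("syslog", [])
    verdicts = {}
    for src in rejected_sources(log_text):
        addr = ipaddress.ip_address(src)
        verdicts[src] = any(addr in net for net in syslog_nets)
    ports = remoted_udp_ports(netstat_text)
    return {
        "rejected": verdicts,  # ip -> True if some syslog allowed-ips entry covers it
        "secure_listener_bound": 1514 in ports,
        "remoted_ports": sorted(ports),
        "has_secure_block": "secure" in blocks,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_CONF, SAMPLE_LOG, SAMPLE_NETSTAT)
    for ip, covered in report["rejected"].items():
        state = "covered by allowed-ips yet rejected" if covered else "not in any allowed-ips entry"
        print(f"{ip}: {state}")
    print("ossec-remoted UDP ports:", report["remoted_ports"])
    print("agent listener bound on 1514:", report["secure_listener_bound"])
```

Run it against the real files (`/var/ossec/etc/ossec.conf`, `/var/ossec/logs/ossec.log`, and the output of `netstat -lnup`) by passing their contents to `diagnose()`. A rejected source that no entry covers points at the `<allowed-ips>` list; a 1514 that is absent from the port set means the secure listener never came up, which is consistent with agents retrying without any reply, so the next place to look is the `secure` remoted's own startup errors rather than the firewall.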