Yes, each agent has 1 unique IP and both are listed correctly in manage_agents.
The agent log output was from agent 002. However, the same logs appear in agent 001. The tcpdump was from the manager. I don't believe I need syslog and secure. I just went with the defaults and then have been trying suggestions found in the list and online. I had not tried debug. Here is the output:

2012/01/19 13:06:56 2 : rule:502, level 3, timeout: 0
2012/01/19 13:06:56 2 : rule:503, level 3, timeout: 0
2012/01/19 13:06:56 2 : rule:504, level 3, timeout: 0
2012/01/19 13:06:56 2 : rule:591, level 3, timeout: 0
2012/01/19 13:06:56 1 : rule:509, level 0, timeout: 0
2012/01/19 13:06:56 2 : rule:510, level 7, timeout: 0
2012/01/19 13:06:56 3 : rule:511, level 0, timeout: 0
2012/01/19 13:06:56 3 : rule:515, level 0, timeout: 0
2012/01/19 13:06:56 3 : rule:513, level 9, timeout: 0
2012/01/19 13:06:56 3 : rule:512, level 3, timeout: 0
2012/01/19 13:06:56 3 : rule:516, level 3, timeout: 0
2012/01/19 13:06:56 3 : rule:514, level 2, timeout: 0
2012/01/19 13:06:56 4 : rule:518, level 9, timeout: 0
2012/01/19 13:06:56 1 : rule:554, level 0, timeout: 0
2012/01/19 13:06:56 1 : rule:580, level 8, timeout: 0
2012/01/19 13:06:56 1 : rule:581, level 8, timeout: 0
2012/01/19 13:06:56 1 : rule:550, level 7, timeout: 0
2012/01/19 13:06:56 1 : rule:551, level 7, timeout: 0
2012/01/19 13:06:56 1 : rule:552, level 7, timeout: 0
2012/01/19 13:06:56 1 : rule:553, level 7, timeout: 0
2012/01/19 13:06:56 ossec-analysisd: INFO: Total rules enabled: '1250'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2012/01/19 13:06:56 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2012/01/19 13:06:56 ossec-analysisd: INFO: Chrooted to directory: /home/var/ossec, using user: ossec
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing IP: 'x.x.x.x'
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing IP: 'x.x.x.x'
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing IP: 'x.x.0.2'
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing IP: 'x.x.1.2'
2012/01/19 13:06:56 ossec-analysisd: INFO: 5 IPs in the white list for active response.
2012/01/19 13:06:56 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2012/01/19 13:06:56 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2012/01/19 13:06:56 ossec-analysisd: INFO: Started (pid: 26001).
2012/01/19 13:06:56 ossec-analysisd: SyscheckInit completed.
2012/01/19 13:06:56 ossec-analysisd: RootcheckInit completed.
2012/01/19 13:06:56 ossec-analysisd: OS_CreateEventList completed.
2012/01/19 13:06:56 ossec-analysisd: DEBUG: FTSInit completed.
2012/01/19 13:06:56 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:06:56 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:06:56 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2012/01/19 13:06:56 ossec-remoted(1410): INFO: Reading authentication keys file.
2012/01/19 13:06:56 ossec-remoted: DEBUG: OS_StartCounter.
2012/01/19 13:06:56 ossec-remoted: OS_StartCounter: keysize: 2
2012/01/19 13:06:56 ossec-remoted: INFO: No previous counter available for 'park-1H8FNJH'.
2012/01/19 13:06:56 ossec-remoted: INFO: Assigning counter for agent agent001: '0:0'.
2012/01/19 13:06:56 ossec-remoted: INFO: No previous counter available for 'agent002'.
2012/01/19 13:06:56 ossec-remoted: INFO: Assigning counter for agent GQ125Q1: '0:0'.
2012/01/19 13:06:56 ossec-remoted: INFO: No previous sender counter.
2012/01/19 13:06:56 ossec-remoted: INFO: Assigning sender counter: 0:0
2012/01/19 13:06:56 ossec-remoted: DEBUG: OS_StartCounter completed.
2012/01/19 13:06:57 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:06:57 ossec-monitord: DEBUG: Starting ...
2012/01/19 13:06:57 ossec-monitord: INFO: Chrooted to directory: /home/var/ossec, using user: ossec
2012/01/19 13:06:57 ossec-monitord: INFO: Started (pid: 26022).
2012/01/19 13:06:59 ossec-analysisd: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:06:59 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2012/01/19 13:06:59 ossec-analysisd: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:06:59 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2012/01/19 13:06:59 ossec-analysisd: DEBUG: Active response Init completed.
2012/01/19 13:06:59 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages..
2012/01/19 13:07:01 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:07:01 ossec-syscheckd: INFO: Started (pid: 26018).
2012/01/19 13:07:01 ossec-rootcheck: INFO: Started (pid: 26018).
2012/01/19 13:07:01 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2012/01/19 13:07:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2012/01/19 13:07:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2012/01/19 13:07:01 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2012/01/19 13:07:01 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2012/01/19 13:07:01 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:07:01 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2012/01/19 13:07:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2012/01/19 13:07:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2012/01/19 13:07:01 ossec-logcollector: INFO: Started (pid: 26005).
2012/01/19 13:07:07 ossec-monitord: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2012/01/19 13:07:13 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2012/01/19 13:08:03 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/01/19 13:08:03 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, January 19, 2012 1:02 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.1'.

There are a bunch of examples of this in the archives.
Does each agent have a unique IP? Is the unique IP correctly set up in manage_agents on the manager?
Does each agent have only 1 IP? Or is the correct IP the one communicating with the manager?
More below.

On Thu, Jan 19, 2012 at 10:25 AM, kcjames <kcja...@gmail.com> wrote:
> I'm pulling my hair out here. I have a new install of ossec server
> and it is working great. I've incorporated the webui and splunk and
> that is all working great. However, I cannot get any agents
> connecting. I have tried just about every solution I could find and I
> am still getting nowhere.
>
> Here are the relevant log portions from the agents:
>

Which agent is this from?

> ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.1'.
>
> On the server here are the relevant log portions for ossec-remoted:
>
> ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8606).
> ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8608).
> ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.0.0/24'
> ossec.log:2012/01/18 15:40:18 ossec-remoted: Remote syslog allowed from: 'x.x.1.2'
> ossec.log:2012/01/18 15:40:18 ossec-remoted: INFO: Started (pid: 8607).
> ossec.log:2012/01/18 15:40:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> ossec.log:2012/01/18 15:40:19 ossec-remoted(1410): INFO: Reading authentication keys file.
> ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous counter available for 'agent001'.
> ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning counter for agent agent001: '0:0'.
> ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: No previous sender counter.
> ossec.log:2012/01/18 15:40:19 ossec-remoted: INFO: Assigning sender counter: 0:0
> ossec.log:2012/01/18 15:56:49 ossec-remoted(1213): WARN: Message from 127.0.0.1 not allowed.
>

That's interesting, I wonder what's trying to communicate on loopback.
Did you try turning on debug mode on the manager?
`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`

> Tcpdump data shows traffic from agents to server, but no server response.
>

Did you do the dump on the agent or the manager?

> # tcpdump -ni eth0 port 1514
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 08:15:15.627737 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> 08:15:21.628234 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> 08:15:25.628378 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> 08:15:30.628481 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
> 08:15:36.628707 IP x.x.1.2.4476 > x.x.x.1.1514: UDP, length 73
>
> Netstat output shows remoted is bound to 1514:
>
> 8608/ossec-remoted
> udp 0 0 *:syslog *:*
> 8607/ossec-remoted
> udp 0 0 *:39324 *:*
>
> Iptables is open on port 1514 in and all out ports are open. I also
> turned iptables off altogether and still no traffic from the ossec
> server to the agents:
>
> # iptables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:syslog
> ACCEPT tcp -- anywhere anywhere tcp dpt:8089
> ...
> Chain FORWARD (policy DROP)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Here are the lines in the conf for the agent IPs:
>
> <global>
> <white_list>127.0.0.1</white_list>
> <white_list>^localhost.localdomain$</white_list>
> <white_list> x.x.x.8</white_list>
> <white_list> x.x.x.10</white_list>
> <white_list> x.x.x.10</white_list>
> <white_list> x.x.1.2</white_list>
> </global>
>

Do you need both syslog and secure options?

> <remote>
> <connection>syslog</connection>
> <allowed-ips>x.x.0.0/24</allowed-ips>
> <allowed-ips>x.x.1.2</allowed-ips>
> </remote>
>
> <remote>
> <connection>secure</connection>
> </remote>
>
> I am not behind any NAT and I am not using any firewalls on the
> agents, though I see no traffic even being sent from the server to the
> agents, so I am relatively sure that isn't a problem anyway.
>
> Any help would be much appreciated!
>
> James
>
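A small check for the two questions raised in this thread (does every agent have its own unique IP in manage_agents, and is the source of a "Message from X not allowed" warning a registered agent at all), added here as an example; it is not code from the thread or from the OSSEC project. It assumes the client.keys layout OSSEC's manage_agents writes (ID NAME IP KEY); the client.keys lines and the ossec.log excerpt are constructed samples, and the key column holds placeholders.

```python
import re
from collections import Counter

# Constructed sample of /var/ossec/etc/client.keys (layout: ID NAME IP KEY);
# the key column holds placeholders, not real agent keys.
SAMPLE_CLIENT_KEYS = """\
001 agent001 192.0.2.10 PLACEHOLDER_KEY_001
002 agent002 192.0.2.10 PLACEHOLDER_KEY_002
003 agent003 192.0.2.11 PLACEHOLDER_KEY_003
"""

# Constructed ossec.log excerpt modelled on the ossec-remoted lines in the thread.
SAMPLE_OSSEC_LOG = """\
2012/01/18 15:40:19 ossec-remoted: INFO: Assigning counter for agent agent001: '0:0'.
2012/01/18 15:56:49 ossec-remoted(1213): WARN: Message from 127.0.0.1 not allowed.
2012/01/18 15:57:02 ossec-remoted(1213): WARN: Message from 192.0.2.10 not allowed.
"""

NOT_ALLOWED_RE = re.compile(
    r"ossec-remoted(?:\(\d+\))?: WARN: Message from (\S+) not allowed\."
)


def parse_client_keys(text):
    """Return (agent_id, name, ip) tuples; skip blank or malformed lines."""
    agents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        agents.append((fields[0], fields[1], fields[2]))
    return agents


def duplicate_ips(agents):
    """IPs registered to more than one agent: the manager looks up the key
    by source IP, so two agents sharing an IP cannot both be matched."""
    counts = Counter(ip for _, _, ip in agents if ip != "any")
    return sorted(ip for ip, n in counts.items() if n > 1)


def unregistered_sources(log_text, agents):
    """Source IPs behind 'Message from X not allowed' with no registered agent."""
    registered = {ip for _, _, ip in agents}
    hits = set()
    for line in log_text.splitlines():
        m = NOT_ALLOWED_RE.search(line)
        if m and m.group(1) not in registered:
            hits.add(m.group(1))
    return sorted(hits)
```

Run against the real files, an IP listed by duplicate_ips() answers the "unique IP" question, and an IP listed by unregistered_sources() is something talking to port 1514 that no manage_agents entry covers.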