Below is a snippet from the logs.

2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/04/10 09:08:52 ossec-logcollector: INFO: Started (pid: 11777).
2014/04/10 09:09:07 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2014/04/10 09:09:22 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/04/10 09:09:28 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:09:30 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
2014/04/10 09:09:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:10:11 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
2014/04/10 09:10:32 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:10:48 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2014/04/10 09:10:48 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2014/04/10 09:10:48 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...

On Thursday, 10 April 2014 11:05:15 UTC-4, Binet, Valere (NIH/NIA/IRP) [C] wrote:
>
> What do the logs say?
> They should be in /var/ossec/logs
>
> Valère Binet [C]
> IT Security Administrator
> Kelly Government Solutions On-Site at the NIH
> NIH / NIA / IRP
> Tel : 410 558 8013
> mailto: bin...@nia.nih.gov
>
> NCTS performance comments and survey at:
> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
>
> On Apr 10, 2014, at 9:43 AM, Devendra Agarwal <devendra...@gmail.com> wrote:
>
> Hi Santiago,
>
> Thanks for the response. The system does have 2 IPs. I have verified with
> netstat that ossec binds to the correct IP. There is no communication shown in
> the output of tcpdump on either IP. In every case it fails, that server
> has NIC bonding (teaming) setup. I am wondering if I need to do anything
> else to configure ossec to accommodate NIC bonding.
>
> On Wednesday, 9 April 2014 21:26:15 UTC-4, Santiago Bassett wrote:
> Hi Devendra,
>
> does your system have multiple IP addresses? Is there any other agent
> connected to the server?
>
> I have experienced issues with systems running multiple IP addresses. If
> that is the case I would recommend checking with tcpdump which is the one
> that the agent uses to send data to the server, and be sure it matches the
> one configured for the agent.
>
> I hope it helps
>
> On Wed, Apr 9, 2014 at 1:29 PM, Devendra Agarwal <devendra...@gmail.com> wrote:
> I installed ossec-hids-2.4.1 agent on a server running on Red Hat Linux
> 5.4. The agent is not communicating. Other agents are fine. It seems if I
> have NIC bonding setup, this issue happens. Is there any known issue with
> ossec if there is NIC bonding setup?
>
> 2014/04/09 16:23:28 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
> 2014/04/09 16:23:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
> 2014/04/09 16:24:27 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
> 2014/04/09 16:24:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
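
Added example, not part of the original thread or of OSSEC itself: a small triage script for agent log lines like the ones quoted above, counting connect attempts and unanswered waits (message 4101) per server so that an agent that never gets a reply is easy to pick out. The sample log is constructed from the format shown in the thread; the "Connected to the server" success text, the function name `triage` and the `min_unanswered` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the agent log lines quoted in this thread.
SAMPLE_LOG = """\
2014/04/10 09:08:52 ossec-logcollector: INFO: Started (pid: 11777).
2014/04/10 09:09:28 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:09:30 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
2014/04/10 09:09:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:10:11 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
2014/04/10 09:10:32 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
2014/04/10 09:10:48 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
"""

# timestamp, daemon name, optional numeric message id, level, message text
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: ([A-Z]+): (.*)$")
TRYING = re.compile(r"Trying to connect to server \(\s*([\d.]+):(\d+)\)")
WAITING = re.compile(r"Waiting for server reply \(not started\)\. Tried: '([\d.]+)'")
# Assumption: a successful handshake logs this text; it does not appear in the thread.
CONNECTED = re.compile(r"Connected to the server \(\s*([\d.]+):(\d+)\)")

def triage(log_text, min_unanswered=3):
    """Per server IP: connect attempts, unanswered waits, and a never_answered verdict."""
    stats = defaultdict(lambda: {"attempts": 0, "unanswered": 0, "connected": False,
                                 "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "ossec-agentd":
            continue  # only the agent daemon talks to the server
        ts, msg = m.group(1), m.group(5)
        for pattern, field in ((TRYING, "attempts"), (WAITING, "unanswered"),
                               (CONNECTED, "connected")):
            hit = pattern.search(msg)
            if not hit:
                continue
            s = stats[hit.group(1)]
            s["first"] = s["first"] or ts
            s["last"] = ts
            s[field] = True if field == "connected" else s[field] + 1
    for s in stats.values():
        # Repeated waits with no success point at the network path or agent
        # identity (source IP, firewall, key) rather than at the local daemon.
        s["never_answered"] = not s["connected"] and s["unanswered"] >= min_unanswered
    return dict(stats)

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```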