Could you check on the server with tcpdump if there is any traffic sent from the agent and, in case there is, what IP is being used? I know you did it with netstat but there could be other factors involved (maybe firewalls...)
On Thu, Apr 10, 2014 at 8:05 AM, Binet, Valere (NIH/NIA/IRP) [C] <bin...@nia.nih.gov> wrote:

> What do the logs say?
> They should be in /var/ossec/logs
>
> Valère Binet [C]
> IT Security Administrator
> Kelly Government Solutions On-Site at the NIH
> NIH / NIA / IRP
> Tel : 410 558 8013
> mailto: bin...@nia.nih.gov
>
> NCTS performance comments and survey at:
> https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
>
> On Apr 10, 2014, at 9:43 AM, Devendra Agarwal <devendra.agra...@gmail.com> wrote:
>
> Hi Santiago,
>
> Thanks for the response. The system does have 2 IPs. I have verified with
> netstat that ossec binds to the correct IP. There is no communication shown in
> the output of tcpdump on either IP. In every case it fails, that server
> has NIC bonding (teaming) set up. I am wondering if I need to do anything
> else to configure ossec to accommodate NIC bonding.
>
> On Wednesday, 9 April 2014 21:26:15 UTC-4, Santiago Bassett wrote:
>
> Hi Devendra,
>
> does your system have multiple IP addresses? Is there any other agent
> connected to the server?
>
> I have experienced issues with systems running multiple IP addresses. If
> that is the case I would recommend to check with tcpdump which is the one
> that the agent uses to send data to the server, and be sure it matches the
> one configured for the agent.
>
> I hope it helps
>
> On Wed, Apr 9, 2014 at 1:29 PM, Devendra Agarwal <devendra...@gmail.com> wrote:
>
> I installed ossec-hids-2.4.1 agent on a server running on Red Hat Linux
> 5.4. The agent is not communicating. Other agents are fine. It seems if I
> have NIC bonding set up, this issue happens. Is there any known issue with
> ossec if there is NIC bonding set up?
>
> 2014/04/09 16:23:28 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
> 2014/04/09 16:23:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.
> 2014/04/09 16:24:27 ossec-agentd: INFO: Trying to connect to server (3.144.193.45:1514).
> 2014/04/09 16:24:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '3.144.193.45'.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
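
Added example, not part of the original thread: one way to run the tcpdump check discussed above on the server, listing which source addresses send to port 1514 and whether the address configured for the agent is among them. The function names, the capture file path and the 10.0.0.x sample addresses are hypothetical, and UDP as the agent transport is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `tcpdump -nn` text output on stdin.
# On the server, capture first, stop with Ctrl-C, then analyse the file:
#   tcpdump -nn -i any udp port 1514 > /tmp/ossec-1514.txt
#   check_agent_ip <configured-agent-ip> 1514 < /tmp/ossec-1514.txt

# Print "source-ip packet-count" for every sender to the given port.
agent_sources() {
    awk -v port="$1" '
    {
        # Locate the "IP" token; its position varies with "-i any".
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF - 3 || $(i + 2) != ">") next
        src = $(i + 1); dst = $(i + 3)
        sub(/:$/, "", dst)              # "addr.port:" -> "addr.port"
        n = split(dst, d, ".")
        if (d[n] != port) next          # keep only packets to the server port
        sub(/\.[0-9]+$/, "", src)       # drop the source port
        count[src]++
    }
    END { for (s in count) print s, count[s] }' | sort
}

# Exit status 0: expected address seen; 1: only other sources; 2: no traffic.
check_agent_ip() {
    expected="$1"; port="$2"
    seen=$(agent_sources "$port" | awk '{ print $1 }')
    if [ -z "$seen" ]; then
        echo "no packets to port $port: look at firewalls and routing"
        return 2
    fi
    if printf '%s\n' "$seen" | grep -Fxq "$expected"; then
        echo "agent traffic arrives from $expected"
        return 0
    fi
    echo "packets arrive, but not from $expected; sources:" $seen
    return 1
}

# Constructed sample capture (the 10.0.0.x addresses are made up).
sample='16:23:28.100000 IP 10.0.0.7.40001 > 3.144.193.45.1514: UDP, length 73
16:23:49.200000 IP 10.0.0.7.40001 > 3.144.193.45.1514: UDP, length 73
16:23:50.000000 IP 10.0.0.9.53 > 3.144.193.45.33000: UDP, length 40'
printf '%s\n' "$sample" | check_agent_ip 10.0.0.7 1514
```

Status 1 on a bonded host means the packets leave from an address other than the one registered for the agent; status 2 matches the "no communication in tcpdump" case in the thread.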