As well, in case it helps, this is what I got in a new agent installation (which is working as I would expect).

root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec
ii ossec-hids-agent 2.8-1wheezy amd64 OSSEC Agent - Host Based Intrusion Detection System
root@ip-10-0-0-242:/home/admin# service ossec status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
root@ip-10-0-0-242:/home/admin# ps aux | grep ossec
root 2600 0.0 0.0 12560 504 ? S 15:10 0:00 /var/ossec/bin/ossec-execd
ossec 2604 0.1 0.1 12848 928 ? S 15:10 0:00 /var/ossec/bin/ossec-agentd
root 2608 0.0 0.0 4300 516 ? S 15:10 0:00 /var/ossec/bin/ossec-logcollector
root 2611 0.6 0.1 4624 800 ? S 15:10 0:01 /var/ossec/bin/ossec-syscheckd
root@ip-10-0-0-242:/home/admin# cat /etc/debian_version
7.2

On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett <[email protected]> wrote:

> Hi Jelle,
>
> ossec-hids-agent package should be the only one you need. Not sure why you
> are getting these errors.
>
> The process to connect an agent to a server requires you to:
>
> - Run /var/ossec/bin/manage_agents and import the key from the server.
> - Edit /var/ossec/etc/ossec.conf and set the server-ip variable.
> - Restart ossec-hids (service ossec restart)
>
> Of course, previously to these steps, you would also need to add a new
> agent on the manager (your OSSIM system in this case). You can also use
> manage_agents for this (or do it from the GUI).
>
> If you already did this and it doesn't work, let's try to figure out what
> the issue is. Please if possible let me know what Debian version you are
> using. As well please double check that ossec-remoted process is running on
> the server.
>
> The output of these commands would help:
>
> ps aux | grep ossec (both for the agent and your ossim box, the manager)
> dpkg -l | grep -i ossec
> service ossec status
> cat /etc/debian_version
>
> Thank you,
>
> Santiago.
>
> On Sat, Aug 2, 2014 at 2:02 AM, Jelle B. <[email protected]> wrote:
>
>> Hi all,
>>
>> I have this issue which seems to normally be server related but I might
>> be wrong.
>>
>> I am trying to set up a collection of Debian hosts to connect with agent to
>> my OSSIM appliance.
>>
>> Now with my first test host I run into a problem, as I will have to
>> redistribute the software via puppet I want to use the Debian repository
>> and as such I thought installing the ossec-hids-agent package would install
>> all I would need except the client key but then ...
>>
>> lab_webfarm [[email protected] etc]# service ossec start
>> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>> Deleting PID file '/var/ossec/var/run/ossec-logcollector-20693.pid' not used...
>> Deleting PID file '/var/ossec/var/run/ossec-agentd-20689.pid' not used...
>> ossec-execd already running...
>> 2014/08/02 10:59:55 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>> Started ossec-agentd...
>> 2014/08/02 10:59:55 ossec-logcollector: DEBUG: Starting ...
>> Started ossec-logcollector...
>> 2014/08/02 10:59:55 ossec-syscheckd: DEBUG: Starting ...
>> 2014/08/02 10:59:55 ossec-rootcheck: DEBUG: Starting ...
>> 2014/08/02 10:59:55 ossec-rootcheck: Starting queue ...
>> 2014/08/02 10:59:58 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2014/08/02 10:59:58 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2014/08/02 11:00:06 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2014/08/02 11:00:06 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2014/08/02 11:00:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2014/08/02 11:00:19 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> ossec-syscheckd did not start
>> lab_webfarm [[email protected] etc]# service ossec status
>> ossec-logcollector: Process 20732 not used by ossec, removing ..
>> ossec-logcollector not running...
>> ossec-syscheckd not running...
>> ossec-agentd: Process 20728 not used by ossec, removing ..
>> ossec-agentd not running...
>> ossec-execd is running...
>> lab_webfarm [[email protected] etc]#
>>
>> I assume I am missing something, do I need the ossec-hids package as well,
>> and if so why is it not installed as a dependency to ossec-hids-agent ;-)
>>
>> Any help and pointers in the right direction would be helpful.
>>
>> Regards,
>> J.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
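
The agent-side steps and the `service ossec status` check discussed in this thread, turned into a pre-flight script; this is an added example, not part of the original messages. It assumes the default /var/ossec layout with the imported key stored in etc/client.keys; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for an OSSEC agent before "service ossec restart".
# Assumptions (not from the thread): the key imported with manage_agents is
# stored in etc/client.keys, and the manager address is given as <server-ip>
# (or <server-hostname>) in etc/ossec.conf.

# check_agent_config [DIR]
# Prints one line per finding; returns 0 only if both prerequisites are met.
check_agent_config() {
    dir=${1:-/var/ossec}
    rc=0

    # Step 1: key imported from the manager -> client.keys exists, non-empty.
    if [ -s "$dir/etc/client.keys" ]; then
        echo "OK: client.keys present"
    else
        echo "MISSING: no key in $dir/etc/client.keys (import it with manage_agents)"
        rc=1
    fi

    # Step 2: manager address set to a non-empty value in ossec.conf.
    if grep -Eq '<server-(ip|hostname)>[^<[:space:]]+</server-(ip|hostname)>' \
            "$dir/etc/ossec.conf" 2>/dev/null; then
        echo "OK: manager address set"
    else
        echo "MISSING: no <server-ip> value in $dir/etc/ossec.conf"
        rc=1
    fi
    return $rc
}

# not_running
# Reads "service ossec status" output on stdin and prints the name of every
# daemon reported as "not running", one per line.
not_running() {
    sed -n 's/^\(ossec-[a-z]*\) not running.*/\1/p'
}

# Typical use on an agent host:
#   check_agent_config /var/ossec && service ossec restart
#   service ossec status | not_running
```
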
