Found it, can't believe I overlooked this ...

My client.keys file had the wrong ownership; after changing it to ossec it 
started right up.

Thanks for your help


On Saturday, August 2, 2014 5:25:49 PM UTC+2, Santiago Bassett wrote:
>
> As well, in case it helps, this is what I got in a new agent installation 
> (which is working as I would expect).
>
> root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec
> ii  ossec-hids-agent                   2.8-1wheezy            amd64        OSSEC Agent - Host Based Intrusion Detection System
>
> root@ip-10-0-0-242:/home/admin# service ossec status
> ossec-logcollector is running...
> ossec-syscheckd is running...
> ossec-agentd is running...
> ossec-execd is running...
>
> root@ip-10-0-0-242:/home/admin# ps aux | grep ossec
> root      2600  0.0  0.0  12560   504 ?        S    15:10   0:00 /var/ossec/bin/ossec-execd
> ossec     2604  0.1  0.1  12848   928 ?        S    15:10   0:00 /var/ossec/bin/ossec-agentd
> root      2608  0.0  0.0   4300   516 ?        S    15:10   0:00 /var/ossec/bin/ossec-logcollector
> root      2611  0.6  0.1   4624   800 ?        S    15:10   0:01 /var/ossec/bin/ossec-syscheckd
>
> root@ip-10-0-0-242:/home/admin# cat /etc/debian_version 
> 7.2
>
>
> On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett <[email protected]> wrote:
>
>> Hi Jelle,
>>
>> ossec-hids-agent package should be the only one you need. Not sure why 
>> you are getting these errors.
>>
>> The process to connect an agent to a server requires you to:
>>
>> - Run /var/ossec/bin/manage_agents and import the key from the server. 
>> - Edit /var/ossec/etc/ossec.conf and set the server-ip variable.
>> - Restart ossec-hids (service ossec restart)
>>
>> Of course, prior to these steps, you would also need to add a new 
>> agent on the manager (your OSSIM system in this case). You can also use 
>> manage_agents for this (or do it from the GUI).
>>
>> If you already did this and it doesn't work, let's try to figure out what 
>> the issue is. Please, if possible, let me know what Debian version you are 
>> using. As well, please double-check that the ossec-remoted process is running on 
>> the server.
>>
>> The output of these commands would help: 
>>
>> ps aux | grep ossec (both for the agent and your ossim box, the manager)
>> dpkg -l | grep -i ossec  
>> service ossec status
>> cat /etc/debian_version
>>
>> Thank you,
>>
>> Santiago.
>>
>> On Sat, Aug 2, 2014 at 2:02 AM, Jelle B. <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I have this issue which seems to normally be server related, but I might 
>>> be wrong.
>>>
>>> I am trying to set up a collection of Debian hosts to connect with agent 
>>> to my OSSIM appliance.
>>>
>>> Now with my first test host I run into a problem. As I will have to 
>>> redistribute the software via puppet, I want to use the Debian repository, 
>>> and as such I thought installing the ossec-hids-agent package would install 
>>> all I would need except the client key, but then ...
>>>
>>> lab_webfarm [[email protected] etc]# service ossec start
>>> Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>>> Deleting PID file '/var/ossec/var/run/ossec-logcollector-20693.pid' not used...
>>> Deleting PID file '/var/ossec/var/run/ossec-agentd-20689.pid' not used...
>>> ossec-execd already running...
>>> 2014/08/02 10:59:55 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
>>> Started ossec-agentd...
>>> 2014/08/02 10:59:55 ossec-logcollector: DEBUG: Starting ...
>>> Started ossec-logcollector...
>>> 2014/08/02 10:59:55 ossec-syscheckd: DEBUG: Starting ...
>>> 2014/08/02 10:59:55 ossec-rootcheck: DEBUG: Starting ...
>>> 2014/08/02 10:59:55 ossec-rootcheck: Starting queue ...
>>> 2014/08/02 10:59:58 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 10:59:58 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:06 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:06 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2014/08/02 11:00:19 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> ossec-syscheckd did not start
>>> lab_webfarm [[email protected] etc]# service ossec status
>>> ossec-logcollector: Process 20732 not used by ossec, removing ..
>>> ossec-logcollector not running...
>>> ossec-syscheckd not running...
>>> ossec-agentd: Process 20728 not used by ossec, removing ..
>>> ossec-agentd not running...
>>> ossec-execd is running...
>>> lab_webfarm [[email protected] etc]#
>>>
>>> I assume I am missing something. Do I need the ossec-hids package 
>>> as well, and if so why is it not installed as a dependency of 
>>> ossec-hids-agent ;-)
>>>
>>> Any help and pointers in the right direction would be helpful.
>>>
>>> Regards,
>>> J.
>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>
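
The fix reported at the top of this thread was a client.keys file that the agent's user could not read. As an added example (not part of the original messages), the script below checks whether a given user can read a file by applying the owner/group/other class rule. The helper names are hypothetical, the default path `/var/ossec/etc/client.keys` is an assumed default location, and GNU `stat` is assumed; ACLs and root's override are ignored.

```sh
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# Assumes GNU stat (Debian). Judges classic mode bits only: no ACLs, and
# no root override, which is right for an unprivileged user like ossec.

# can_read USER FILE -> 0 readable, 1 not readable, 2 FILE cannot be stat'ed
can_read() {
    user=$1; file=$2
    meta=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 2
    set -- $meta
    owner=$1; group=$2; perm=$3
    mode=$((0$perm))                      # %a is octal, e.g. 640
    # Unix picks exactly one class: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bit=$(( (mode >> 8) & 1 ))        # 0400
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        bit=$(( (mode >> 5) & 1 ))        # 0040
    else
        bit=$(( (mode >> 2) & 1 ))        # 0004
    fi
    [ "$bit" -eq 1 ]
}

# check_agent_keys [USER] [FILE]: report in one line, same return codes.
check_agent_keys() {
    who=${1:-ossec}                               # user seen in the ps output
    keys=${2:-/var/ossec/etc/client.keys}         # assumed default location
    rc=0; can_read "$who" "$keys" || rc=$?
    case $rc in
        0) echo "OK: $who can read $keys ($owner:$group $perm)" ;;
        1) echo "FAIL: $who cannot read $keys ($owner:$group $perm)" ;;
        *) echo "FAIL: cannot stat $keys" ;;
    esac
    return $rc
}

# Stand-alone use: only report when an agent install is present.
if [ -e /var/ossec/etc/client.keys ]; then check_agent_keys || true; fi
```

Run it as root on the agent host, since an unprivileged caller may not be able to stat files under /var/ossec/etc.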
