2.8.45 on RHEL5 Server at 10.0.130.70; agent at 10.0.130.74. Agent log says
[root@yamaguchi logs]# tail ossec.log
2014/08/07 18:00:22 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.70'.
2014/08/07 18:01:36 ossec-agentd: INFO: Trying to connect to server (10.0.130.70:1514).
2014/08/07 18:01:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
2014/08/07 18:01:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.70'.
2014/08/07 18:03:29 ossec-agentd: INFO: Trying to connect to server (10.0.130.70:1514).
2014/08/07 18:03:29 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
2014/08/07 18:03:50 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.70'.
2014/08/07 18:05:40 ossec-agentd: INFO: Trying to connect to server (10.0.130.70:1514).
2014/08/07 18:05:40 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 .
2014/08/07 18:06:01 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.70'.

and no entries at all in server ossec.log, which says 'firewall', right? But...

root@saratoga logs)# tcpdump -nn udp and host 10.0.130.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:10:27.923241 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:10:31.923833 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:10:36.924107 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73

Packets coming in, but the server isn't responding. And absolutely nothing in the log, and I mean nothing. So I crank remoted up to 2:

root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf
remoted.debug=2

and restart:

root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf
remoted.debug=2
root@saratoga logs)# /etc/init.d/ossec start
Starting OSSEC: 2014/08/07 18:14:53 ossec-remoted: DEBUG: Starting ...
grte [ OK ]
root@saratoga logs)# tail -f ossec.log
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/tomcat5/catalina.out'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/mrepo-access_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/mrepo-error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_access_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_request_log'.
2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793).
2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).

and.... that's all. No logging.
Tried this with an agent that list-agents is showing as active, and tcpdump shows them shaking hands and playing nicely:

root@saratoga logs)# tcpdump -nn udp and host 10.0.130.80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:22:00.189102 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 73
18:22:00.197843 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
18:22:01.191213 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 105
18:22:01.191703 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 137
18:22:01.192152 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 153
18:22:01.198877 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 713
18:22:01.199373 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
18:22:42.240830 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 137

and yet after that restart - nothing at all written into ossec.log:

root@saratoga logs)# tail ossec.log
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/tomcat5/catalina.out'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/mrepo-access_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/mrepo-error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_access_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_error_log'.
2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/ssl_request_log'.
2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793).
2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
Log permissions are

rw-r--r-- 1 ossec ossec 8159 Aug 7 18:26 ossec.log

and any pointers appreciated - hard to debug a problem if I can't see logs. Thanks....
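The tcpdump captures above make the diagnosis visible: for 10.0.130.74 only agent-to-server datagrams appear, while for 10.0.130.80 the server answers on port 1514. As an added example (not from the original post or from the OSSEC project), the script below parses "tcpdump -nn" UDP summary lines and lists the agents whose datagrams reached the server but were never answered, so the same check can be run over a longer capture from a manager with many agents. The server address and port are taken from the post; the sample capture is a constructed, trimmed mix of the two captures quoted there.

```python
import re
from collections import defaultdict

SERVER_IP = "10.0.130.70"   # manager address from the post
SERVER_PORT = 1514          # ossec-remoted UDP port from the post

# One "tcpdump -nn" UDP summary line, e.g.
# 18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

def summarize_agents(tcpdump_lines, server_ip=SERVER_IP, server_port=SERVER_PORT):
    """Count datagrams each agent sent to the server port and replies it got back.

    Returns {agent_ip: {"sent": n, "replied": n}}; lines that are not packet
    summaries (the tcpdump banner) are skipped.
    """
    stats = defaultdict(lambda: {"sent": 0, "replied": 0})
    for line in tcpdump_lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        if m["dst"] == server_ip and int(m["dport"]) == server_port:
            stats[m["src"]]["sent"] += 1          # agent -> server
        elif m["src"] == server_ip and int(m["sport"]) == server_port:
            stats[m["dst"]]["replied"] += 1       # server -> agent
    return dict(stats)

def silent_agents(tcpdump_lines, **kw):
    """Agents whose datagrams reached the server but were never answered."""
    stats = summarize_agents(tcpdump_lines, **kw)
    return sorted(ip for ip, c in stats.items() if c["sent"] and not c["replied"])

# Constructed sample: a trimmed mix of the two captures quoted in the post.
SAMPLE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:10:27.923241 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73
18:22:00.189102 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 73
18:22:00.197843 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73
18:22:01.191213 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 105
""".splitlines()

if __name__ == "__main__":
    for ip, c in summarize_agents(SAMPLE).items():
        print(f"{ip}: sent {c['sent']}, replied {c['replied']}")
    print("never answered by server:", silent_agents(SAMPLE))
```

An agent that shows up as "never answered" while its packets are visible on the manager is not a firewall problem on the path; the next thing to check is the manager side (remoted running, the agent's key and allowed IP in client.keys, and the log permissions the post already covers).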
