Fixed by making ossec.log 777, which I don't like much - but it at least lets me see where the problem is. Continued in another topic...
On Thursday, August 7, 2014 6:30:39 PM UTC-4, Tim Boyer wrote: > > 2.8.45 on RHEL5 > > Server at 10.0.130.70; agent at 10.0.130.74. Agent log says > > [root@yamaguchi logs]# tail ossec.log > 2014/08/07 18:00:22 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '10.0.130.70'. > 2014/08/07 18:01:36 ossec-agentd: INFO: Trying to connect to server ( > 10.0.130.70:1514). > 2014/08/07 18:01:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 . > 2014/08/07 18:01:57 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '10.0.130.70'. > 2014/08/07 18:03:29 ossec-agentd: INFO: Trying to connect to server ( > 10.0.130.70:1514). > 2014/08/07 18:03:29 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 . > 2014/08/07 18:03:50 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '10.0.130.70'. > 2014/08/07 18:05:40 ossec-agentd: INFO: Trying to connect to server ( > 10.0.130.70:1514). > 2014/08/07 18:05:40 ossec-agentd: INFO: Using IPv4 for: 10.0.130.70 . > 2014/08/07 18:06:01 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '10.0.130.70'. > > and no entries at all in server ossec.log, which says 'firewall', right? > But... > > root@saratoga logs)# tcpdump -nn udp and host 10.0.130.74 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes > 18:10:21.922766 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73 > 18:10:27.923241 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73 > 18:10:31.923833 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73 > 18:10:36.924107 IP 10.0.130.74.51730 > 10.0.130.70.1514: UDP, length 73 > > Packets coming in, but the server isn't responding. And absolutely > nothing in the log, and I mean nothing. So I crank remoted up to 2: > > root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf > remoted.debug=2 > > and restart: > > root@saratoga logs)# grep remoted.debug ../etc/internal_options.conf > remoted.debug=2 > root@saratoga logs)# /etc/init.d/ossec start > Starting OSSEC: 2014/08/07 18:14:53 ossec-remoted: DEBUG: Starting ... > grte [ OK ] > root@saratoga logs)# tail -f ossec.log > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/maillog'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/access_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/tomcat5/catalina.out'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/mrepo-access_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/mrepo-error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_access_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_request_log'. > 2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793). > 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > > and.... that's all. No logging. > > Tried this with an agent that list-agents is showing as active, and > tcpdump shows them shaking hands and playing nicely: > > root@saratoga logs)# tcpdump -nn udp and host 10.0.130.80 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes > 18:22:00.189102 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length 73 > 18:22:00.197843 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73 > 18:22:01.191213 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length > 105 > 18:22:01.191703 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length > 137 > 18:22:01.192152 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length > 153 > 18:22:01.198877 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length > 713 > 18:22:01.199373 IP 10.0.130.70.1514 > 10.0.130.80.56547: UDP, length 73 > 18:22:42.240830 IP 10.0.130.80.56547 > 10.0.130.70.1514: UDP, length > 137 > > and yet after that restart - nothing at all written into ossec.log: > > root@saratoga logs)# tail ossec.log > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/tomcat5/catalina.out'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/mrepo-access_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/mrepo-error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_access_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_error_log'. > 2014/08/07 18:14:59 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/httpd/ssl_request_log'. > 2014/08/07 18:14:59 ossec-logcollector: INFO: Started (pid: 2793). > 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2014/08/07 18:16:00 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > > > Log permissions are > > rw-r--r-- 1 ossec ossec 8159 Aug 7 18:26 ossec.log > > and any pointers appreciated - hard to debug a problem if I can't see > logs. Thanks.... > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
