On Tue, Aug 12, 2014 at 3:45 PM, Andreas Fantides <[email protected]> wrote:
> Hi again Dan,
>
> Cheers for helping me out with this. I was indeed prompted for a password
> after the HP advertisement, however I input the correct password and it
> still timed out.
>
> Everything switch side is configured properly so this has to be a config
> issue within Ossec. I'll give -d a try tomorrow and see what info it gives,
> I'd say it roughly times out after about 20 seconds but can't be sure.
>
Did you try the ssh command I provided?

> Any chance you could screenshot your configuration for ossec.conf,
> ssh.exp and ssh_generic_diff? I know it's a pain but perhaps I have
> something missing as my passlist file looks like you suggest.
>

No, screenshots are horrible. I also didn't add anything to my
ossec.conf, I just ran things manually to see if they worked. The
other files are default because I had no reason to change them.

> Thanks again :)
>
> On Tuesday, 12 August 2014 16:54:30 UTC+1, dan (ddpbsd) wrote:
>>
>> On Tue, Aug 12, 2014 at 11:36 AM, dan (ddp) <[email protected]> wrote:
>> > On Tue, Aug 12, 2014 at 11:22 AM, Andreas Fantides
>> > <[email protected]> wrote:
>> >> Hi Dan,
>> >>
>> >> I run the test and can see that it logs onto the HP Switch and you get the
>> >> same message displayed that you would if you used PuTTY to connect, however
>> >> it then seems to kick you out and ask for the password again?......
>> >>
>> >> I've attached another screenshot.
>> >>
>> >
>> > Did you try typing the password in? If so, it doesn't look like it's
>> > catching the password prompt properly, the timeout happens because
>> > there is no authentication taking place and the ssh connection times
>> > out. Could you get rid of the HP advertisement to see if that helps?
>> > You can also add the "-d" flag to expect to see if that provides more
>> > useful information.
>> >
>>
>> I just set up a linux box to look similar (same advertisement, the
>> prompt looks basically the same). It works fine for me. Make sure your
>> /var/ossec/agentlessd/.passlist looks something like:
>> [email protected]|YEsTaS87|
>>
>> If you run `ssh [email protected] "show config"` do you get the
>> output you expect (after typing in the password)?
>>
>> About how long does it take to timeout?
>>
>> >
>> >>
>> >>
>> >> On Tuesday, 12 August 2014 14:44:21 UTC+1, dan (ddpbsd) wrote:
>> >>>
>> >>> On Tue, Aug 12, 2014 at 9:40 AM, Andreas Fantides
>> >>> <[email protected]> wrote:
>> >>> > Hi Dan,
>> >>> >
>> >>> > I have moved all of Ossec to the /var/ossec directory and confirmed that
>> >>> > everything is started, working and reporting, but am still having no luck
>> >>> > with agentless.
>> >>> >
>> >>> > I have tried your command and received the output in the attachment. Any
>> >>> > ideas?
>> >>> >
>> >>>
>> >>>
>> >>> Try `expect agentless/ssh_generic_diff HOST` or something like that.
>> >>> I think that's what you wanted to run.
>> >>>
>> >>> > Many thanks
>> >>> > Andreas
>> >>> >
>> >>> >
>> >>> > On Tuesday, 12 August 2014 13:33:42 UTC+1, Andreas Fantides wrote:
>> >>> >>
>> >>> >> Cheers Dan, I think you might be on to something here, I'll test and
>> >>> >> report back....
>> >>> >>
>> >>> >> On Tuesday, 12 August 2014 12:11:27 UTC+1, dan (ddpbsd) wrote:
>> >>> >>>
>> >>> >>> On Tue, Aug 12, 2014 at 6:54 AM, Andreas Fantides
>> >>> >>> <[email protected]> wrote:
>> >>> >>> > Hi Dan, and thanks for the information. How do I run manually
>> >>> >>> > though?
>> >>> >>> >
>> >>> >>>
>> >>> >>> `cd /var/ossec && expect agentless/script`
>> >>> >>>
>> >>> >>> I think it expects to be run from /var/ossec.
>> >>> >>>
>> >>> >>> > I have attached my expect script and can't see anything wrong, but was
>> >>> >>> > wondering if anyone could take a look?
>> >>> >>> >
>> >>> >>> > Cheers.
>> >>> >>> >
>> >>> >>> >
>> >>> >>> > On Monday, 11 August 2014 17:49:28 UTC+1, dan (ddpbsd) wrote:
>> >>> >>> >>
>> >>> >>> >> On Sun, Aug 10, 2014 at 9:20 AM, Andreas Fantides
>> >>> >>> >> <[email protected]> wrote:
>> >>> >>> >> > I've been really struggling to get agentless monitoring set up and
>> >>> >>> >> > working with HP Procurve 2524 switches.
>> >>> >>> >> >
>> >>> >>> >> > I have done the following:
>> >>> >>> >> >
>> >>> >>> >> > · Enabled agentless on the Ossec server.
>> >>> >>> >> >
>> >>> >>> >> > · Registered the switch using a password like this
>> >>> >>> >> > [email protected] Password (I am assuming that you place the user/login
>> >>> >>> >> > name to ssh into the switch before the @, and the password is the ssh
>> >>> >>> >> > password)
>> >>> >>> >> >
>> >>> >>> >> > · Set Ossec config for ssh_generic_diff, with [email protected] as
>> >>> >>> >> > the host, argument is show config
>> >>> >>> >> >
>> >>> >>> >> > · I have enabled logging to my server on the switch
>> >>> >>> >> >
>> >>> >>> >> > · Added my server as an ip-authorised manager on the switch
>> >>> >>> >> >
>> >>> >>> >> > · Enabled ssh on the switch (can PuTTY in)
>> >>> >>> >> >
>> >>> >>> >> > Yet after all this agentless doesn't want to work and in the ossec.log it
>> >>> >>> >> > says test passed for ssh_generic_diff, but then shows that agentless times
>> >>> >>> >> > out and won't connect to the switch.
>> >>> >>> >> >
>> >>> >>> >> > Can anyone help?
>> >>> >>> >> >
>> >>> >>> >>
>> >>> >>> >> Try running it manually. I'm guessing the login doesn't quite look the
>> >>> >>> >> way "expect" expects.
>> >>> >>> >> I don't know a whole lot about it, but I think the list could help to
>> >>> >>> >> get it working. Knowing what the SSH login looks like, and what
>> >>> >>> >> commands you need run would help.
>> >>> >>> >>
>> >>> >>> >> > --
>> >>> >>> >> >
>> >>> >>> >> > ---
>> >>> >>> >> > You received this message because you are subscribed to the Google Groups
>> >>> >>> >> > "ossec-list" group.
>> >>> >>> >> > To unsubscribe from this group and stop receiving emails from it, send an
>> >>> >>> >> > email to [email protected].
>> >>> >>> >> > For more options, visit https://groups.google.com/d/optout.
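
Added example, not part of the thread and not OSSEC's own code: a shell check that each `.passlist` entry has the `user@host|password|` shape shown in the message above, printing a verdict per line without ever echoing the password. The function names, verdict strings and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate .passlist entries of the form user@host|password|
# (the shape shown in the thread). Verdict strings are made up for this sketch.

# classify_entry ENTRY: print a verdict; return 0 only for a well-formed entry.
classify_entry() {
    entry=$1
    case $entry in
        *'|'*'|'*) ;;                               # needs both delimiters
        *) echo "missing-delimiters"; return 1 ;;
    esac
    target=${entry%%|*}      # text before the first '|'
    rest=${entry#*|}         # text after the first '|'
    password=${rest%%|*}     # text between the first and second '|'
    case $target in
        ''|*' '*) echo "bad-target"; return 1 ;;    # empty or contains a space
        ?*@?*) ;;                                   # user@host
        *) echo "bad-target"; return 1 ;;
    esac
    [ -n "$password" ] || { echo "empty-password"; return 1; }
    echo "ok"
}

# check_passlist: read entries on stdin, print "line N: verdict" (never the
# password), and return non-zero if any entry is malformed.
check_passlist() {
    n=0
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        [ -n "$entry" ] || continue                 # ignore blank lines
        verdict=$(classify_entry "$entry") || bad=$((bad + 1))
        echo "line $n: $verdict"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample entries (documentation addresses, not real credentials).
printf '%s\n' \
    'admin@192.0.2.10|ConstructedPw1|' \
    'admin@192.0.2.11 ConstructedPw2' \
    'admin@192.0.2.12||' | check_passlist || true
```

To check a real file, source the functions and run `check_passlist < .passlist` from the directory that holds it.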
