You need the "and" before port Sorry sent from my phone On Oct 13, 2014 8:59 PM, "David Masters" <[email protected]> wrote:
> The exact command I typed is was: > > tcpdump -i eth1 host xxx.xxx.xxx.xxx port 1514 > > No other ethernet ports are active on the machine. Did I miss something > when I typed it in? > > On Monday, October 13, 2014 7:43:23 PM UTC-5, Grant L wrote: >> >> I guessed at your eth interface >> >> the command is sound, I just dont know what your OS looks like >> >> SO >> >> tcpdump -i <replace this with the interface name, like eth0> host >> <replace this with the IP of the sending WIn7 platform> and port 1514 -vvv >> >> Make sense? >> >> Grant Leonard >> Castra Consulting, LLC <http://castraconsulting.com/#/> >> 919-949-4002 >> >> On Mon, Oct 13, 2014 at 8:32 PM, David Masters <[email protected]> >> wrote: >> >>> client is installed on Win7 machine with admin credentials (logged in as >>> domain admin and "ran as administrator" to install, group policy >>> installation runs under system credentials before login). >>> >>> tcpdump gives me a : syntax error on each IP address I have tried it on. >>> >>> >>> On Monday, October 13, 2014 6:18:08 PM UTC-5, Grant L wrote: >>>> >>>> Do this for about 5 non communicating servers at random. >>>> >>>> On the OSSEC-SERVER >>>> >>>> run 'tcpdump -i eth0 host <ip of server in question> port 1514' >>>> >>>> see if the connection even makes it to the server >>>> >>>> Also, note that OSSEC has to be installed as local admin or domain >>>> admin, else UAC kind of kills the application. >>>> >>>> Grant Leonard >>>> Castra Consulting, LLC <http://castraconsulting.com/#/> >>>> 919-949-4002 >>>> >>>> On Mon, Oct 13, 2014 at 6:55 PM, David Masters <[email protected] >>>> > wrote: >>>> >>>>> This is what we did last year.... >>>>> >>>>> Entered in the machines manually to the server to create the >>>>> account/key on the ossec server >>>>> once all of the machines were entered, we ran cat client.keys on the >>>>> ossec server, which reads/prints out all the keys to the screen >>>>> the session was being recorded to the putty.log (using putty to >>>>> connect to the ossec server) >>>>> the key list was copied from the putty.log (txt file) to a spreadsheet >>>>> this spreadsheet was used to manually enter each key into each >>>>> individual system when the agent was installed. >>>>> >>>>> This year we have roughly 2/3 again as many systems as we did last >>>>> year, so are trying to automate as much of this as possible. >>>>> We wrote a script that reads the computer names from a CSV to create >>>>> the machine accounts on the OSSEC server (utilizing manage_agents (which >>>>> we >>>>> wrote before it was found out that they had added that functionality to >>>>> the >>>>> 2.8.1 version). This creates the individual machine accounts. Then we >>>>> read the keys from the server (cat client.keys) just like we did last >>>>> year, >>>>> copying the keys from the putty.log file into a spreadsheet. I then copy >>>>> out those keys into individual text files named with the individual >>>>> computer name (ie: each line is a computer account/key which then gets >>>>> copied into its own text file named after itself and with the proper .keys >>>>> file format)(computer1.keys, computer2.keys, computer3.keys, etc). I have >>>>> a group policy that uninstalls any previous version of ossec agent, then >>>>> installs the current version (2.8), copies over the ossec.conf file with >>>>> the proper server info and copies over the computer name file into a >>>>> client.keys file on the machine (reads the machine name from the BIOS, >>>>> then >>>>> finds the proper computername.keys file and copies it over to that machine >>>>> into the ossec folder as client.keys, then starts the ossec agent. The >>>>> machine boots and the agent contains all the proper information except >>>>> that >>>>> it won't communicate with the server. The file structure is identical >>>>> with >>>>> a freshly installed local agent with the manually entered information, >>>>> except for the communication errors. >>>>> >>>>> Which part of that process is screwing me up? >>>>> >>>>> On Monday, October 13, 2014 5:31:09 PM UTC-5, >>>>> [email protected] wrote: >>>>>> >>>>>> David >>>>>> >>>>>> You wrote -- "The key files I am creating are being created directly >>>>>> from the spreadsheet" >>>>>> >>>>>> You are not creating the keys yourself are you? >>>>>> >>>>>> when you run manage-agents and add a new agent, a key gets put into >>>>>> client.keys, that key is associated with the hostname of the sending >>>>>> device >>>>>> and can only be used one. >>>>>> >>>>>> You don't have to have an IP of the remote agent, you can use "any" >>>>>> instead of 1.1.1.1 in case IP overlap is occuring. >>>>>> >>>>>> I have to ask, port 1514 is accessible from the Windows servers in >>>>>> question, right? They can actually send UDP 1514 packets to the >>>>>> Ossec-server? >>>>>> >>>>>> The scripts we wrote literally just loop through a csv file of >>>>>> "ip,hostname" and create the placeholder in manage-agent, then map a >>>>>> share >>>>>> connection to the target, move the agent over and attempt to run the >>>>>> agent >>>>>> with the creds provided and I don't do batches larger than 100 at a time >>>>>> just to make sure the ossec-server is keeping up. >>>>>> >>>>>> Has any of this helped you sir? >>>>>> >>>>>> On Monday, October 13, 2014 3:47:12 PM UTC-4, David Masters wrote: >>>>>>> >>>>>>> I am acquiring the keys originally from the server (cat client.keys) >>>>>>> then copying that information directly from the putty.log file into a >>>>>>> spreadsheet. The key files I am creating are being created directly >>>>>>> from >>>>>>> the spreadsheet. I manually verify the information in the keys file >>>>>>> before >>>>>>> it is copied down to the computer. Same with the ossec.conf file...it >>>>>>> was >>>>>>> copied originally from a machine that was communicating properly with >>>>>>> the >>>>>>> server. >>>>>>> >>>>>>> If you guys know of any scripts or automation help you can offer, I >>>>>>> would be most appreciative. I've been banging my head against a wall on >>>>>>> this one. >>>>>>> >>>>>>> On Monday, October 13, 2014 12:30:10 PM UTC-5, LostInThe Tubez wrote: >>>>>>>> >>>>>>>> Many people have created an automated deployment script >>>>>>>> successfully, so no need to worry there. How are you exporting the >>>>>>>> agent >>>>>>>> keys from the manager? More to the point, WHICH key are you using in >>>>>>>> your >>>>>>>> group policy script? If you really are using the same key that you >>>>>>>> would >>>>>>>> use in the GUI, as you state, then that’s the problem. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Here’s an exercise to illustrate the point: manually install an >>>>>>>> agent, such that it is communicating with the manager successfully. >>>>>>>> Open >>>>>>>> client.keys on the agent and look at the key. Now compare that key to >>>>>>>> the >>>>>>>> one in /var/ossec/etc/client.keys on the manager. They should be the >>>>>>>> same. >>>>>>>> When manually shuffling keys about using scripts, there is no need to >>>>>>>> extract the key using manage_agents. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> *From:* [email protected] [mailto:[email protected]] >>>>>>>> *On Behalf Of *David Masters >>>>>>>> *Sent:* Monday, October 13, 2014 9:19 AM >>>>>>>> *To:* [email protected] >>>>>>>> *Subject:* Re: [ossec-list] Windows agents not connecting to OSSEC >>>>>>>> server >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> The whole purpose of this exercise is to not have to go to each >>>>>>>> individual machine to input the key and configuration. We have over >>>>>>>> 3000 >>>>>>>> machines so that really is just not feasible. If the key & server is >>>>>>>> input >>>>>>>> manually when the software is installed it works fine. When the key >>>>>>>> file >>>>>>>> and config file are pushed out over the network (containing the exact >>>>>>>> same >>>>>>>> information that would have been input manually), it does not. This >>>>>>>> would >>>>>>>> be to the same machine, same configuration, no changes between manual >>>>>>>> input >>>>>>>> and pushed input. (except that it is not done manually). >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> If this is not possible, I would like to know this as soon as >>>>>>>> possible so that we can find a different solution for our IPS/IDS/FIM >>>>>>>> system. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thank you. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Monday, October 13, 2014 10:33:59 AM UTC-5, dan (ddpbsd) wrote: >>>>>>>> >>>>>>>> On Mon, Oct 13, 2014 at 11:21 AM, David Masters >>>>>>>> <[email protected]> wrote: >>>>>>>> > 2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly >>>>>>>> formated message >>>>>>>> > from 'any'. >>>>>>>> > 2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.21'. >>>>>>>> >>>>>>>> Try readding the key to one of these agents manually (not one of >>>>>>>> the >>>>>>>> "any" agents, but the ones with the IP address specifically). >>>>>>>> >>>>>>>> > 2014/10/13 10:19:16 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.20'. >>>>>>>> > 2014/10/13 10:19:16 ossec-remoted(1403): ERROR: Incorrectly >>>>>>>> formated message >>>>>>>> > from 'any'. >>>>>>>> > 2014/10/13 10:19:17 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.21'. >>>>>>>> > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.20'. >>>>>>>> > 2014/10/13 10:19:22 ossec-remoted(1403): ERROR: Incorrectly >>>>>>>> formated message >>>>>>>> > from 'any'. >>>>>>>> > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.21'. >>>>>>>> > 2014/10/13 10:19:28 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.107.21'. >>>>>>>> > 2014/10/13 10:19:54 ossec-remoted(1408): ERROR: Invalid ID for >>>>>>>> the source >>>>>>>> > ip: '10.50.111.64'. >>>>>>>> > >>>>>>>> > On Monday, October 13, 2014 7:52:05 AM UTC-5, >>>>>>>> [email protected] >>>>>>>> > wrote: >>>>>>>> >> >>>>>>>> >> Assuming agent key and IP are distinct for each server, please >>>>>>>> put the >>>>>>>> >> ossec-control into debug on the server and look for errors such >>>>>>>> as "not >>>>>>>> >> allowed" and so forth >>>>>>>> >> >>>>>>>> >> On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin >>>>>>>> wrote: >>>>>>>> >>> >>>>>>>> >>> On Sun, 12 Oct 2014, David Masters wrote: >>>>>>>> >>> >>>>>>>> >>> > Ok...here is the log file from a freshly installed agent >>>>>>>> (shutdown >>>>>>>> >>> > ossec >>>>>>>> >>> > server, removed all rid files, no rid files on agent system, >>>>>>>> manually >>>>>>>> >>> > entererd key and server address): >>>>>>>> >>> >>>>>>>> >>> > This is the log file from same machine after pushing out key >>>>>>>> >>> > file/ossec.conf file and deleting rid files (no change to any >>>>>>>> other >>>>>>>> >>> > part of >>>>>>>> >>> > the machine or configuration): >>>>>>>> >>> >>>>>>>> >>> > Verified all information in both files was exactly the same >>>>>>>> as before >>>>>>>> >>> > and >>>>>>>> >>> > files in rids directory were deleted before service was >>>>>>>> restarted. >>>>>>>> >>> >>>>>>>> >>> > Any ideas? >>>>>>>> >>> >>>>>>>> >>> Did you remove the corresponding rids file on the server? >>>>>>>> >>> >>>>>>>> >>> Antonio Querubin >>>>>>>> >>> e-mail: [email protected] >>>>>>>> >>> xmpp: [email protected] >>>>>>>> > >>>>>>>> > -- >>>>>>>> > >>>>>>>> > --- >>>>>>>> > You received this message because you are subscribed to the >>>>>>>> Google Groups >>>>>>>> > "ossec-list" group. >>>>>>>> > To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an >>>>>>>> > email to [email protected]. >>>>>>>> > For more options, visit https://groups.google.com/d/optout. >>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>>> --- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "ossec-list" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>>>> >>>>>>> -- >>>>> >>>>> --- >>>>> You received this message because you are subscribed to a topic in the >>>>> Google Groups "ossec-list" group. >>>>> To unsubscribe from this topic, visit https://groups.google.com/d/to >>>>> pic/ossec-list/Zmfag8ajU3s/unsubscribe. >>>>> To unsubscribe from this group and all its topics, send an email to >>>>> [email protected]. >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>>> -- >>> >>> --- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "ossec-list" group. >>> To unsubscribe from this topic, visit https://groups.google.com/d/ >>> topic/ossec-list/Zmfag8ajU3s/unsubscribe. >>> To unsubscribe from this group and all its topics, send an email to >>> [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/Zmfag8ajU3s/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
