how I learned to embrace this page 
[http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html] and the 
magic of tcpdump....
now I'm trying to prove the firewall colleague wrong and that he has to 
take a closer look in order to troubleshoot this...

according to the tcpdump on the agent: the agent is trying to send 
something to the master.... it is sending something (I even looked at it in 
wireshark....) but the information is pretty 'empty'... it doesn't really 
say much.
according to the tcpdump on the master: NOTHING is received, 0 
bytes...nada! hence the request must be lost somewhere on the way....

and I've also run a tcpdump on the master listening for an agent within 
the same network segment (the same VLAN) so there is definitely no firewall 
in between. and of course I see traffic there....lots of traffic.
it's no surprise to me, because according to the ossec.log this agent has 
successfully connected to the master....

but somehow I needed to present some facts to the firewall 
colleague...after all facts don't lie, and neither does the DOCS page :)

a thousand thanks to whoever wrote that page!! :)

On Monday, 28 September 2015 14:38:19 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Sep 28, 2015 at 2:46 AM, theresa mic-snare 
> <rockpr...@gmail.com> wrote: 
> > hi guys, 
> > 
> > I have a problem with the agentd not being able to connect to the ossec 
> > master on a couple of machines (Linux and Solaris) 
> > 
> > 2015/09/28 08:34:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'. 
> > 2015/09/28 08:34:28 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514). 
> > 2015/09/28 08:34:28 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 . 
> > 2015/09/28 08:34:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'. 
> > 2015/09/28 08:35:09 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514). 
> > 2015/09/28 08:35:09 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 . 
> > 2015/09/28 08:35:11 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 
> > 2015/09/28 08:35:11 ossec-syscheckd: WARN: Process locked. Waiting for permission... 
> > 2015/09/28 08:35:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'. 
> > 
> > the following processes are running on the agent: 
> >     root 25538     1   0 08:34:05 ?           0:00 
> > /var/ossec/bin/ossec-logcollector 
> >     root 25530     1   0 08:34:05 ?           0:00 
> > /var/ossec/bin/ossec-execd 
> >     root 25542     1   0 08:34:05 ?           0:00 
> > /var/ossec/bin/ossec-syscheckd 
> >    ossec 25534     1   0 08:34:05 ?           0:00 
> > /var/ossec/bin/ossec-agentd 
> > 
> > 
> > the master is not "actively" blocking the requests, e.g. by iptables or 
> > the like. 
> > for the master I'm using the ossec virtual appliance by the way. 
> > 
> > I have one agent successfully connected, which is in the same VLAN as 
> > the master. 
> > 
> > I talked to my colleague who's managing the firewall, he said he doesn't 
> > see any drops.... 
> > 
> > do you have any ideas what could be causing the unsuccessful attempts?! 
> > 
>
> Set the manager to debug mode (/var/ossec/bin/ossec-control enable 
> debug), restart the processes, and look at the ossec.log for errors. 
> Make sure the agent's IP address that was entered into manage_agents 
> is where the packets appear to be coming from (no NAT in between). 
> I guess make sure the packets are making it to the manager. 
>
>
> > thanks, 
> > theresa 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
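The checks dan describes (look at the agent's ossec.log, confirm the packets reach the manager, and confirm the source address matches the one entered in manage_agents with no NAT in between) can be scripted. The following Python is an added example written for this thread, not code from the thread or from the OSSEC project. The agent log lines, the manager-side capture lines (in the shape `tcpdump -n udp port 1514` prints) and the `client.keys` entries are all constructed; the "Connected to the server (ip:port)" wording for a successful connection is taken from memory of ossec-agentd and is an assumption. The manager address 1.2.3.4 is the one from the thread.

```python
"""Correlate an agent's ossec.log, a manager-side tcpdump capture and the
manager's client.keys to locate where agent-to-manager traffic is lost."""
import ipaddress
import re
from collections import defaultdict

# Constructed agent-side ossec.log lines, in the shape ossec-agentd writes them.
AGENT_LOG = """\
2015/09/28 08:34:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
2015/09/28 08:34:28 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
2015/09/28 08:34:28 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
2015/09/28 08:34:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
2015/09/28 08:35:09 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
2015/09/28 08:35:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
"""

# Constructed manager-side capture (shape of `tcpdump -n udp port 1514` output).
# 10.0.0.5 is the agent in the manager's VLAN and gets a reply; 192.0.2.9 is a
# NAT address that is not what was registered; 10.0.1.7 never shows up at all.
MANAGER_CAPTURE = """\
08:34:28.101 IP 10.0.0.5.40001 > 1.2.3.4.1514: UDP, length 96
08:34:28.102 IP 1.2.3.4.1514 > 10.0.0.5.40001: UDP, length 80
08:34:30.555 IP 192.0.2.9.40002 > 1.2.3.4.1514: UDP, length 96
"""

# Constructed client.keys content: "<id> <name> <ip|cidr|any> <key>".
CLIENT_KEYS = """\
001 lan-agent 10.0.0.5 0123456789abcdef
002 remote-agent 10.0.1.7 fedcba9876543210
003 dmz-agent 10.0.2.0/24 00112233445566778899
"""

AGENT_LOG_RE = re.compile(r"^\S+ \S+ ossec-agentd(?:\(\d+\))?: (?P<level>\w+): (?P<msg>.*)$")
CLIENT_KEYS_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+$")
TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
UNREGISTERED = "unregistered"


def summarize_agent_log(text):
    """Per manager address: connection attempts, unanswered waits, successful connects."""
    stats = defaultdict(lambda: {"attempts": 0, "no_reply": 0, "connected": 0})
    for line in text.splitlines():
        m = AGENT_LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if t := re.search(r"Trying to connect to server \(([^:]+):\d+\)", msg):
            stats[t.group(1)]["attempts"] += 1
        elif w := re.search(r"Waiting for server reply.*Tried: '([^']+)'", msg):
            stats[w.group(1)]["no_reply"] += 1
        elif c := re.search(r"Connected to the server \(([^:]+):\d+\)", msg):  # assumed wording
            stats[c.group(1)]["connected"] += 1
    return dict(stats)


def load_client_keys(text):
    """Return (id, name, network-or-None) per registered agent; None means 'any'."""
    agents = []
    for line in text.splitlines():
        m = CLIENT_KEYS_RE.match(line)
        if not m:
            continue
        aid, name, addr = m.groups()
        net = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
        agents.append((aid, name, net))
    return agents


def classify_capture(capture, agents, manager_ip, port=1514):
    """Map each source IP that reached the manager's port to the registered agent it
    matches; a source that matches nothing is where NAT or a missing entry shows up."""
    seen = {}
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dst != manager_ip or dport != port:
            continue  # skip replies from the manager and unrelated traffic
        ip = ipaddress.ip_address(src)
        name = next((n for _, n, net in agents if net is None or ip in net), None)
        seen[src] = name or UNREGISTERED
    return seen


def missing_agents(agents, seen):
    """Registered agents whose address never appeared as a source: the datagrams
    left the agent (its log says so) but were dropped before the manager."""
    return [n for _, n, net in agents
            if net is not None and not any(ipaddress.ip_address(s) in net for s in seen)]


if __name__ == "__main__":
    print("agent log:", summarize_agent_log(AGENT_LOG))
    regs = load_client_keys(CLIENT_KEYS)
    arrived = classify_capture(MANAGER_CAPTURE, regs, "1.2.3.4")
    print("sources at manager:", arrived)
    print("never reached manager:", missing_agents(regs, arrived))
```

Running it against the constructed data reports three unanswered waits and no successful connect for 1.2.3.4 on the agent side, one registered source and one unregistered source at the manager, and two registered agents that never appear in the capture; the unregistered source is the case where the address in manage_agents does not match what the manager sees, and the absent ones are the case the thread ends up in, where the packets are lost in transit.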
