Sorry, 

You didn't give us much to go on. Did you create a new key for this agent? 
Yes, new keys were generated on the Raspberry for the agents


Did you install it? 
I used the install.sh method of the installation tar.gz


Did you restart the OSSEC processes after adding the key? 
Yes, restart of ossec and restart of the system

Are you sure there's no firewall on the OSSEC manager blocking the traffic?
Correct, iptables is flushed, the firewall before it lets the ossec 
communication pass (as I receive the data with the same rule on the old 
system)

Are there any logs from the manager's ossec.log file that might hint 
at the problem? 

No, there is no indication. I included the full log:

2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ms-exchange_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'racoon_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'vpn_concentrator_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'spamd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'msauth_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'mcafee_av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'trend-osce_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ms-se_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'zeus_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'solaris_bsm_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'vmware_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ms_dhcp_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'asterisk_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'ossec_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'attack_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'openbsd_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'clam_av_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'dropbear_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 
'local_rules.xml'
2015/10/15 15:42:18 ossec-analysisd: INFO: Total rules enabled: '1310'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'/etc/mail/statistics'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'/etc/svc/volatile'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/System32/LogFiles'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/WindowsUpdate.log'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/iis6.log'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/wbem/Logs'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/wbem/Repository'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/Prefetch'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/SoftwareDistribution'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/config'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/spool'
2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/CatRoot'
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '10.23.23.123'
2015/10/15 15:42:18 ossec-analysisd: INFO: 2 IPs in the white list for 
active response.
2015/10/15 15:42:18 ossec-analysisd: INFO: White listing Hostname: 
'localhost.localdomain'
2015/10/15 15:42:18 ossec-analysisd: INFO: 1 Hostname(s) in the white list 
for active response.
2015/10/15 15:42:18 ossec-analysisd: INFO: Started (pid: 5595).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents 
allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys 
file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: 
'7:3538'.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
2015/10/15 15:42:19 ossec-monitord: INFO: Started (pid: 5614).
2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' 
(active-response queue)
2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to 
'/queue/alerts/execq' (exec queue)
2015/10/15 15:42:23 ossec-syscheckd: INFO: Started (pid: 5610).
2015/10/15 15:42:23 ossec-rootcheck: INFO: Started (pid: 5610).
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/auth.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/syslog'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/dpkg.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/apache2/error.log'.
2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/apache2/access.log'.
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring output of 
command(360): df -h
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of 
command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of 
command(360): last -n 5
2015/10/15 15:42:24 ossec-logcollector: INFO: Started (pid: 5599).




On Thursday, 15 October 2015 14:52:51 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Oct 15, 2015 at 8:49 AM, Jedi Meister <foob...@gmail.com> wrote:
> > Hi,
> >
> > I'm currently migrating OSSEC from Ubuntu 14.04 (x64) to a Raspberry Pi2
> > running Ubuntu 14.04 (arm). As there is no binary build, I build up
> > everything from the source. I copy over the running config from the Ubuntu
> > host to the Raspberry.
> >
> > When I start OSSEC, agents cannot connect to OSSEC.
> >
> > I searched the list and found something similar at:
> > https://www.mail-archive.com/ossec-list@googlegroups.com/msg09198.html
> >
> > There was the case that the agents cannot connect to the Red Hat system but
> > to a CentOS system in the same network.
> >
> > It's the same here. Firewall is open and agents send data:
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> >
> > 14:46:42.590610 IP static.xx.xx.xx.xx > 10.23.23.2.1514: UDP, length 441
> >
> >
> > Log files:
> > 2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> > 2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file.
> > 2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534).
> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> > 2015/10/15 14:29:42 ossec-syscheckd: INFO: Started (pid: 32527).
> > 2015/10/15 14:29:42 ossec-rootcheck: INFO: Started (pid: 32527).
> >
> > Any ideas what could be the cause of the server not accepting connections?
> > The same setup, same config is running fine on the Intel Ubuntu.
> >
> > 
>
> You didn't give us much to go on. Did you create a new key for this agent? 
> Did you install it? 
> Did you restart the OSSEC processes after adding the key? 
> Are you sure there's no firewall on the OSSEC manager blocking the 
> traffic? 
> Are there any logs from the manager's ossec.log file that might hint 
> at the problem? 
>
> > Brgs 
> > Daniel 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
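
Added example, not part of the original thread: one way to triage a manager ossec.log like the one pasted above. It rejoins the mail-wrapped lines, then lists which daemons started, which agents ossec-remoted assigned counters to, and every entry that is not INFO. The function names are hypothetical and the sample log is constructed in the format shown in the message.

```python
import re

# Constructed sample in the format of the log quoted in the message,
# including hard-wrapped continuation lines and one made-up ERROR line.
SAMPLE_LOG = """\
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents
allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys
file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal:
'7:3538'.
2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/ar'
(active-response queue)
2015/10/15 15:42:23 ossec-syscheckd: ERROR: constructed non-INFO line.
"""

TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"^(\S+ \S+) (ossec-[\w-]+)(?:\((\d+)\))?: (\w+): (.*)$")
COUNTER = re.compile(r"Assigning counter for agent (\S+): '([^']+)'")

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the entry before."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Return (daemons started, agent -> counter, entries needing a look)."""
    started, agents, problems = set(), {}, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m or m.group(4) != "INFO":
            problems.append(entry)      # unparsable or non-INFO entry
            continue
        daemon, msg = m.group(2), m.group(5)
        if msg.startswith("Started"):
            started.add(daemon)
        elif daemon == "ossec-remoted" and COUNTER.match(msg):
            name, counter = COUNTER.match(msg).groups()
            agents[name] = counter
    return started, agents, problems

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
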
