Hey, I was wondering how you got the OSSEC agent to work on the rpi; is there a 
guide to this? I am trying to get the agent on my rpi2 model to work. Any help 
would be great. 

Cheers :)

On Thursday, October 15, 2015 at 9:50:38 AM UTC-4, Jedi Meister wrote:
>
> So,
>
> I rebuilt the server with the SAME tar.gz file and restarted it.
>
> Now I receive the alerts from the clients.
>
> ** Alert 1444916936.103875: - syslog,sshd,authentication_failed,
> 2015 Oct 15 15:48:56 (hal) 78.46.76.44->/var/log/auth.log
> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
> Src IP: 80.87.168.98
> User: itsolutions
> Oct 15 15:48:55 hal sshd[21772]: Failed password for foobar from 80.87.168.98 port 55976 ssh2
>
>
> VERY Strange. But anyway, it works now. 
>
> Thanks for the help!!
>
> On Thursday, October 15, 2015 15:44:39 UTC+2, Jedi Meister wrote:
>>
>> Sorry, 
>>
>> You didn't give us much to go on. Did you create a new key for this 
>> agent? 
>> Yes, new keys were generated on the Raspberry for the agents
>>
>>
>> Did you install it? 
>> I used the install.sh method of the installation tar.gz
>>
>>
>> Did you restart the OSSEC processes after adding the key? 
>> Yes, restart of ossec and restart of the system
>>
>> Are you sure there's no firewall on the OSSEC manager blocking the 
>> traffic?
>> Correct, iptables is flushed; the firewall before let the OSSEC 
>> communication pass (as I receive the data with the same rule on the old 
>> system)
>>
>> Are there any logs from the manager's ossec.log file that might hint 
>> at the problem? 
>>
>> No, there is no indication. I included the full log:
>>
>> 2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
>> 2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
>> 2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
>> 2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Total rules enabled: '1310'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '10.23.23.123'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: 2 IPs in the white list for active response.
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Started (pid: 5595).
>> 2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: '7:3538'.
>> 2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
>> 2015/10/15 15:42:19 ossec-monitord: INFO: Started (pid: 5614).
>> 2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>> 2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Started (pid: 5610).
>> 2015/10/15 15:42:23 ossec-rootcheck: INFO: Started (pid: 5610).
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring output of command(360): df -h
>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Started (pid: 5599).
>>
>>
>>
>>
>> On Thursday, October 15, 2015 14:52:51 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, Oct 15, 2015 at 8:49 AM, Jedi Meister <foob...@gmail.com> wrote: 
>>> > Hi, 
>>> > 
>>> > I'm currently migrating OSSEC from Ubuntu 14.04 (x64) to a Raspberry Pi2 
>>> > running Ubuntu 14.04 (arm). As there is no binary build, I built 
>>> > everything from source. I copied over the running config from the Ubuntu 
>>> > host to the Raspberry. 
>>> > 
>>> > When I start OSSEC, agents cannot connect to OSSEC. 
>>> > 
>>> > I searched the list and found something similar at: 
>>> > https://www.mail-archive.com/ossec-list@googlegroups.com/msg09198.html 
>>> > 
>>> > There was the case that the agents could not connect to the Red Hat 
>>> > system but could to a CentOS system in the same network. 
>>> > 
>>> > It's the same here. Firewall is open and agents send data: 
>>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
>>> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 
>>> > 
>>> > 14:46:42.590610 IP static.xx.xx.xx.xx > 10.23.23.2.1514: UDP, length 441 
>>> > 
>>> > 
>>> > Log files: 
>>> > 2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'. 
>>> > 2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file. 
>>> > 2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534). 
>>> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue) 
>>> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue) 
>>> > 2015/10/15 14:29:42 ossec-syscheckd: INFO: Started (pid: 32527). 
>>> > 2015/10/15 14:29:42 ossec-rootcheck: INFO: Started (pid: 32527). 
>>> > 
>>> > Any ideas what could be the cause of the server not accepting connections? 
>>> > The same setup, same config is running fine on the intel ubuntu. 
>>> > 
>>>
>>> You didn't give us much to go on. Did you create a new key for this 
>>> agent? 
>>> Did you install it? 
>>> Did you restart the OSSEC processes after adding the key? 
>>> Are you sure there's no firewall on the OSSEC manager blocking the 
>>> traffic? 
>>> Are there any logs from the manager's ossec.log file that might hint 
>>> at the problem? 
>>>
>>> > Brgs 
>>> > Daniel 
>>> > 
>>> > -- 
>>> > 
>>> > --- 
>>> > You received this message because you are subscribed to the Google 
>>> Groups 
>>> > "ossec-list" group. 
>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>> an 
>>> > email to ossec-list+...@googlegroups.com. 
>>> > For more options, visit https://groups.google.com/d/optout. 
>>>
>>

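An added example, not code from the posters in this thread or from the OSSEC project, that turns dan's last question (what does the manager's ossec.log say?) and the original poster's tcpdump check into a small log checker. The sample log and tcpdump lines are the ones pasted in the thread with the e-mail line wrapping undone; the function names, the returned field names and the verdict wording are this example's own. The verdict is a heuristic taken from the two logs above: the rebuilt manager that accepted agents logged "Assigning counter for agent hal" right after "Reading authentication keys file.", while the failing excerpt showed the keys-file line with no agent counter after it.

```python
"""Check OSSEC manager start-up log lines for loaded agent keys, and count
agent UDP packets in tcpdump output. Example code for the ossec-list thread
above; not OSSEC project code. Field names and verdicts are this example's own."""
import re

# ossec.log line shape: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
AGENT_COUNTER_RE = re.compile(
    r"Assigning counter for agent (?P<name>\S+): '(?P<counter>\d+:\d+)'"
)
# tcpdump line shape: "HH:MM:SS.usec IP src > dst.port: UDP, length N"
TCPDUMP_UDP_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+)\.(?P<port>\d+): UDP, length (?P<len>\d+)"
)

# Excerpt the original poster pasted from the manager that would not accept agents.
FAILING_LOG = """\
2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534).
2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2015/10/15 14:29:42 ossec-syscheckd: INFO: Started (pid: 32527).
""".splitlines()

# Excerpt from the rebuilt manager that did accept the agent "hal".
WORKING_LOG = """\
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: '7:3538'.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
2015/10/15 15:42:19 ossec-monitord: INFO: Started (pid: 5614).
""".splitlines()

# The tcpdump line from the thread (the poster had already masked the source host).
TCPDUMP_LINES = [
    "14:46:42.590610 IP static.xx.xx.xx.xx > 10.23.23.2.1514: UDP, length 441",
]


def parse_log_line(line):
    """Split one ossec.log line into its fields; None if the line does not match."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose_keys(lines):
    """Summarise what ossec-remoted logged about client keys at start-up."""
    result = {"keys_file_read": False, "agents": [], "sender_counter": False}
    for raw in lines:
        rec = parse_log_line(raw)
        if rec is None or rec["daemon"] != "ossec-remoted":
            continue
        msg = rec["msg"]
        if msg.startswith("Reading authentication keys file"):
            result["keys_file_read"] = True
        elif msg.startswith("Assigning sender counter"):
            result["sender_counter"] = True
        else:
            m = AGENT_COUNTER_RE.search(msg)
            if m:
                result["agents"].append(m.group("name"))
    # Heuristic from the thread's two logs: a keys-file line with no agent
    # counter after it is the state the failing manager was in.
    if result["agents"]:
        result["verdict"] = "agent keys loaded: " + ", ".join(result["agents"])
    elif result["keys_file_read"]:
        result["verdict"] = ("keys file read but no agent counter assigned; "
                             "check client.keys on the manager and restart OSSEC")
    else:
        result["verdict"] = "no remoted key-loading lines in this excerpt"
    return result


def udp_packets_to_port(tcpdump_lines, port):
    """Count tcpdump UDP lines addressed to `port`: is agent traffic arriving at all?"""
    count = 0
    for line in tcpdump_lines:
        m = TCPDUMP_UDP_RE.search(line)
        if m and int(m.group("port")) == port:
            count += 1
    return count


if __name__ == "__main__":
    print("failing manager:", diagnose_keys(FAILING_LOG)["verdict"])
    print("working manager:", diagnose_keys(WORKING_LOG)["verdict"])
    print("UDP packets seen on 1514:", udp_packets_to_port(TCPDUMP_LINES, 1514))
```

Run against a real manager with `diagnose_keys(open('/var/ossec/logs/ossec.log'))`; a packet count above zero together with the "no agent counter" verdict points at the key step of dan's checklist rather than at the network or the firewall.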