Hello Shaharyar,

Compiling from source works just fine.

Jan

On Sun, Feb 7, 2016 at 6:39 PM, Shaharyar Chaudhry <c.shahar...@gmail.com>
wrote:

> Hey, I was wondering how you got the OSSEC agent to work on the rpi. Is there
> a guide to this? I am trying to get the agent on my rpi2 model to work. Any
> help would be great.
>
> Cheers :)
>
>
> On Thursday, October 15, 2015 at 9:50:38 AM UTC-4, Jedi Meister wrote:
>>
>> So,
>>
>> I rebuilt the server with the SAME tar.gz file and restarted it.
>>
>> Now I receive the alerts from the clients.
>>
>> ** Alert 1444916936.103875: - syslog,sshd,authentication_failed,
>> 2015 Oct 15 15:48:56 (hal) 78.46.76.44->/var/log/auth.log
>> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
>> Src IP: 80.87.168.98
>> User: itsolutions
>> Oct 15 15:48:55 hal sshd[21772]: Failed password for foobar from 80.87.168.98 port 55976 ssh2
>>
>>
>> VERY Strange. But anyway, it works now.
>>
>> Thanks for the help!!
>>
>> On Thursday, 15 October 2015 15:44:39 UTC+2, Jedi Meister wrote:
>>>
>>> Sorry,
>>>
>>> You didn't give us much to go on. Did you create a new key for this
>>> agent?
>>> Yes, new keys were generated on the Raspberry for the agents
>>>
>>>
>>> Did you install it?
>>> I used the install.sh method of the installation tar.gz
>>>
>>>
>>> Did you restart the OSSEC processes after adding the key?
>>> Yes, restart of OSSEC and restart of the system
>>>
>>> Are you sure there's no firewall on the OSSEC manager blocking the
>>> traffic?
>>> Correct, iptables is flushed; the firewall before let the OSSEC
>>> communication pass (as I receive the data with the same rule on the old
>>> system)
>>>
>>> Are there any logs from the manager's ossec.log file that might hint
>>> at the problem?
>>>
>>> No, there is no indication. I included the full log:
>>>
>>> 2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
>>> 2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
>>> 2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'rules_config.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pam_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'sshd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'telnetd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'syslog_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'arpwatch_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'symantec-av_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'symantec-ws_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pix_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'named_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'smbd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vsftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pure-ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'proftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ms_ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'hordeimp_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'roundcube_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'wordpress_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'cimserver_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vpopmail_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vmpop3d_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'courier_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'web_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'web_appsec_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'apache_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'nginx_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'php_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'mysql_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'postgresql_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ids_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'squid_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'firewall_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'cisco-ios_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'netscreenfw_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'sonicwall_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'postfix_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'sendmail_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'imapd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'mailscanner_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'dovecot_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ms-exchange_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'racoon_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vpn_concentrator_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'spamd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'msauth_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'mcafee_av_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'trend-osce_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ms-se_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'zeus_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'solaris_bsm_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vmware_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ms_dhcp_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'asterisk_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ossec_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'attack_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'openbsd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'clam_av_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'dropbear_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'local_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Total rules enabled: '1310'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/hosts.deny'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/mail/statistics'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/random-seed'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/httpd/logs'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/cups/certs'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/dumpdates'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> '/etc/svc/volatile'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/System32/LogFiles'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/Debug'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/WindowsUpdate.log'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/iis6.log'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/system32/wbem/Logs'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/system32/wbem/Repository'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/Prefetch'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/SoftwareDistribution'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/Temp'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/system32/config'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/system32/spool'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Ignoring file:
>>> 'C:\WINDOWS/system32/CatRoot'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing IP:
>>> '10.23.23.123'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: 2 IPs in the white list for
>>> active response.
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: White listing Hostname:
>>> 'localhost.localdomain'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: 1 Hostname(s) in the white
>>> list for active response.
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Started (pid: 5595).
>>> 2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents
>>> allowed: '256'.
>>> 2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication
>>> keys file.
>>> 2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent
>>> hal: '7:3538'.
>>> 2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
>>> 2015/10/15 15:42:19 ossec-monitord: INFO: Started (pid: 5614).
>>> 2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to
>>> '/queue/alerts/ar' (active-response queue)
>>> 2015/10/15 15:42:21 ossec-analysisd: INFO: Connected to
>>> '/queue/alerts/execq' (exec queue)
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Started (pid: 5610).
>>> 2015/10/15 15:42:23 ossec-rootcheck: INFO: Started (pid: 5610).
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory:
>>> '/usr/bin'.
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory:
>>> '/usr/sbin'.
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>>> 2015/10/15 15:42:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/log/auth.log'.
>>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/log/syslog'.
>>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/log/dpkg.log'.
>>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/log/apache2/error.log'.
>>> 2015/10/15 15:42:24 ossec-logcollector(1950): INFO: Analyzing file:
>>> '/var/log/apache2/access.log'.
>>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring output of
>>> command(360): df -h
>>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of
>>> command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Monitoring full output of
>>> command(360): last -n 5
>>> 2015/10/15 15:42:24 ossec-logcollector: INFO: Started (pid: 5599).
>>>
>>>
>>>
>>>
>>> On Thursday, 15 October 2015 14:52:51 UTC+2, dan (ddpbsd) wrote:
>>>>
>>>> On Thu, Oct 15, 2015 at 8:49 AM, Jedi Meister <foob...@gmail.com>
>>>> wrote:
>>>> > Hi,
>>>> >
>>>> > I'm currently migrating OSSEC from Ubuntu 14.04 (x64) to a Raspberry Pi 2
>>>> > running Ubuntu 14.04 (arm). As there is no binary build, I built
>>>> > everything from source. I copied over the running config from the Ubuntu
>>>> > host to the Raspberry.
>>>> >
>>>> > When I start OSSEC, agents cannot connect to OSSEC.
>>>> >
>>>> > I searched the list and found something similar at:
>>>> > https://www.mail-archive.com/ossec-list@googlegroups.com/msg09198.html
>>>> >
>>>> > There was the case that the agents could not connect to the Red Hat
>>>> > system but to a CentOS system in the same network.
>>>> >
>>>> > It's the same here. Firewall is open and agents send data:
>>>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> >
>>>> > 14:46:42.590610 IP static.xx.xx.xx.xx > 10.23.23.2.1514: UDP, length 441
>>>> >
>>>> >
>>>> > Log files:
>>>> > 2015/10/15 14:29:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>>>> > 2015/10/15 14:29:38 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>> > 2015/10/15 14:29:38 ossec-monitord: INFO: Started (pid: 32534).
>>>> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>>>> > 2015/10/15 14:29:40 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>>>> > 2015/10/15 14:29:42 ossec-syscheckd: INFO: Started (pid: 32527).
>>>> > 2015/10/15 14:29:42 ossec-rootcheck: INFO: Started (pid: 32527).
>>>> >
>>>> > Any ideas what could be the cause of the server not accepting connections?
>>>> > The same setup, same config is running fine on the Intel Ubuntu.
>>>> >
>>>>
>>>> You didn't give us much to go on. Did you create a new key for this
>>>> agent?
>>>> Did you install it?
>>>> Did you restart the OSSEC processes after adding the key?
>>>> Are you sure there's no firewall on the OSSEC manager blocking the
>>>> traffic?
>>>> Are there any logs from the manager's ossec.log file that might hint
>>>> at the problem?
>>>>
>>>> > Brgs
>>>> > Daniel
>>>> >
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> Groups
>>>> > "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>> send an
>>>> > email to ossec-list+...@googlegroups.com.
>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>
>>> --
>

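A small triage parser for the manager's ossec.log format quoted in this thread, added here as an example (it is not code from the list or from the OSSEC project): it pulls out the ossec-remoted facts that dan's checklist asks about (keys file read, agents that got a counter, errors) so the failing and working logs can be compared side by side. The sample log is constructed from the thread's lines; its final ERROR line, including the code and wording, is an assumption and not from the page.

```python
import re
from typing import Dict, List, Optional

# One ossec.log line: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>INFO|WARN|ERROR|DEBUG): (?P<msg>.*)$"
)
COUNTER_RE = re.compile(r"Assigning counter for agent (?P<name>\S+): '(?P<ctr>[\d:]+)'\.")
MAX_AGENTS_RE = re.compile(r"Maximum number of agents allowed: '(?P<n>\d+)'\.")

# Constructed sample in the style of the working log quoted in the thread.
# The last line is a constructed placeholder for a remoted error; its code
# and wording are assumed, not taken from the thread.
SAMPLE_LOG = """\
2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
2015/10/15 15:42:19 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2015/10/15 15:42:19 ossec-remoted(1410): INFO: Reading authentication keys file.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning counter for agent hal: '7:3538'.
2015/10/15 15:42:19 ossec-remoted: INFO: Assigning sender counter: 0:102
2015/10/15 15:42:55 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.23.23.50'.
"""


def parse_ossec_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per well-formed line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage_remoted(text: str) -> Dict[str, object]:
    """Summarise what ossec-remoted reported, following the checklist in the thread."""
    remoted = [e for e in parse_ossec_log(text) if e["daemon"] == "ossec-remoted"]
    agents: List[str] = []
    max_agents: Optional[int] = None
    for e in remoted:
        m = MAX_AGENTS_RE.search(e["msg"])
        if m:
            max_agents = int(m.group("n"))
        m = COUNTER_RE.search(e["msg"])
        if m:
            agents.append(m.group("name"))  # agent for which a rids counter was loaded
    return {
        "remoted_started": any(e["msg"].startswith("Started") for e in remoted),
        "keys_file_read": any("Reading authentication keys file" in e["msg"] for e in remoted),
        "max_agents": max_agents,
        "agents_with_counters": agents,
        "errors": [e["msg"] for e in remoted if e["level"] in ("WARN", "ERROR")],
    }


def counters_missing(failing: str, working: str) -> List[str]:
    """Agents the working manager assigned counters for that the failing one did not."""
    ok = set(triage_remoted(working)["agents_with_counters"])
    bad = set(triage_remoted(failing)["agents_with_counters"])
    return sorted(ok - bad)
```

Run it over both logs from the thread: the working one yields an agent counter for hal, the failing excerpt yields none, which is the first difference to chase (keys file, restart after adding the key) before looking at the firewall.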