Dan,
trying to add the agent I get this:

***************************************
* OSSEC HIDS v3.3.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): <key from server>

Agent information:
   ID:002
   Name:tcpdiag
   IP Address:10.10.10.29

Confirm adding it?(y/n): y
*Not Adding.*

Also, when does the agent get added to the database? If it's done on the server the manage_agents is not working!

jerry

On Wed, Oct 2, 2019 at 4:55 PM dan (ddp) <ddp...@gmail.com> wrote:

> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry <michaiah2...@gmail.com> wrote:
> >
> > Well, I have the agent running and the server running but they are not talking. From the agent log file :
> > Started ossec-agentd...
> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
> > Started ossec-logcollector...
>
> Start removing configurations from the agent.conf until you find the right one.
>
> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 10.10.10.108, port 1514.
> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 10.10.10.108, port 1514
> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.108'.
> >
> > I get this message but it does not say what the error is?
> >
> > How do they communicate?
> >
>
> UDP port 1514. This needs to be not blocked by iptables on the server side.
>
> > From the server log file:
> >
> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. at address 199.193.205.130, port 25
> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by server - 'jlo...@edt.com'.
> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to west.smtp.exch083.serverdata.net. (smtp server)
> >
> > How can you specify the smtp port and connection security?
> >
>
> ossec-maild doesn't do tls, auth, or custom ports. I usually use the local mail server to relay the emails.
>
> > thanks
> >
> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry <michaiah2...@gmail.com> wrote:
> >>
> >> Dan,
> >> I have noticed that when the application is started and there are errors like :
> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 'format': sms.
> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 'ossec'.
> >>
> >> When you stop ossec it does NOT kill the ossec-dbd process. Also, the book specifies the use of 'format' sms for email alerts but it says it's an invalid value.
> >>
> >> jerry
> >>
> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry <michaiah2...@gmail.com> wrote:
> >>>
> >>> thanks Dan!
> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and running. This is my test VM where I installed MariaDB. I will add an agent to it and see if it has the same problem as my physical server.
> >>>
> >>> jerry
> >>>
> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp) <ddp...@gmail.com> wrote:
> >>>>
> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry <michaiah2...@gmail.com> wrote:
> >>>> >
> >>>> > List,
> >>>> >
> >>>> > I just installed a test VM running CentOS 7 and installed ossec 3.3.0. Ran through the script and took all the default questions except for the email. When I try to start ossec these are the errors I get in the log:
> >>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
> >>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
> >>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
> >>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> >>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
> >>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
> >>>> > I have not touched any of the rules or configuration files as they were set up based on the question in the installation script.
> >>>> >
> >>>> > So, what am I missing? Shouldn't this run with a default install?
> >>>> >
> >>>>
> >>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
> >>>> didn't disable JIT on a system that didn't support the JIT.
> >>>>
> >>>> > jerry
> >>>> >
> >>>> > ps....no errors during the installation/compilation

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAKP%3DcB5NpZbQgYxM2S6a0FWP06WUa_SyCp0m94PbaARhbN8qKw%40mail.gmail.com.
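
Added example (not part of the original thread and not OSSEC project code): a Python triage pass over the log lines quoted in this thread that folds repeated errors, correlates neighbouring lines, and attaches the advice given in the replies. The names SAMPLE, LINE, ADVICE, parse and triage are assumptions made for illustration.

```python
import re
# Log lines copied from the thread (agent, server and analysisd excerpts).
SAMPLE = """\
2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 10.10.10.108, port 1514
2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.10.108'.
2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to west.smtp.exch083.serverdata.net. (smtp server)
019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_unix)$': 9.
"""
LINE = re.compile(
    r"^(?P<ts>\d{3,4}/\d\d/\d\d \d\d:\d\d:\d\d) "  # 3-digit year: truncated paste, as in the thread
    r"(?:(?P<daemon>(?!(?:INFO|WARN|ERROR):)[\w-]+)(?:\((?P<code>\d+)\))?: )?"
    r"(?:(?P<level>INFO|WARN|ERROR): )?(?P<msg>.*)$")
# Advice as given in the thread, keyed by the numeric code in the log line.
ADVICE = {
    "1202": "remove configurations from agent.conf until it loads",
    "1218": "agent/server traffic is UDP 1514; check iptables on the server",
    "1223": "ossec-maild has no TLS, auth or custom ports; relay via a local mail server",
    "1450": "possible pcre2 JIT issue; the thread's fix was a rebuild with --enable-jit=no",
}

def parse(text):
    """Yield one dict per recognisable OSSEC log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text):
    """Return {code: finding}, folding repeats and correlating neighbouring lines."""
    findings, prev = {}, None
    for ev in parse(text):
        code = ev["code"]
        if code in ADVICE:
            f = findings.setdefault(code, {"daemon": ev["daemon"], "count": 0,
                                           "advice": ADVICE[code], "context": []})
            f["count"] += 1
            # Config error directly after the remote-command notice from the same daemon.
            if (code == "1202" and prev and prev["daemon"] == ev["daemon"]
                    and "Remote commands are not accepted" in prev["msg"]):
                f["context"].append("follows remote-command notice")
        elif code == "4101" and "1218" in findings:
            # Send failures, then "waiting for server reply": keep the address tried.
            findings["1218"]["context"] += re.findall(r"Tried: '([^']+)'", ev["msg"])
        prev = ev
    return findings
```

Calling triage() on a real ossec.log gives one entry per error code with its repeat count, which keeps a restart loop like the four identical 1450/1202 pairs in the thread from burying the other findings.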