Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
I will try the process you suggest tomorrow. As for the rest: there are no duplicate IP's (all agents have been added with the "any" IP configuration) or ID's (all keys were deleted from the client.keys file (except 001) in order to prevent duplicates)(all rid's were deleted afterwards to make

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
The exact command I typed was: tcpdump -i eth1 host xxx.xxx.xxx.xxx port 1514 No other ethernet ports are active on the machine. Did I miss something when I typed it in? On Monday, October 13, 2014 7:43:23 PM UTC-5, Grant L wrote: > > I guessed at your eth interface > > the command is soun

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Michael Starks
On 10/13/2014 11:18 AM, David Masters wrote: > The whole purpose of this exercise is to not have to go to each > individual machine to input the key and configuration. We have over > 3000 machines so that really is just not feasible. If the key & server > is input manually when the software is in

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
I guessed at your eth interface the command is sound, I just don't know what your OS looks like SO tcpdump -i host and port 1514 -vvv Make sense? Grant Leonard Castra Consulting, LLC 919-949-4002 On Mon, Oct 13, 2014 at 8:32 PM, David Masters wrote: > clien

[ossec-list] Re: Windows agents not connecting to OSSEC server

2014-10-13 Thread Roy Feintuch
Just note that there is no magic here - it does not work because your automated way does not 100% replicate the manual way (how to add an agent / the client.keys / the ossec.conf / the agent installation...) My guess is that the key file is not created correctly - preventing the client-server to

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
client is installed on Win7 machine with admin credentials (logged in as domain admin and "ran as administrator" to install, group policy installation runs under system credentials before login). tcpdump gives me a : syntax error on each IP address I have tried it on. On Monday, October 13, 2

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
Do this for about 5 non communicating servers at random. On the OSSEC-SERVER run 'tcpdump -i eth0 host port 1514' see if the connection even makes it to the server Also, note that OSSEC has to be installed as local admin or domain admin, else UAC kind of kills the application. Grant Leonard C

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
All agents are using the "any" IP address now because our systems move subnets quite a bit depending on client load. Port 1514 is open because I can manually install the client on a machine and manually enter the information and the client will connect with the server. The same machine (with n

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
This is what we did last year Entered in the machines manually to the server to create the account/key on the ossec server once all of the machines were entered, we ran cat client.keys on the ossec server, which reads/prints out all the keys to the screen the session was being recorded to th

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread grant
David You wrote -- "The key files I am creating are being created directly from the spreadsheet" You are not creating the keys yourself are you? when you run manage-agents and add a new agent, a key gets put into client.keys, that key is associated with the hostname of the sending device and

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
I am acquiring the keys originally from the server (cat client.keys) then copying that information directly from the putty.log file into a spreadsheet. The key files I am creating are being created directly from the spreadsheet. I manually verify the information in the keys file before it is

RE: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread LostInTheTubez
Many people have created an automated deployment script successfully, so no need to worry there. How are you exporting the agent keys from the manager? More to the point, WHICH key are you using in your group policy script? If you really are using the same key that you would use in the GUI, as y

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
That is kind of how it works for Windows, my company wrote a tool that will deploy them automatically for you. On Oct 13, 2014 12:20 PM, "David Masters" wrote: > The whole purpose of this exercise is to not have to go to each individual > machine to input the key and configuration. We have over

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 12:18 PM, David Masters wrote: > The whole purpose of this exercise is to not have to go to each individual > machine to input the key and configuration. We have over 3000 machines so > that really is just not feasible. If the key & server is input manually My apologies,

Re: [ossec-list] check that a service is running

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 12:27 PM, wrote: > Hi, > > I've googled this a lot and looked through a lot of the group's posts but I > can find if there's a way to check that a given service is running. It would > be a service that has an init script. > > Is there a way to do this? > `/var/ossec/bin/o

[ossec-list] check that a service is running

2014-10-13 Thread felicity . ratcliffe
Hi, I've googled this a lot and looked through a lot of the group's posts but I can find if there's a way to check that a given service is running. It would be a service that has an init script. Is there a way to do this? Many thanks :) Felicity

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
The whole purpose of this exercise is to not have to go to each individual machine to input the key and configuration. We have over 3000 machines so that really is just not feasible. If the key & server is input manually when the software is installed it works fine. When the key file and conf

Re: [ossec-list] how do import rules into database for posegresql?

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 11:35 AM, wrote: > Yes, alerts are inserted into the database normally, but if I want to write a WUI for > OSSEC, I cannot acquire the rule description. > Then work on ossec-dbd first. :) > On Monday, October 13, 2014 at 8:11:47 PM UTC+8, dan (ddpbsd) wrote: >> >> On Mon, Oct 13, 2014 at 5:02 AM, wrote: >> >

Re: [ossec-list] how do import rules into database for posegresql?

2014-10-13 Thread root
Yes, alerts are inserted into the database normally, but if I want to write a WUI for OSSEC, I cannot acquire the rule description. On Monday, October 13, 2014 at 8:11:47 PM UTC+8, dan (ddpbsd) wrote: > > On Mon, Oct 13, 2014 at 5:02 AM, > wrote: > > > > Hi, all > > > > > > I use a PostgreSQL database for OSSEC, but I look the

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 11:21 AM, David Masters wrote: > 2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated message > from 'any'. > 2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the source > ip: '10.50.107.21'. Try readding the key to one of these agents manuall

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
Yes, each agent key is unique, appears to be coming from the correct ip address. Error message from log: 2014/10/13 10:15:56 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. 2014/10/13 10:16:02 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. 2014/10/13 10

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
No "not allowed" messages. Saw it run through a debug scan. Only error messages coming up are: 2014/10/13 10:15:56 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. 2014/10/13 10:16:02 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. 2014/10/13 10:16:06 o

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'. 2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '10.50.107.21'. 2014/10/13 10:19:16 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '10.50.107.20'. 2014/10/13 10:19:16

Re: [ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 10:50 AM, wrote: > Goodness, I'm nowhere near clued up enough to suggest how to improve things > just yet. I haven't read enough of it! > > But note that neither yours nor Jan's posts actually answer my question > (although I completely appreciate your good intentions). >

Re: [ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread derek
Goodness, I'm nowhere near clued up enough to suggest how to improve things just yet. I haven't read enough of it! But note that neither yours nor Jan's posts actually answer my question (although I completely appreciate your good intentions). When I look at the basic information, here: http:/

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 10:32 AM, David Masters wrote: > Yes, removed all rid files before restarting the server > Have you checked the ossec.log on the manager? Is each agent key unique? Are the packets making it to the manager? So they appear to be coming from the correct ip address? Is the man

Re: [ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 9:06 AM, wrote: > I'm exploring the use of OSSEC and I've got a question the docs I've read > aren't yet answering. I think it's going to be quicker to just ask... > > I have a single Linux box which runs in the DMZ. It has a few services, with > Apache and Squid being the

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread David Masters
Yes, removed all rid files before restarting the server On Monday, October 13, 2014 7:04:41 AM UTC-5, Antonio Querubin wrote: > > On Sun, 12 Oct 2014, David Masters wrote: > > > Ok...here is the log file from a freshly installed agent (shutdown ossec > > server, removed all rid files, no rid fi

Re: [ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread Jan Andrasko
Hello Derek, just install ossec in "local" mode, this should be best for you. Brgds Jan On Mon, Oct 13, 2014 at 3:06 PM, wrote: > I'm exploring the use of OSSEC and I've got a question the docs I've read > aren't yet answering. I think it's going to be quicker to just ask... > > I have a singl

[ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread derek
I'm exploring the use of OSSEC and I've got a question the docs I've read aren't yet answering. I think it's going to be quicker to just ask... I have a single Linux box which runs in the DMZ. It has a few services, with Apache and Squid being the main ones. I want to put OSSEC on it primarily

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread grant
Assuming agent key and IP are distinct for each server, please put the ossec-control into debug on the server and look for errors such as "not allowed" and so forth On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin wrote: > > On Sun, 12 Oct 2014, David Masters wrote: > > > Ok...her

Re: [ossec-list] how do import rules into database for posegresql?

2014-10-13 Thread dan (ddp)
On Mon, Oct 13, 2014 at 5:02 AM, wrote: > > Hi, all > > > I use a PostgreSQL database for OSSEC, but I see that the table "signature" is > null, so how do I import all rules into "signature"? > > Perhaps that functionality doesn't exist yet. Are there alerts in the database? If yes, that's pretty muc

[ossec-list] how do import rules into database for posegresql?

2014-10-13 Thread root
Hi, all. I use a PostgreSQL database for OSSEC, but I see that the table "signature" is null, so how do I import all rules into "signature"?

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Antonio Querubin
On Sun, 12 Oct 2014, David Masters wrote: Ok...here is the log file from a freshly installed agent (shutdown ossec server, removed all rid files, no rid files on agent system, manually entered key and server address): This is the log file from same machine after pushing out key file/ossec.co