Re: [ossec-list] cant delete agent

2013-02-21 Thread Michael Barrett
Thanks
 
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty 
Insurance Corporation 
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | 1.414.347.6271 | 
1.888.601.4440 | michael_barr...@mgic.com

This message is intended for use only by the person(s) addressed above and 
may contain privileged and confidential information. Disclosure or use of 
this message by any other person is strictly prohibited. If this message 
is received in error, please notify the sender immediately and delete this 
message.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [ossec-list] Suppressing noisy traffic in archives

2013-02-21 Thread dan (ddp)
On Thu, Feb 21, 2013 at 1:21 PM, ash kumar  wrote:
> Dan,
>
> I understand the intended function of the "logall" option.
>
> I interpreted the no_log to imply specific exclusion from
> that. Since it clearly does not appear to do that, is it merely the
> equivalent of level="0"?
>

That would be my guess.

> Ash
>
> PS: Are you able to use Logstash reliably? I gave up after numerous java
> errors and crashes. I am now working on nxlog to json and ossec to json to
> nxlog but that is an entirely different thread.
>

I haven't tried it in a while. I've been lax in maintaining my home
logging solutions lately.






Re: [ossec-list] Suppressing noisy traffic in archives

2013-02-21 Thread ash kumar
Dan,

I understand the intended function of the "logall" option.

I interpreted the no_log to imply specific exclusion from 
that. Since it clearly does not appear to do that, is it merely the 
equivalent of level="0"?

Ash

PS: Are you able to use Logstash reliably? I gave up after numerous java 
errors and crashes. I am now working on nxlog to json and ossec to json to 
nxlog but that is an entirely different thread.






Re: [ossec-list] Suppressing noisy traffic in archives

2013-02-21 Thread dan (ddp)
On Thu, Feb 21, 2013 at 1:08 PM, ash kumar  wrote:
> I need to archive all logs, but am overwhelmed with pointless traffic such
> as the one below. Since the suppression of the event involves a subcategory
> and can not be automatically be done by group Policy in a mixed (2003, 2008)
> environment, I am exploring the option of suppressing it at the log storage
> level.
> While this is not the ideal situation as I am still processing the event and
> creating network traffic, nonetheless..
>
> AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no
> domain: SERVER.domain.com: The Windows Filtering Platform has allowed a
> connection. Application Information:  Process ID:  4  Application Name:
> System  Network Information:  Direction:  %%14592  Source Address:  1.2.2.2
> Source Port:  138  Destination Address: 1.2.7.5  Destination Port:  138
> Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer Name:
> %%14610  Layer Run-Time ID: 44
>
> I created a rule (that is successfully triggered by the event) in
> local_rules:
>
> <rule id="RULE_ID" level="LEVEL"> <!-- id and level attributes were lost in the archive; placeholders -->
>   <if_sid>18100</if_sid>
>   <id>^5156$|^5157$</id>
>   <options>no_log</options>
>   <description>Suppress Windows Filtering Log Messages</description>
> </rule>
>
> However, this does not stop the event from being recorded in
> /var/ossec/logs/archives/archives.log
>
> Any suggestions as to how to handle this?
>
> Thanks in advance
>
> Ash Kumar
>
> --
>

If you turn on the log all option, OSSEC will log all messages. If you
don't want to log all messages, don't turn the log all option on.






[ossec-list] Suppressing noisy traffic in archives

2013-02-21 Thread ash kumar
I need to archive all logs, but am overwhelmed with pointless traffic such 
as the one below. Since the suppression of the event involves a subcategory 
and can not be automatically be done by group Policy in a mixed (2003, 
2008) environment, I am exploring the option of suppressing it at the log 
storage level.
While this is not the ideal situation as I am still processing the event 
and creating network traffic, nonetheless..

AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no 
domain: SERVER.domain.com: The Windows Filtering Platform has allowed a 
connection. Application Information:  Process ID:  4  Application Name: 
System  Network Information:  Direction:  %%14592  Source Address:  1.2.2.2 
 Source Port:  138  Destination Address: 1.2.7.5  Destination Port:  138 
 Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer Name: 
 %%14610  Layer Run-Time ID: 44

I created a rule (that is successfully triggered by the event) in 
local_rules:

<rule id="RULE_ID" level="LEVEL"> <!-- id and level attributes were lost in the archive; placeholders -->
  <if_sid>18100</if_sid>
  <id>^5156$|^5157$</id>
  <options>no_log</options>
  <description>Suppress Windows Filtering Log Messages</description>
</rule>

However, this does not stop the event from being recorded in 
/var/ossec/logs/archives/archives.log

Any suggestions as to how to handle this?

Thanks in advance

Ash Kumar

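Dan's answer in this thread is that the log-all option writes every event to archives.log regardless of what the rules say, so a no_log rule cannot keep event 5156 out of the archive. What remains is to thin the archive after the fact. The following is an added example, not OSSEC's code and not something posted in this thread: a post-filter that drops forwarded Windows events by event ID, keyed on the AUDIT_SUCCESS(5156): header visible in the sample above. It assumes the archives.log line framing `date (agent) ip->location message`; the sample lines are constructed.

```python
"""Post-filter OSSEC archives.log lines to drop selected Windows event IDs.

Example code added for illustration; not part of OSSEC. Assumed framing of an
archives.log line: 'YYYY Mon DD HH:MM:SS (agent) ip->location message', where
a forwarded Windows event's message starts 'AUDIT_SUCCESS(5156): ...' as in
the sample posted in the thread."""
import re
import sys
from collections import Counter
from typing import Iterable, List, Optional, Set, Tuple

# Anchored on the event-type header so a bare number elsewhere in the message
# (a port, a PID) is never mistaken for the event ID.
WIN_EVENT_HEADER = re.compile(
    r"\b(AUDIT_SUCCESS|AUDIT_FAILURE|INFORMATION|WARNING|ERROR)\((\d+)\):"
)

# The two Windows Filtering Platform events the thread wants out of the archive.
SUPPRESSED_EVENT_IDS: Set[int] = {5156, 5157}


def windows_event_id(line: str) -> Optional[int]:
    """Return the Windows event ID of an archived line, or None for non-Windows lines."""
    m = WIN_EVENT_HEADER.search(line)
    return int(m.group(2)) if m else None


def filter_archive(lines: Iterable[str], suppressed: Set[int]) -> Tuple[List[str], Counter]:
    """Keep every line except Windows events whose ID is in `suppressed`.

    Returns the kept lines and a per-event-ID count of what was dropped, so the
    suppression stays auditable."""
    kept: List[str] = []
    dropped: Counter = Counter()
    for line in lines:
        eid = windows_event_id(line)
        if eid is not None and eid in suppressed:
            dropped[eid] += 1
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample archive lines (not real captured data). Line 4 carries the
# number 5156 as a process ID and line 5 as an sshd PID: neither is an event ID.
SAMPLE_ARCHIVE = [
    "2013 Feb 21 13:00:01 (SERVER) 1.2.2.2->WinEvtLog AUDIT_SUCCESS(5156): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: SERVER.domain.com: "
    "The Windows Filtering Platform has allowed a connection. Source Port:  138  "
    "Destination Port:  138  Protocol:  17",
    "2013 Feb 21 13:00:02 (SERVER) 1.2.2.2->WinEvtLog AUDIT_FAILURE(5157): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: SERVER.domain.com: "
    "The Windows Filtering Platform has blocked a connection.",
    "2013 Feb 21 13:00:03 (SERVER) 1.2.2.2->WinEvtLog AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: SERVER.domain.com: "
    "An account was successfully logged on.",
    "2013 Feb 21 13:00:04 (SERVER) 1.2.2.2->WinEvtLog AUDIT_SUCCESS(4688): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: SERVER.domain.com: "
    "A new process has been created. New Process ID: 5156",
    "2013 Feb 21 13:00:05 (linuxbox) 10.0.0.7->/var/log/auth.log sshd[5157]: "
    "Accepted publickey for admin from 10.0.0.9 port 51234 ssh2",
]


if __name__ == "__main__":
    # Usage: python filter_archive.py < archives.log > archives.filtered.log
    kept_lines, dropped_counts = filter_archive(
        (l.rstrip("\n") for l in sys.stdin), SUPPRESSED_EVENT_IDS
    )
    sys.stdout.write("\n".join(kept_lines) + ("\n" if kept_lines else ""))
    sys.stderr.write(f"dropped by event ID: {dict(dropped_counts)}\n")
```

Run it over a rotated copy of archives.log rather than the live file, and keep the dropped counts with the filtered output so the gap in the archive is explainable later.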




Re: [ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-21 Thread Phil Cox
I figured it out. I had the alert set to a number below my email alert
threshold.

Phil

On Wed, Feb 20, 2013 at 1:06 PM, Phil Cox  wrote:

> Is ossec-maild running?
>> Does it try to send the email (you can use tcpdump or the email
>> server's logs to find out)?
>>
>>
> It is running. It does NOT seem to be attempting to send email when the
> rules fire. I do see the alert in the alert.log file though.
>
> Phil
>



-- 
Director of Security and Compliance
RightScale Inc - http://www.rightscale.com
805-243-0942
Skype: phil.cox.rs
Twitter: @sec_prof





Re: [ossec-list] Re: Agentless error "timeout while running on host (too long to finish)"

2013-02-21 Thread dan (ddp)
On Thu, Feb 21, 2013 at 9:15 AM,   wrote:
> So which privilege level is the best to run the script?
>
> Do I have to change this to get the wanted result?
>
>
>
> --
>

I really don't have much experience with agentless, especially with
cisco products. Your best bet is to read through the script to see how
it is supposed to work.






[ossec-list] Re: Agentless error "timeout while running on host (too long to finish)"

2013-02-21 Thread qwe19sd
So which privilege level is the best to run the script?
 
Do I have to change this to get the wanted result?
 
 





Re: [ossec-list] cant delete agent

2013-02-21 Thread dan (ddp)
On Thu, Feb 21, 2013 at 8:24 AM, Michael Barrett wrote:
>
>
> Is it possible to just vi the client.keys file?
> 

It is possible, it's a plain text file. Here's an example of a removed agent:
003 #*#*#*#*#*#*#*#*#*#*#638d2f2affc852245528f7ba749c57ee38aba3f3d152d10278687fe


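Dan's point above is that manage_agents deactivates an agent rather than deleting its line, which is why grepping for the ID still finds it. As an added example (not OSSEC's own code and not something posted in this thread), the following parses a client.keys file and separates live agents from deactivated ones by the `#*#*#` marker. It assumes the line layout `ID NAME IP KEY`; agents 001 and 002 in the sample are constructed, and the 003 line is the one Dan posted. The listing helper deliberately never echoes the keys, since client.keys holds the agents' authentication secrets.

```python
"""Inspect an OSSEC client.keys file: separate live agents from entries that
manage_agents has deactivated rather than deleted.

Example code added for illustration; it is not part of OSSEC. Assumed layout,
one agent per line: ID NAME IP KEY, with a removed agent keeping its ID and
carrying the '#*#*#...' marker where its name used to be."""
from dataclasses import dataclass
from typing import List, Optional

# Prefix manage_agents writes into a removed agent's line (see the 003 line in
# the sample below, which Dan posted in the thread).
REMOVED_MARKER = "#*#*#"


@dataclass(frozen=True)
class AgentEntry:
    agent_id: str
    name: Optional[str]   # None once the agent has been deactivated
    ip: Optional[str]     # None once the agent has been deactivated
    removed: bool


def parse_client_keys(text: str) -> List[AgentEntry]:
    """Parse client.keys content. The shared keys are read but never stored."""
    entries: List[AgentEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(None, 3)          # ID, NAME, IP, KEY
        agent_id = fields[0]
        if len(fields) >= 2 and fields[1].startswith(REMOVED_MARKER):
            entries.append(AgentEntry(agent_id, None, None, True))
            continue
        if len(fields) != 4:
            raise ValueError(f"unrecognised client.keys line for agent {agent_id}")
        entries.append(AgentEntry(agent_id, fields[1], fields[2], False))
    return entries


def active_agents(entries: List[AgentEntry]) -> List[AgentEntry]:
    """Agents that can still authenticate to the server."""
    return [e for e in entries if not e.removed]


def removed_agent_ids(entries: List[AgentEntry]) -> List[str]:
    """IDs that manage_agents has deactivated but left in the file."""
    return [e.agent_id for e in entries if e.removed]


def lines_with_id(text: str, agent_id: str) -> int:
    """What 'grep <id> client.keys' effectively counts: lines whose first field is the ID.
    A deactivated agent still contributes a hit here."""
    return sum(1 for l in text.splitlines() if l.split(None, 1)[:1] == [agent_id])


def listing(entries: List[AgentEntry]) -> List[str]:
    """A manage_agents-style list that never echoes key material."""
    out: List[str] = []
    for e in entries:
        if e.removed:
            out.append(f"ID: {e.agent_id}, (deactivated)")
        else:
            out.append(f"ID: {e.agent_id}, Name: {e.name}, IP: {e.ip}")
    return out


# Constructed sample file: 001 and 002 are made up (keys are dummy hex); the
# 003 line is the removed-agent example from the thread.
SAMPLE_CLIENT_KEYS = """\
001 webserver 10.0.0.5 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 dbserver any fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 #*#*#*#*#*#*#*#*#*#*#638d2f2affc852245528f7ba749c57ee38aba3f3d152d10278687fe
"""


if __name__ == "__main__":
    # Usage: python inspect_client_keys.py  (reads the constructed sample above)
    parsed = parse_client_keys(SAMPLE_CLIENT_KEYS)
    for row in listing(parsed):
        print(row)
    print("deactivated IDs still present in file:", removed_agent_ids(parsed))
```

The point of `lines_with_id` is the behaviour Michael hit: a deactivated agent is still a line in the file, so a grep for its ID "finds" it even though the agent can no longer connect. If the line really has to go, Dan's answer (edit the plain-text file) applies; keep a backup and restart the server afterwards.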




Re: [ossec-list] cant delete agent

2013-02-21 Thread Michael Barrett
Is it possible to just vi the client.keys file?
 




From: "dan (ddp)"
To: ossec-list@googlegroups.com
Date: 02/19/2013 02:52 PM
Subject: Re: [ossec-list] cant delete agent
Sent by: ossec-list@googlegroups.com



On Tue, Feb 19, 2013 at 3:49 PM, Michael Barrett wrote:
>
> Please help
>
> I'm trying to delete an agent.
>
> I grep for the agent ID,
>
> run manage_agents and delete the ID,
>
> grep again and it's still there.
>
> I tried stopping the process after deleting; same thing.
>
> Running OSSEC 2.6 on Linux.
>

Welcome back. Removing the agent with manage_agents does not delete
all entries from client.keys, it mostly deactivates it. If you do a
list in manage_agents, does the agent still show up?






Re: [ossec-list] Agentless error "timeout while running on host (too long to finish)"

2013-02-21 Thread qwe19sd
I tried running the command manually on the router; it takes just a second to 
run.
 
It looks like it is logged in: it shows the   router#
prompt, but then it returns the error.
 
Thanks for your help 

On Tuesday, 19 February 2013 15:38:39 UTC+1, dan (ddpbsd) wrote:

> On Tue, Feb 19, 2013 at 5:08 AM,  > wrote: 
> > Hi, I'm trying to monitor a Cisco router. 
> > 
> > I enabled agentless, added the router and the password to 
> > register_host.sh, and also edited ossec.conf. 
> > 
> > I try to run " ( cd /var/ossec && ./agentless/ssh_pixconfig_diff 
> > ci...@172.17.0.1  'show hardware' ) " to test if all works well. 
> > 
> > BUT 
> > 
> > It returns the error "timeout while running on host (too long to 
> > finish)". 
> > 
> > OSSEC is logged in to the router, but nothing happens; after a few 
> > moments it pops up with the error. What is my mistake? 
> > 
> > I tried this already but it is still not working: 
> > (http://www.mail-archive.com/ossec-list@googlegroups.com/msg15466.html) 
> > 
> > Thanks for your help and sorry for my bad English. 
> > 
> > 
> > -- 
> > 
>
> If you run the command manually on the router, how long does it take? 
> Are you sure the OSSEC server successfully logs into the router? 
>





[ossec-list] Re: Agentless error "timeout while running on host (too long to finish)"

2013-02-21 Thread qwe19sd
I asked my colleague who set up an account on the router. 
This user is automatically in enable; maybe this is the problem?
 
Thanks for your advice





Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-02-21 Thread Андрей Шевченко
I tried to add a bad option and I see that it is not being picked up...
As in my example, I don't see anything related to the options in the specific 
agent profile.

On Tuesday, 19 February 2013 23:15:44 UTC+6, dan (ddpbsd) wrote:
>
> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко 
> > 
> wrote: 
> > ossec.conf (agent test_PC): 
> > 
> >> test1 
> >>  1.1.1.1 
> >> no 
> > 
> > agent.conf (server): 
> > 
> >> D:/ 
> >>   F:/ 
> >>   C:/ 
> > 
> > ossec.log (agent): 
> > 
> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'. 
> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'. 
> > 
> > Disk F is not monitored. 
> > 
> > Equal configuration for agent under FreeBSD works fine. 
> > 
> > -- 
> > 
>
> You could add a bad option under that profile to see if it's being 
> picked up, like monitoring a syslog file that doesn't actually exist. 
>
> Other than that, I'd try something like: 
>
>  
>  
>   F:\.  
>  
>  
>
> I can't test this at the moment, so I don't know for sure that it will 
> work. 
>





Re: [ossec-list] Hybrid Killed Me?

2013-02-21 Thread Tony Perez
Hi Will

The idea of the hybrid configuration is that if you have an environment
that is very chatty you can offload your server. It allows you to process
locally on the "agents" and push only the alerts to the "server". Another
reason for this configuration would be if you had a network with multiple
subnetworks and you want them all to have their own servers but then push
everything to one centralized location.

Make sense?


On Wed, Feb 20, 2013 at 6:28 PM, TWAD  wrote:

> Dan,
> I changed the permissions for merged.mg to rwrwr and it is updating as I
> write this. Group is ossec, owner is ossec.
> I no longer run the hybrid; I have only the server installed to reduce
> troubleshooting efforts.
>
> Here is what I recently noticed and changed. Upon start-up tonight,
> ossec-remoted was not starting. I noticed an error that I did not have an IP
> for syslog, so I edited ossec.conf and noticed that I have two remote
> elements: one for syslog, and one for secure. I removed the syslog
> element, added port 1514 (since I cannot see it through tcpdump), and
> allowed IPs.
>
> 127.0.0.1
> ^localhost.localdomain$
> 10.10.1.1
> 10.10.2.8
> 10.10.2.100
> 10.10.1.100
>
>
> <remote>
>   <connection>secure</connection>
>   <port>1514</port>
>   <allowed-ips>10.10.1.100</allowed-ips>
>   <allowed-ips>10.10.1.1</allowed-ips>
>   <allowed-ips>10.10.2.100</allowed-ips>
>   <allowed-ips>10.10.2.8</allowed-ips>
>   <allowed-ips>10.10.2.10</allowed-ips>
> </remote>
>
>   # <remote>
>   #   <connection>secure</connection>
>   # </remote>
>
> 
> I saved the configuration and ran ossec-control restart
>
> Now I get:
>
> [root@rhelx bin]# ./ossec-control status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted: Process 24878 not used by ossec, removing ..
> ossec-remoted not running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild not running...
> ossec-execd is running...
>
> The agent still gets:
> 2013/02/20 19:54:35 ossec-agent: INFO: Started (pid: 6364).
> 2013/02/20 19:54:45 ossec-agent: WARN: Process locked. Waiting for permission...
> 2013/02/20 19:54:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.10.2.8'.
> 2013/02/20 19:54:57 ossec-agent: INFO: Trying to connect to server (10.10.2.8:1514).
> 2013/02/20 19:54:57 ossec-agent: INFO: Using IPv4 for: 10.10.2.8 .
>
> and when I grep for ossec-remoted in the ossec log, I get this:
>
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Starting ...
> 2013/02/20 19:53:10 ossec-remoted: INFO: Started (pid: 24876).
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Forking remoted: '1'.
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2013/02/20 19:53:10 ossec-remoted: INFO: Started (pid: 24878).
> 2013/02/20 19:53:10 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> 2013/02/20 19:53:11 ossec-remoted: DEBUG: Running manager_init
> 2013/02/20 19:53:11 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '229376'.
> 2013/02/20 19:53:11 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2013/02/20 19:53:11 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2013/02/20 19:53:11 ossec-remoted: DEBUG: OS_StartCounter.
> 2013/02/20 19:53:11 ossec-remoted: OS_StartCounter: keysize: 2
>
> I searched for hours today looking through old posts to find an answer and
> I noticed a guy (Eric Hansen) had the same issue, but the thread stopped
> before the solve.
> https://groups.google.com/forum/?fromgroups#!topic/ossec-list/gDbBjD6r-DQ
>
> Thanks
> Will
>
>
>
> On Wednesday, February 20, 2013 9:10:47 AM UTC-6, dan (ddpbsd) wrote:
>
>> On Tue, Feb 19, 2013 at 11:55 PM, TWAD  wrote:
>> > Bottom line: No Clients will connect after I installed Hybrid,
>> Uninstalled
>> > Hybrid, and Reinstalled Server. What am I doing/have I done wrong?
>> >
>>
>> Hybrid just installs a server installation in /var/ossec, and an agent
>> in /var/ossec/ossec-agent (for forwarding alerts to other OSSEC
>> servers). So setup should be the same.
>>
>> > Details
>> >
>> > 1.  So I had v2.7 installed as a server on RHEL 6.4
>> >
>> > 2.  I had agents on 10 hosts in the lab
>> >
>> > 3.  All agents were monitored with no issues
>> >
>> > 4.  I wanted an agent on the server, So I installed Hybrid
>> >
>> > 5.  Then none of the agents would connect
>> >
>> > 6.  Every agent log shows ossec-agent (4101): WARN: Waiting for server
>> reply
>> > (not started). Tried 10.10.2.8, trying to connect to server (
>> 10.10.2.8:1514)
>> >
>> > 7.  So from here I uninstalled and reinstalled over and over again
>> keys,
>> > clients, and finally the server using the script below AND removing the
>> > /var/ossec directory
>> >
>> > 8.  Today I reinstalled the server (not hybrid) and
>> uninstalled/reinstalled
>> > installed clients on two hosts. I am getting the same error no matter
>> what
>> >
>> > 9.  I have the firewall completely disabled
>> >
>> > [root@rh