[ossec-list] Ossec agent connection problem

2018-08-31 Thread Don_Johny
Hello, I have a problem connecting agents. I installed OSSEC on Ubuntu Server 
16.04 virtual machines, added agents (with IP and any), extracted the key, 
but when I view the agents list I get only "No agent available". Could anyone 
tell me what the issue is? Here are my logs from the machines. Any help is 
appreciated, thanks in advance.
Log file from server :

2018/08/31 13:07:57 ossec-analysisd: INFO: White listing IP: '
2018/08/31 13:07:57 ossec-analysisd: INFO: 7 IPs in the white list for active response.
2018/08/31 13:07:57 ossec-analysisd: INFO: White listing Hostname: '::1'
2018/08/31 13:07:57 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2018/08/31 13:07:57 ossec-analysisd: INFO: Started (pid: 5794).
2018/08/31 13:07:58 ossec-monitord: INFO: Started (pid: 5813).
2018/08/31 13:07:58 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys file.
2018/08/31 13:07:58 ossec-remoted: INFO: No previous counter available for 'sv2'.
2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: '0:0'.
2018/08/31 13:07:58 ossec-remoted: INFO: No previous sender counter.
2018/08/31 13:07:58 ossec-remoted: INFO: Assigning sender counter: 0:0
2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2018/08/31 13:08:02 ossec-syscheckd: INFO: Started (pid: 5810).
2018/08/31 13:08:02 ossec-rootcheck: INFO: Started (pid: 5810).
2018/08/31 13:08:03 ossec-logcollector: INFO: Started (pid: 5799).
2018/08/31 13:08:22 INFO: Connected to 127.0.1.1 at address 127.0.1.1, port 25
2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/08/31 13:09:04 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/messages'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/secure'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/maillog'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/exim_mainlog'.
2018/08/31 13:13:21 ossec-syscheckd(1124): ERROR: Could not rename file '/usr/bin/vmware-user' to '/var/ossec/queue/diff/local/usr/bin/vmware-user/last-entry' due to [(2)-(No such file or directory)].

Log from agent :

2018/08/31 12:34:46 ossec-execd: INFO: Started (pid: 10201).
2018/08/31 12:34:46 ossec-agentd: INFO: Using notify time: 600 and max time to $
2018/08/31 12:34:46 ossec-agentd(1410): INFO: Reading authentication keys file.
2018/08/31 12:34:46 ossec-agentd: INFO: Started (pid: 10205).
2018/08/31 12:34:46 ossec-agentd: INFO: Server 1: 157.97.106.107
2018/08/31 12:34:46 ossec-agentd: INFO: Trying to connect to server 157.97.106.$
2018/08/31 12:34:46 INFO: Connected to 157.97.106.107 at address 157.97.106.107$
2018/08/31 12:34:46 rootcheck: System audit file not configured.
2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:09:09 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:09:09 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:09:11 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/08/31 13:09:11 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2018/08/31 13:09:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:10:08 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:10:08 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:10:21 ossec-logcollector: WARN: Process locked. Waiting for permission...
2018/08/31 13:10:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscri
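
A small triage script, added here by the editor (not the poster's code and not part of OSSEC), that parses log lines in the shape of the two logs above and summarises the agent's connection state: how often it opened the socket to the manager, how often it then hit warning 4101 ("Waiting for server reply"), and which agent names remoted actually loaded from its keys file. The sample lines are trimmed copies of the posted logs, not the complete logs.

```python
import re
from collections import Counter

# Constructed samples, trimmed from the agent and server logs posted above
# (same line shapes and values; not the complete logs).
AGENT_LOG = """\
2018/08/31 12:34:46 ossec-agentd: INFO: Server 1: 157.97.106.107
2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
"""
SERVER_LOG = """\
2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys file.
2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: '0:0'.
"""

# One OSSEC log line: timestamp, optional "daemon(code):", level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: )?"
    r"(?P<level>INFO|WARN|ERROR): (?P<msg>.*)$"
)

def parse(text):
    """Parsed fields of every line that matches the OSSEC log format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def keyed_agents(server_text):
    """Agent names remoted loaded from client.keys ('Assigning counter for agent NAME')."""
    names = set()
    for e in parse(server_text):
        m = re.match(r"Assigning counter for agent (\S+):", e["msg"])
        if m:
            names.add(m.group(1))
    return names

def triage_agent(agent_text):
    """Count the agent's connection phases and flag a socket that never gets a reply."""
    c = Counter()
    server = None
    for e in parse(agent_text):
        msg = e["msg"]
        if msg.startswith("Server 1:"):
            server = msg.split(":", 1)[1].strip()
        elif msg.startswith("Trying to connect"):
            c["attempts"] += 1
        elif msg.startswith("Connected to"):
            c["socket_ok"] += 1   # local socket set up; says nothing about the manager answering
        elif e["code"] == "4101":  # "Waiting for server reply (not started)"
            c["no_reply"] += 1
    return {"server": server, "attempts": c["attempts"], "socket_ok": c["socket_ok"],
            "no_reply": c["no_reply"],
            "server_reply_missing": c["socket_ok"] > 0 and c["no_reply"] > 0}
```

When `server_reply_missing` is true the agent reaches the socket stage but never receives the manager's startup reply, so the next things to confirm are that `keyed_agents()` lists this agent and that port 1514 is reachable from the agent.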

Re: [ossec-list] PSAD rule include error

2018-08-31 Thread Fredrik Hilmersson
Hello Dan,

well that solved it! I added the rule in the top of the list, adding it 
where you suggested (in your conf) and no issues.

Thanks for the response as always!

On Thursday, 30 August 2018 at 13:19:17 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilmersson 
> > wrote: 
> > 
> > Hello, 
> > 
> > The ruleset psad_rules.xml which is included in the 3.0.0 version is not 
> > by default included in the ossec.conf file. When I add the include: 
> > psad_rules.xml within the  I get the following error: 
> > 
> > ossec-testrule: INFO: Reading local decoder file. 
> > rules_list: Category '1' not found. Invalid 'category'. 
> > 
> > It works by adding the rules to local_rules.xml, so that's no issue, but 
> > for convenience and also to learn if I've done something incorrect I would 
> > appreciate some help with the above issue. 
> > 
>
> I'm not having any issues. 
>
>
> rules_config.xml 
> pam_rules.xml 
> sshd_rules.xml 
> telnetd_rules.xml 
> syslog_rules.xml 
> arpwatch_rules.xml 
> symantec-av_rules.xml 
> symantec-ws_rules.xml 
> pix_rules.xml 
> named_rules.xml 
> smbd_rules.xml 
> vsftpd_rules.xml 
> pure-ftpd_rules.xml 
> proftpd_rules.xml 
> ms_ftpd_rules.xml 
> ftpd_rules.xml 
> hordeimp_rules.xml 
> roundcube_rules.xml 
> wordpress_rules.xml 
> cimserver_rules.xml 
> vpopmail_rules.xml 
> vmpop3d_rules.xml 
> courier_rules.xml 
> web_rules.xml 
> web_appsec_rules.xml 
> apache_rules.xml 
> nginx_rules.xml 
> php_rules.xml 
> mysql_rules.xml 
> postgresql_rules.xml 
> ids_rules.xml 
> squid_rules.xml 
> firewall_rules.xml 
> apparmor_rules.xml 
> cisco-ios_rules.xml 
> netscreenfw_rules.xml 
> sonicwall_rules.xml 
> postfix_rules.xml 
> sendmail_rules.xml 
> imapd_rules.xml 
> mailscanner_rules.xml 
> dovecot_rules.xml 
> ms-exchange_rules.xml 
> racoon_rules.xml 
> vpn_concentrator_rules.xml 
> spamd_rules.xml 
> msauth_rules.xml 
> mcafee_av_rules.xml 
> trend-osce_rules.xml 
> ms-se_rules.xml 
>  
> zeus_rules.xml 
> solaris_bsm_rules.xml 
> vmware_rules.xml 
> ms_dhcp_rules.xml 
> asterisk_rules.xml 
> ossec_rules.xml 
> attack_rules.xml 
> openbsd_rules.xml 
> clam_av_rules.xml 
> dropbear_rules.xml 
> sysmon_rules.xml 
> opensmtpd_rules.xml 
> exim_rules.xml 
> openbsd-dhcpd_rules.xml 
> dnsmasq_rules.xml 
> psad_rules.xml  
> local_rules.xml 
>  
>
>
> [root@rossak ossec]# /var/ossec/bin/ossec-logtest -t 
> 2018/08/30 07:18:54 ossec-testrule: INFO: Reading local decoder file. 
> [root@rossak ossec]# 
>
>
> > Kind regards, 
> > Fredrik 
> > 
>

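Added by the editor as a configuration check, not dan's or OSSEC's own code: a linter that reads the `<rules>` block of an ossec.conf and verifies the two ordering properties visible in dan's working list above, rules_config.xml as the first include and local_rules.xml as the last, plus duplicate includes. The fragment is constructed (it assumes a single `<ossec_config>` root holding the `<rules>` block) and is a trimmed version of dan's list.

```python
import xml.etree.ElementTree as ET

# Constructed fragment (assumption: one <ossec_config> root holding the <rules>
# block); include order mirrors the working list dan posted, trimmed.
GOOD_CONF = """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>psad_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>"""

# Same files, but psad_rules.xml placed after local_rules.xml.
BAD_CONF = GOOD_CONF.replace(
    "<include>psad_rules.xml</include>\n    <include>local_rules.xml</include>",
    "<include>local_rules.xml</include>\n    <include>psad_rules.xml</include>")

def include_order(conf_text):
    """Rule files in the order the <rules> block lists them."""
    root = ET.fromstring(conf_text)
    return [el.text.strip() for el in root.iterfind("rules/include") if el.text]

def lint_rules_order(conf_text):
    """Problems with the include order; an empty list means the block is well formed."""
    incs = include_order(conf_text)
    problems = []
    if incs[:1] != ["rules_config.xml"]:
        problems.append("rules_config.xml must be the first include")
    if incs[-1:] != ["local_rules.xml"]:
        problems.append("local_rules.xml must be the last include")
    seen = set()
    for name in incs:
        if name in seen:
            problems.append(f"{name} is included more than once")
        seen.add(name)
    return problems
```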