Re: [ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Santiago Bassett 
Usually there are warning or error messages in ossec.log file (check those
both in the agent and manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal  wrote:

> Found a solution, thinking it might be a key issue. On one server, I had
> to chmod the keys file, which allowed the agent to connect. I tried
> re-adding the existing key to the other agents and configuring the
> permissions without anything working. Finally, I re-issued the keys for the
> disconnect clients, and all connected after restart. Not sure what the
> issue was.
>
>
> On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>>
>> Also, from agent:
>>
>> # netstat -panu | grep 1520
>> udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED
>> 30669/ossec-agentd
>>
>> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>>
>>> I have about 20 OSSEC agents connected to my OSSEC server without issue.
>>> There are approximately 6 however that cannot connect. I'm using a
>>> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>>
>>> Logs:
>>>
>>>- Agent:
>>>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for:
>>>   SERVER_IP .
>>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server
>>>   reply (not started). Tried: 'SERVER_IP'.
>>>- Server:
>>>   - Nothing outside the standard output, even with debug enabled
>>>
>>>
>>> What I've done so far:
>>>
>>>- Added rules into iptables to allow communication on both
>>>agent/sever
>>>- TCPdump confirming on agent that it is sending packet
>>>- TCPdump confirming on server that it is receiving agent packet
>>>- Netcat on both server/agent:
>>>   - netcat -uv SERVER_IP 1520
>>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>>   - netcat -uv AGENT_IP1520
>>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>>
>>> ossec.conf:
>>>
>>>- 
>>>  
>>>SERVER_IP
>>>1520
>>>  
>>>  
>>>secure
>>>tcp
>>>1520
>>>  
>>>
>>>
>>>
>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal 
Found a solution, thinking it might be a key issue. On one server, I had to 
chmod the keys file, which allowed the agent to connect. I tried re-adding 
the existing key to the other agents and configuring the permissions 
without anything working. Finally, I re-issued the keys for the disconnect 
clients, and all connected after restart. Not sure what the issue was.

On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>
> Also, from agent:
>
> # netstat -panu | grep 1520
> udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED 
> 30669/ossec-agentd
>
> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>
>> I have about 20 OSSEC agents connected to my OSSEC server without issue. 
>> There are approximately 6 however that cannot connect. I'm using a 
>> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>
>> Logs:
>>
>>- Agent:
>>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: 
>>   SERVER_IP .
>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server 
>>   reply (not started). Tried: 'SERVER_IP'.
>>- Server:
>>   - Nothing outside the standard output, even with debug enabled
>>   
>>
>> What I've done so far:
>>
>>- Added rules into iptables to allow communication on both agent/sever
>>- TCPdump confirming on agent that it is sending packet
>>- TCPdump confirming on server that it is receiving agent packet
>>- Netcat on both server/agent:
>>   - netcat -uv SERVER_IP 1520
>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>   - netcat -uv AGENT_IP1520
>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>
>> ossec.conf:
>>
>>- 
>>  
>>SERVER_IP
>>1520
>>  
>>  
>>secure
>>tcp
>>1520
>>  
>>
>>
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal 
Also, from agent:

# netstat -panu | grep 1520
udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED 
30669/ossec-agentd

On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>
> I have about 20 OSSEC agents connected to my OSSEC server without issue. 
> There are approximately 6 however that cannot connect. I'm using a 
> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>
> Logs:
>
>- Agent:
>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP 
>   .
>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server 
>   reply (not started). Tried: 'SERVER_IP'.
>- Server:
>   - Nothing outside the standard output, even with debug enabled
>   
>
> What I've done so far:
>
>- Added rules into iptables to allow communication on both agent/sever
>- TCPdump confirming on agent that it is sending packet
>- TCPdump confirming on server that it is receiving agent packet
>- Netcat on both server/agent:
>   - netcat -uv SERVER_IP 1520
>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>   - netcat -uv AGENT_IP1520
>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>
> ossec.conf:
>
>- 
>  
>SERVER_IP
>1520
>  
>  
>secure
>tcp
>1520
>  
>
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.