Re: [ossec-list] Re: Couple of agents unable to connect to server
Usually there are warning or error messages in the ossec.log file (check those both in the agent and manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal wrote:
> Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.
[ossec-list] Re: Couple of agents unable to connect to server
Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.

On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
> Also, from agent:
>
> # netstat -panu | grep 1520
> udp 0 0 AGENT_IP:43737 SERVER_IP:1520 ESTABLISHED 30669/ossec-agentd
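The fix reported above came down to the agent's keys file: first its permissions, then the keys themselves. The following is an added example, not part of the original thread and not OSSEC's own tooling, that checks a keys file for permission and formatting problems consistent with that symptom; the default path, the four-field `ID NAME IP KEY` line layout and the reliance on group read access are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an OSSEC agent keys file.
# Assumed, not stated in the thread: one "ID NAME IP KEY" entry per line,
# and the agent daemon reads the file through its group permission.

# Prints one finding per line and nothing when the file looks sane.
# Key material is never echoed, only line numbers and agent IDs.
check_keys_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 0
    fi
    # Too tight: without group read, a daemon that dropped root cannot load its key.
    [ -n "$(find "$f" -perm -040)" ] || echo "group cannot read: $f"
    # Too loose: any permission bit for 'other' exposes the shared keys locally.
    [ -z "$(find "$f" \( -perm -004 -o -perm -002 -o -perm -001 \))" ] ||
        echo "accessible to other users: $f"
    if [ ! -r "$f" ]; then
        echo "unreadable by $(id -un): $f"
        return 0
    fi
    awk '
        NF == 0            { next }
        NF != 4            { printf "line %d: expected 4 fields, got %d\n", NR, NF; next }
        $1 !~ /^[0-9]+$/   { printf "line %d: agent ID is not numeric\n", NR; next }
        seen[$1]++         { printf "line %d: duplicate agent ID %s\n", NR, $1 }
    ' "$f"
    return 0
}

# Assumed default install path; pass another path as the first argument.
check_keys_file "${1:-/var/ossec/etc/client.keys}"
```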
[ossec-list] Re: Couple of agents unable to connect to server
Also, from agent:

# netstat -panu | grep 1520
udp 0 0 AGENT_IP:43737 SERVER_IP:1520 ESTABLISHED 30669/ossec-agentd

On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
> I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.
>
> Logs:
>
> - Agent:
>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
>     2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
> - Server:
>   - Nothing outside the standard output, even with debug enabled
>
> What I've done so far:
>
> - Added rules into iptables to allow communication on both agent/server
> - TCPdump confirming on agent that it is sending packet
> - TCPdump confirming on server that it is receiving agent packet
> - Netcat on both server/agent:
>   - netcat -uv SERVER_IP 1520
>     Connection to SERVER_IP 1520 port [udp/*] succeeded!
>   - netcat -uv AGENT_IP 1520
>     Connection to AGENT_IP 1520 port [udp/*] succeeded!
>
> ossec.conf:
>
> - SERVER_IP
>   1520
>
>   secure
>   tcp
>   1520