Re: [ossec-list] cannot connect to ossec server on docker
Hi Ka-Hing Thanks for sharing! Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 9:44:23 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > Figured out the problem. It's a docker bug: > https://github.com/docker/docker/issues/7540 > > On Friday, August 26, 2016 at 6:34:58 PM UTC-7, jose wrote: >> >> Did you try to add a new key to the agent already? >> >> Regards >> --- >> Jose Luis Ruiz >> Wazuh Inc. >> jo...@wazuh.com >> >> On August 26, 2016 at 9:19:52 PM, Ka-Hing Cheung (kah...@gmail.com >> ) wrote: >> >>> From the agent container >>> >>> On Friday, August 26, 2016 at 6:16:23 PM UTC-7, jose wrote: Hi Ka-Hing When do you run the command nc -u 10.0.129.94 1514, this command is from the agent container or the main server? Regards --- Jose Luis Ruiz Wazuh Inc. jo...@wazuh.com On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: nc -u 10.0.129.94 1514 -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to ossec-list+...@googlegroups.com . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Figured out the problem. It's a docker bug: https://github.com/docker/docker/issues/7540 On Friday, August 26, 2016 at 6:34:58 PM UTC-7, jose wrote: > > Did you try to add a new key to the agent already? > > Regards > --- > Jose Luis Ruiz > Wazuh Inc. > jo...@wazuh.com > > On August 26, 2016 at 9:19:52 PM, Ka-Hing Cheung (kah...@gmail.com > ) wrote: > >> From the agent container >> >> On Friday, August 26, 2016 at 6:16:23 PM UTC-7, jose wrote: >>> >>> Hi Ka-Hing >>> >>> When do you run the command nc -u 10.0.129.94 1514, this command is >>> from the agent container or the main server? >>> >>> Regards >>> --- >>> Jose Luis Ruiz >>> Wazuh Inc. >>> jo...@wazuh.com >>> >>> On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com) >>> wrote: >>> >>> nc -u 10.0.129.94 1514 >>> >>> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Did you try to add a new key to the agent already? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 9:19:52 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > From the agent container > > On Friday, August 26, 2016 at 6:16:23 PM UTC-7, jose wrote: >> >> Hi Ka-Hing >> >> When do you run the command nc -u 10.0.129.94 1514, this command is >> from the agent container or the main server? >> >> Regards >> --- >> Jose Luis Ruiz >> Wazuh Inc. >> jo...@wazuh.com >> >> On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com >> ) wrote: >> >> nc -u 10.0.129.94 1514 >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
>From the agent container On Friday, August 26, 2016 at 6:16:23 PM UTC-7, jose wrote: > > Hi Ka-Hing > > When do you run the command nc -u 10.0.129.94 1514, this command is from > the agent container or the main server? > > Regards > --- > Jose Luis Ruiz > Wazuh Inc. > jo...@wazuh.com > > On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com > ) wrote: > > nc -u 10.0.129.94 1514 > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Hi Ka-Hing When do you run the command nc -u 10.0.129.94 1514, this command is from the agent container or the main server? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: nc -u 10.0.129.94 1514 -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
It looks like the server is able to receive the messages, from tcpdump 23:10:06.123099 IP (tos 0x0, ttl 64, id 3755, offset 0, flags [DF], proto UDP (17), length 106) 172.17.42.1.54099 > 172.17.11.152.1514: UDP, length 78 23:10:06.123376 IP (tos 0x0, ttl 64, id 31027, offset 0, flags [DF], proto UDP (17), length 101) 172.17.11.152.1514 > 172.17.42.1.54099: UDP, length 73 172.17.11.152 is the server's IP on the docker0 interface. 172.17.42.1 is the default gateway of the docker0 interface though, and not the IP from the agent. Both agent and server are on the same machine. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Hi Jose, 3d71dacc22e0etleap/ossec:latest "/usr/bin/supervisor 20 hours agoUp 3 hours 0.0.0.0:1514->1514/udp, 0.0.0.0:1515->1515/tcp ossec Again, I can use nc to manually send an udp packet to the server from the agent container, so I don't think it's a networking problem. On Friday, August 26, 2016 at 3:57:17 PM UTC-7, jose wrote: > > Hi Ka-hing > > First of all we need to know which command you use to run the container in > order to know which ports are you mapping. > > > Regards > --- > Jose Luis Ruiz > Wazuh Inc. > jo...@wazuh.com > > On August 26, 2016 at 5:11:03 PM, Ka-Hing Cheung (kah...@gmail.com > ) wrote: > >> I have ossec server and agent running in two different docker images. The >> agent is not able to connect to the server: >> >> >> 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server ( >> ossec.domain/10.0.129.94:1514). >> 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 . >> 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply ( >> not started). Tried: 'ossec.domain/10.0.129.94'. >> >> >> There's no log on the server for the connection attempt. However, if I >> execute nc -u 10.0.129.94 1514 and send a random message, I see this in >> the server log: >> >> >> 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 >> not allowed. >> >> >> >> 172.17.42.1 is the IP from the docker interface. I already have this in >> my server ossec.conf: >> >> >> >> >> 127.0.0.1 >> 10.0.0.0/16 >> 172.17.0.0/16 >> >> >> >> secure >> 10.0.0.0/16 >> 172.17.0.0/16 >> >> >> >> Any ideas? >> >> - Ka-Hing >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Hi Ka-hing First of all we need to know which command you use to run the container in order to know which ports are you mapping. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 5:11:03 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > I have ossec server and agent running in two different docker images. The > agent is not able to connect to the server: > > > 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server (ossec > .domain/10.0.129.94:1514). > 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 . > 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply ( > not started). Tried: 'ossec.domain/10.0.129.94'. > > > There's no log on the server for the connection attempt. However, if I > execute nc -u 10.0.129.94 1514 and send a random message, I see this in > the server log: > > > 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 > not allowed. > > > > 172.17.42.1 is the IP from the docker interface. I already have this in > my server ossec.conf: > > > > > 127.0.0.1 > 10.0.0.0/16 > 172.17.0.0/16 > > > > secure > 10.0.0.0/16 > 172.17.0.0/16 > > > > Any ideas? > > - Ka-Hing > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
I can try that, but why do you think that's the problem? the server is not logging any connection attempt at all. On Friday, August 26, 2016 at 3:41:02 PM UTC-7, Eero Volotinen wrote: > > Try creating client key with correct ip addresa.. > > 27.8.2016 12.35 ap. "Ka-Hing Cheung" > > kirjoitti: > >> I have ossec server and agent running in two different docker images. The >> agent is not able to connect to the server: >> >> >> 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server ( >> ossec.domain/10.0.129.94:1514). >> 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 . >> 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply ( >> not started). Tried: 'ossec.domain/10.0.129.94'. >> >> >> There's no log on the server for the connection attempt. However, if I >> execute nc -u 10.0.129.94 1514 and send a random message, I see this in >> the server log: >> >> >> 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 not >> allowed. >> >> >> 172.17.42.1 is the IP from the docker interface. I already have this in >> my server ossec.conf: >> >> >> >> >> 127.0.0.1 >> 10.0.0.0/16 >> 172.17.0.0/16 >> >> >> >> secure >> 10.0.0.0/16 >> 172.17.0.0/16 >> >> >> >> Any ideas? >> >> - Ka-Hing >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] cannot connect to ossec server on docker
Try creating client key with correct ip addresa.. 27.8.2016 12.35 ap. "Ka-Hing Cheung" kirjoitti: > I have ossec server and agent running in two different docker images. The > agent is not able to connect to the server: > > > 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server (ossec > .domain/10.0.129.94:1514). > 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 . > 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply ( > not started). Tried: 'ossec.domain/10.0.129.94'. > > > There's no log on the server for the connection attempt. However, if I > execute nc -u 10.0.129.94 1514 and send a random message, I see this in > the server log: > > > 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 not > allowed. > > > 172.17.42.1 is the IP from the docker interface. I already have this in my > server ossec.conf: > > > > > 127.0.0.1 > 10.0.0.0/16 > 172.17.0.0/16 > > > > secure > 10.0.0.0/16 > 172.17.0.0/16 > > > > Any ideas? > > - Ka-Hing > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] cannot connect to ossec server on docker
I have ossec server and agent running in two different docker images. The agent is not able to connect to the server: 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server (ossec. domain/10.0.129.94:1514). 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 . 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.domain/10.0.129.94'. There's no log on the server for the connection attempt. However, if I execute nc -u 10.0.129.94 1514 and send a random message, I see this in the server log: 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 not allowed. 172.17.42.1 is the IP from the docker interface. I already have this in my server ossec.conf: 127.0.0.1 10.0.0.0/16 172.17.0.0/16 secure 10.0.0.0/16 172.17.0.0/16 Any ideas? - Ka-Hing -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.