Ok, using this http://www.mail-archive.com/ossec-list@googlegroups.com/msg02964.html , I was able to troubleshoot the issue.
I have installed over an ossec install, and I thought I had my agents
already added, but apparently they weren't!
Thanks for your time!
-Anapologetos
On Jun 1, 12:15 pm,
Here are the ossec processes running:
:~/ossec-hids-2.4$ ps aux | grep ossec
ossecm 6258 0.0 0.0 1 652 ? S 11:36 0:00 /var/ossec/bin/ossec-maild
ossec 6266 0.0 0.2 13908 2056 ? S 11:36 0:02 /var/ossec/bin/ossec-analysisd
root 6271 0
Ok, got a bit more info from tcpdump:
14:29:14.326521 IP 192.168.65.251.63375 > ossec-server.1514: UDP, length 73
14:29:14.326605 IP ossec-server > 192.168.65.251: ICMP jack-itsec-01.local udp port 1514 unreachable, length 109
14:29:20.326435 IP 192.168.65.251.63375 > ossec
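The ps listing and the tcpdump capture in the two messages above point the same way: the agent is sending UDP datagrams to port 1514, the server answers each one with ICMP port unreachable, and no ossec-remoted (the daemon that binds UDP 1514 for the secure agent channel) appears in the process list. The thread's resolution was that no agents had been registered yet, so remoted never started. As an added example, not code from the thread or from the OSSEC project, here is a small Python triage script that reads `ps aux` and tcpdump text and reports that combination of symptoms. The sample inputs are constructed (modelled on the pasted output, with invented VSZ/RSS values and an extra ossec-execd line to fill in what the snippet truncated); the function names are my own.

```python
"""Triage helper for the "waiting for server reply" symptom on an OSSEC agent.

Reads `ps aux | grep ossec` output and tcpdump lines, then checks whether the
secure agent port (UDP 1514) actually has a listener.  Added example; the
sample data below is constructed, not real captured output.
"""
import re

OSSEC_SECURE_PORT = 1514  # agent <-> server "secure" channel, UDP

# Constructed sample: what a server looks like when remoted never started.
PS_OUTPUT = """\
ossecm    6258  0.0  0.0   1652   652 ?  S  11:36  0:00 /var/ossec/bin/ossec-maild
ossec     6266  0.0  0.2  13908  2056 ?  S  11:36  0:02 /var/ossec/bin/ossec-analysisd
root      6271  0.0  0.0   2120   452 ?  S  11:36  0:00 /var/ossec/bin/ossec-execd
"""

# Constructed sample: agent retries to 1514, server replies "port unreachable".
TCPDUMP_OUTPUT = """\
14:29:14.326521 IP 192.168.65.251.63375 > ossec-server.1514: UDP, length 73
14:29:14.326605 IP ossec-server > 192.168.65.251: ICMP jack-itsec-01.local udp port 1514 unreachable, length 109
14:29:20.326435 IP 192.168.65.251.63375 > ossec-server.1514: UDP, length 73
"""

# Constructed "healthy" counterparts: remoted running, server answers over UDP.
HEALTHY_PS = PS_OUTPUT + (
    "ossecr    6280  0.0  0.1   4120   980 ?  S  11:36  0:00 /var/ossec/bin/ossec-remoted\n"
)
HEALTHY_TCPDUMP = """\
14:29:14.326521 IP 192.168.65.251.63375 > ossec-server.1514: UDP, length 73
14:29:14.326700 IP ossec-server.1514 > 192.168.65.251.63375: UDP, length 71
"""


def running_ossec_daemons(ps_text):
    """Return the set of ossec-* daemon names present in `ps aux` output."""
    daemons = set()
    for line in ps_text.splitlines():
        m = re.search(r"/var/ossec/bin/(ossec-[a-z]+)", line)
        if m:
            daemons.add(m.group(1))
    return daemons


def agent_packets_and_rejections(tcpdump_text, port=OSSEC_SECURE_PORT):
    """Count agent datagrams sent to `port` (per source IPv4) and the ICMP
    port-unreachable replies for that port.  Returns (senders, rejected)."""
    udp_re = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.%d: UDP" % port)
    icmp_re = re.compile(r"ICMP .*udp port %d unreachable" % port)
    senders = {}
    rejected = 0
    for line in tcpdump_text.splitlines():
        m = udp_re.search(line)
        if m:
            senders[m.group(1)] = senders.get(m.group(1), 0) + 1
        elif icmp_re.search(line):
            rejected += 1
    return senders, rejected


def diagnose(ps_text, tcpdump_text):
    """Return a list of findings; an empty list means nothing looks wrong."""
    daemons = running_ossec_daemons(ps_text)
    senders, rejected = agent_packets_and_rejections(tcpdump_text)
    findings = []
    if senders and "ossec-remoted" not in daemons:
        findings.append("agents %s send to UDP %d but ossec-remoted is not running"
                        % (sorted(senders), OSSEC_SECURE_PORT))
    if rejected:
        findings.append("server answered %d datagram(s) with ICMP port unreachable:"
                        " nothing is bound to UDP %d" % (rejected, OSSEC_SECURE_PORT))
    if "ossec-remoted" not in daemons:
        findings.append("ossec-remoted absent: confirm at least one agent is registered"
                        " (manage_agents) and restart the server")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PS_OUTPUT, TCPDUMP_OUTPUT) or ["no findings"]:
        print("-", finding)
```

On a real server you would feed it `ps aux | grep ossec` and a short `tcpdump -ni any udp port 1514 or icmp` capture; the ICMP unreachable check is the decisive one, because it proves the datagrams reach the host and are refused there rather than being dropped by a firewall in between.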
I am wondering if ossec parses F5 SSL Terminator/Reverse Proxy logs (app tier -
Microsoft IIS and Apache servers) if they are fed as syslog messages.
Has anyone ever tried it? Do I need to do any pre-processing before feeding it
to ossec? Any pointers to accomplish this are greatly appreciated.
If you're using the secure option, it uses port 1514. If you're using
syslog, I think it uses 514.
On Tue, Jun 1, 2010 at 9:59 AM, BOUTROUILLE PASCAL wrote:
> Hello
>
> I always have a problem with the ossec server
>
> I do a new installation from debian to kubuntu.
>
> It's better, because
What ossec processes are running on the server?
Have you tried running tcpdump on the server to see if the packets are
making it?
Anything in the logs of the server or agents that might be useful in
tracking down the issue?
On Tue, Jun 1, 2010 at 11:50 AM, Anapologetos wrote:
> I have installed o
I have installed ossec 2.4 on Ubuntu Lucid as a Server install. I am
trying to connect Server 2008 agents to it, but I continue to get
"waiting for server reply" errors on the agents. I have disabled all
firewalls in between the servers.
When I run netstat on the ossec server, I don't even see an
Hello
I always have a problem with the ossec server
I do a new installation from debian to kubuntu.
It's better, because the server now sees itself in the available agents, so I
have 1 agent: the server.
I have created 2 other agents: 1 Windows and 1 Debian:
/var/ossec/bin# ./agent_c