agent troubles


Magnus Egilsson
Jan 24, 2007, 7:34:16 AM
to ossec...@ossec.net

Hi

Has anyone experienced not being able to add more than 5 agents to the server? After restart I can see number six added in the ossec-log. I can see IP traffic from the agent but the server remains silent. No errors occur in logs and I've tried this with iptables on and off. The server is running latest Gentoo.

The first five agents are running like a charm and are doing a very good job. What I find strange is I clone the basic config on agents / server so everything should be working fine. Client number six is on the same subnet as the server.

Maybe this is just beginner error since I'm rather new to ossec :)

Best regards,

Magnus


Rafael Capovilla
Jan 24, 2007, 8:53:14 AM
to ossec...@googlegroups.com
I got 11 agents and no problems :)

--
Certified LPIC -1
http://under-linux.org/

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Fred
Jan 24, 2007, 9:13:26 AM
to ossec...@googlegroups.com, ossec...@ossec.net
Hello,

I installed 14 agents (Linux RedHat Enterprise 3 and 4, and AIX 5.2) and one server (Linux). And yes, I experienced some troubles with that installation, and in particular the following problem:

    - Syscheck modules never worked, on any of the 14 agents

And I never saw any errors in logs, including with full debug options activated on agents and server. All I can say, and maybe it could be the source of trouble, is that Ossec agents were installed on test machines and then exported to production servers, which had no compilers for security reasons.

One way to bypass this problem is to install Ossec agents as "Server", and not as agents. So, instead of communicating with an Ossec server, "agents" communicate with an SMTP server for alert emails. Less easy to manage, but efficient!

And it seems that I'm alone in having this problem...

However, I would say that Ossec is great software, I think the best of HIDS. Let's wait a few months until there are more different types of Ossec installations ;-)

Fred

Daniel Cid
Jan 24, 2007, 10:27:40 PM
to ossec...@googlegroups.com
Hi Magnus,

I didn't understand your problem well. What do you mean by "I can see ip traffic from the agent but the server remains silent"? Is your agent getting the "unable to connect" errors in the logs or are you just not seeing any alerts from it? If you do something like a 'logger "Segmentation Fault"' on the agent, do you see any alert on the server?

*You will not get any alert if nothing is happening in the agent...

*The most common cause of problems is related to authentication keys (wrong IP, or duplicated entry, etc).

If the problem is different, try to provide us with more information (like your ossec config, parts of the log, etc) ...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
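A defender-side check for the "authentication keys" cause Daniel points at, added here as an example and not part of the thread or of OSSEC itself: it parses a client.keys file in the OSSEC `ID NAME IP KEY` layout and flags duplicate IDs, names or IPs as well as malformed IP fields. The sample file contents are constructed, and the acceptance of CIDR ranges and the literal "any" in the IP field is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample in client.keys layout: "ID NAME IP KEY" (keys shortened).
SAMPLE_CLIENT_KEYS = """\
001 web01 192.168.1.10 0123456789abcdef0123456789abcdef
002 db01 192.168.1.11 fedcba9876543210fedcba9876543210
003 app01 192.168.1.12 00112233445566778899aabbccddeeff
003 app02 192.168.1.13 ffeeddccbbaa99887766554433221100
004 mail01 192.168.1.12 deadbeefdeadbeefdeadbeefdeadbeef
005 bad01 192.168.1.999 cafebabecafebabecafebabecafebabe
"""

def parse_client_keys(text):
    """Return (id, name, ip, key) tuples; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        entries.append(tuple(parts))
    return entries

def find_key_problems(entries):
    """Return a list of problem strings; an empty list means the file looks clean."""
    problems = []
    # A duplicated ID, name or IP is exactly the "duplicated entry" Daniel mentions.
    for field, idx in (("id", 0), ("name", 1), ("ip", 2)):
        counts = Counter(e[idx] for e in entries)
        for value in sorted(v for v, n in counts.items() if n > 1):
            problems.append(f"duplicate {field}: {value}")
    # Assumption: the IP field may be one address, a CIDR range, or the literal "any".
    for agent_id, name, ip, _key in entries:
        if ip == "any":
            continue
        try:
            ipaddress.ip_network(ip, strict=False)
        except ValueError:
            problems.append(f"invalid ip for agent {agent_id} ({name}): {ip}")
    return problems

if __name__ == "__main__":
    for problem in find_key_problems(parse_client_keys(SAMPLE_CLIENT_KEYS)):
        print(problem)
```

Run it against a real /var/ossec/etc/client.keys on the server; a clean file prints nothing.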

Magnus Egilsson
Jan 25, 2007, 5:08:30 AM
to ossec...@googlegroups.com
Hi David

I can see the agent sending UDP packets to the server (agent starting up) but there seems to be no response to them (server not responding); it's like the server is totally ignoring the client. I don't get any errors in agent / server logs, the server appears to start up normally and does service the first five agents without a hitch.

The IP addresses check out, no duplicate entries, no errors on keys, tried this many times without firewalls but no success, everything looks painfully normal.

I've tried adding other machines as well but no go.

Is there some kind of debug mode for the server?

Best regards
Magnus


Magnus Egilsson
Jan 26, 2007, 3:52:58 AM
to ossec...@ossec.net

Hi

Took the advice from an earlier email on having a separate server instead of an agent. Works perfectly on the misshaped wannabe agent machines.

It would be nice if future versions of ossec included some sort of dump / detailed logging mode for communications between agent / server.

Regards

Magnús Egilsson


Nicolas Arias
Jan 28, 2007, 5:48:06 PM
to ossec...@googlegroups.com
Guys, here's the magazine article that I've been working on.

It's in Spanish, sorry for that, but I don't have time to do a translation.

Any comments / suggestions are going to be appreciated.

I'm going to send it to the magazine around mid week.

Cheers!
OSSEC.doc

John J. Culkin
Jan 29, 2007, 1:03:26 PM
to ossec...@googlegroups.com
Can OSSEC act as a centralized log host for Linux machines? Or should I keep investigating solutions like metalog and syslog-ng?

If it can act as a centralized log host, are there any examples using it with stunnel to secure the connections?

Thanks,

-- John C.

--
John J. Culkin Systems Administrator
John....@Scranton.edu The University of Scranton
Phone: (570) 941-7665

Daniel Cid
Jan 29, 2007, 9:11:17 PM
to ossec...@googlegroups.com, John J. Culkin
Hi John,

OSSEC can act as a *centralized log for Linux and it will encrypt the logs while in transit (no need for stunnel to encrypt the connections). However, it is not a replacement for syslog or syslog-ng. It can basically read the log files on the agents (your Linux systems) and forward them to the ossec server (along with integrity data, etc).

By default ossec will not store every received log, just the ones that match any of our rules, but you can configure it to log everything (log_all tag). You will see them at /var/ossec/logs/archives/ if you enable logging all.

*Note that ossec is meant to be a log analysis engine, so you will not have as many options regarding how to archive your logs.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
