OSSEC Agent to server communication issue


vi...@acpl.com

Oct 25, 2016, 8:50:50 AM
to ossec-list
Hi,

An agent-to-server communication issue is occurring on multiple machines, and the logs below are being generated on the client machine. We have asked the customer to check for packet drops on the firewall, but according to the customer there are no packet drops on the firewall for the client machines.

2016/10/25 16:33:19 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x'.
2016/10/25 17:00:03 ossec-agent: INFO: Trying to connect to server (x.x.x.x:1514).
2016/10/25 17:00:03 ossec-agent: INFO: Using IPv4 for: x.x.x.x

Kindly help..

Regards
Vipin

dan (ddp)

Oct 25, 2016, 8:52:45 AM
to ossec...@googlegroups.com
Are there any log messages related to this agent in the ossec.log on the server?
Does the IP address of the packets from this agent (as seen with
tcpdump on the OSSEC server) match the IP address in client.keys on
the server?

> Kindly help..
>
> Regards
> Vipin
>

vi...@acpl.com

Nov 5, 2016, 5:24:25 AM
to ossec-list
Hi,

Can you help me with detailed information on this: "Does the IP address of the packets from this agent (as seen with tcpdump on the OSSEC server) match the IP address in client.keys on the server?" I am new to this product.

Regards
Vipin Hooda  

Victor Fernandez

Nov 7, 2016, 5:09:18 AM
to ossec-list
Hi Vipin,

Prior to connecting to the manager, agents must be registered on it. For example, let the manager's IP be 1.1.1.1 and the agent's IP be 2.2.2.2.

First, use /var/ossec/bin/manage_agents to add an agent. Choose an arbitrary name for it, then you'll be asked for the agent's IP. If the agent's IP will always be the same (2.2.2.2), write it; otherwise, if the agent's IP is dynamic or can change, write "any" as the IP. The manager will reject an agent if its IP doesn't match the registered IP (unless it is "any").

Once the agent is registered, use option E (in manage_agents) to extract the agent's key. Then go to the agent and run /var/ossec/bin/manage_agents; in this case you'll see that there's no option to add an agent, but you can import (option I) a key. Select that option and paste the key that you extracted from the manager.

You can get more information about agent management at: http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html.

Now restart the manager (in order to reload the agents' keys) and the agent. You should get a message in the log such as:

2016/11/07 10:55:27 ossec-agentd(4102): INFO: Connected to the server (1.1.1.1:1514).

The manager should trigger this alert:

** Alert 1478512792.55161: mail  - ossec,pci_dss_10.6.1,
2016 Nov 07 10:59:52 (CentOS) 2.2.2.2->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'CentOS->2.2.2.2'.


A common error is that the agent was not registered with the proper IP, or the key is not correctly imported into the agent. In this case, the manager's log would print messages like:

2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
or:
2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.


If you see those messages, check the previous steps. But if no message appears in the manager, packets may not be arriving at the server, so use tools such as netstat or tcpdump to check your network. By default, OSSEC uses port 1514/UDP.

Hope it helps.

Kind regards,
Victor.
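The two checks described in this thread (does the source IP in the manager's remoted errors match the IP registered in client.keys, and is the ID registered at all) can be automated over the manager's ossec.log. This is an added example, not code from the thread or from OSSEC; the client.keys content and log lines are constructed in the style shown above, and the keys are placeholders.

```python
import re

# Constructed sample of the manager's /var/ossec/etc/client.keys.
# Real entries are "ID NAME IP KEY"; the key values here are placeholders.
CLIENT_KEYS = """\
001 webserver 2.2.2.2 PLACEHOLDER_KEY_001
002 laptop any PLACEHOLDER_KEY_002
"""

# Constructed ossec-remoted lines in the format quoted in the thread.
MANAGER_LOG = """\
2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.
2016/11/07 10:59:52 ossec-remoted(1408): ERROR: Invalid ID 001 for the source ip: '3.3.3.3'.
"""

INVALID_ID = re.compile(
    r"ossec-remoted\(1408\): ERROR: Invalid ID (\d+) for the source ip: '([^']+)'")
BAD_FORMAT = re.compile(
    r"ossec-remoted\(1403\): ERROR: Incorrectly formated message from '([^']+)'")


def parse_client_keys(text):
    """Map agent ID -> (name, registered IP) from client.keys content."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and not line.startswith("#"):
            agents[parts[0]] = (parts[1], parts[2])
    return agents


def triage(log_text, keys_text):
    """Return (agent_id, source_ip, verdict) for each remoted error line."""
    agents = parse_client_keys(keys_text)
    findings = []
    for line in log_text.splitlines():
        m = INVALID_ID.search(line)
        if m:
            agent_id, src_ip = m.groups()
            if agent_id not in agents:
                verdict = "id-not-registered"          # add the agent with manage_agents
            elif agents[agent_id][1] not in ("any", src_ip):
                verdict = "ip-mismatch:" + agents[agent_id][1]  # re-register or use "any"
            else:
                verdict = "unexplained"                # registration looks right; check the key
            findings.append((agent_id, src_ip, verdict))
            continue
        m = BAD_FORMAT.search(line)
        if m:
            # Per the thread: typically a key not (correctly) imported on the agent.
            findings.append((None, m.group(1), "bad-key-or-format"))
    return findings
```

If the script reports nothing although agents are failing, no messages are reaching remoted and the network path (1514/UDP) is the next thing to check with tcpdump.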

Kumar G

Nov 8, 2016, 9:13:38 AM
to ossec-list
Don't know if this falls under the same issue. We are getting the same error messages on one of the ossec servers, A: no new agents added via manage_agents or ossec_authd were changing status from "Never connected" to Active after adding them. Both manual and ossec auth worked out; these were the first agents which I tried to connect and they did not.

Hence I had to repoint them to another ossec server, B, where it worked. So is it safe to delete the client.keys file from the first ossec server and add a server via manage_agents? Please let us know if it's safe to delete client.keys. There are no agents currently reporting to ossec server A.


Thanks
Kumar

dan (ddp)

Nov 8, 2016, 9:20:22 AM
to ossec...@googlegroups.com
On Tue, Nov 8, 2016 at 9:13 AM, Kumar G <mkg...@gmail.com> wrote:
> Don't know if this falls under the same issue. We are getting the same error messages on one of the ossec servers, A: no new agents added via manage_agents or ossec_authd were changing status from "Never connected" to Active after adding them. Both manual and ossec auth worked out; these were the first agents which I tried to connect and they did not.
>
> Hence I had to repoint them to another ossec server, B, where it worked. So is it safe to delete the client.keys file from the first ossec server and add a server via manage_agents? Please let us know if it's safe to delete client.keys. There are no agents currently reporting to ossec server A.
>

Stop the OSSEC processes on that server, then delete the file.

>
> Thanks
> Kumar

Michael Dukelsky

Nov 11, 2016, 9:51:25 AM
to ossec...@googlegroups.com
Hi,

After I installed the ossec agent from ossec-hids-2.8.3-53.el6.art.i686.rpm on CentOS 6, I
see that the ossec processes are unconfined.

ps -eZ | grep unconfined
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7554 ? 00:00:00 ossec-execd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7558 ? 00:00:00 ossec-agentd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7562 ? 00:00:00 ossec-logcollec
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7566 ? 00:00:00 ossec-syscheckd

Is there a SELinux policy for ossec?

Best regards,
Michael Dukelsky

Christina Plummer

Nov 17, 2016, 4:27:21 PM
to ossec-list

> Is there a SELinux policy for ossec?

I don't think there is.  I'd be potentially interested in helping if someone were to start working on one, though.  Currently I run unconfined and then set up a few file context rules to allow logrotate to work.


cgzones

Nov 18, 2016, 8:24:11 AM
to ossec...@googlegroups.com
I started one a while ago, but I don't know if it's still working and how
well remote connections and active response are supported.
Also I am unaware of where the rpm package installs ossec.
Feel free to take a look.
ossec.fc
ossec.if
ossec.te