Re: [ossec-list] connection issue?


Joe Gedeon

Sep 3, 2012, 9:07:46 PM
to ossec...@googlegroups.com
Looks like you have the wrong OSSEC key on the OSSEC Client.

On Fri, Aug 31, 2012 at 5:21 PM, dkoleary <dkol...@olearycomputers.com> wrote:
> Hey;
>
> I'm suspecting a firewall issue, but there's an odd twist. We installed the
> ossec agent on an aix 5.3 box; but, it's not able to connect to the ossec
> server. On the client, we're getting the typical:
>
> 2012/08/31 16:01:21 ossec-agentd(4101): WARN: Waiting for server reply (not
> started). Tried: '111.22.33.444'.
> 2012/08/31 16:01:23 ossec-agentd: INFO: Trying to connect to server
> (111.22.33.444:1514).
> 2012/08/31 16:01:23 ossec-agentd: INFO: Using IPv4 for: 111.22.33.444 .
>
> We verified that the client.keys file has the right information in it,
> restarted the service looking for any errors and nothing. Screen output was
> clean; ossec.log file is clean.
>
> The twist, though, is that the ossec server is clocking errors:
>
> ossec-remoted(1403): ERROR: Incorrectly formated message from '111.77.88.99'
>
> I asked the client to verify the firewall port 1514 is open stateful to the
> server; however, I'm not sure that's it. If the firewall were blocking the
> traffic, I wouldn't expect to see anything on the server... should I be
> looking somewhere else?
>
> Any hints/tips/suggestions greatly appreciated.
>
> Doug O'Leary



--
Registered Linux User # 379282

Thomas Bartos

Sep 3, 2012, 9:44:46 PM
to ossec...@googlegroups.com

Check your Firewall and make sure UDP protocol is open on port 1514 
-tom

Joe Gedeon

Sep 3, 2012, 10:43:53 PM
to ossec...@googlegroups.com
The log message on the server shows the problem.

The twist, though, is that the ossec server is clocking errors:

ossec-remoted(1403): ERROR: Incorrectly formated message from '111.77.88.99'

nOBEL jUNG

Jan 11, 2019, 9:37:36 PM
to ossec-list
Hello,

I got the same problem in agent AIX7.1 with wazuh-3.6.1, as follows:
..........ossec.log .................
2019/01/12 11:03:03 ossec-agentd: INFO: Trying to connect to server (192.168.0.98:1514/udp).
2019/01/12 11:03:24 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '192.168.0.98'

------ checking port------------
bash-3.2# netstat -Aan|grep 1514
f1000e0000086e00 udp4       0      0  192.168.0.35.32956    192.168.0.72.1514
bash-3.2# netstat -Aan|grep ossec-agentd
bash-3.2#

-----checking port config------------
#vi /etc/services
..........
fujitsu-dtcns    1514/tcp               # Fujitsu Systems Business of America, Inc
fujitsu-dtcns    1514/udp               # Fujitsu Systems Business of America, Inc
............

Many thanks,

n.j


On Tuesday, September 4, 2012 at 10:44:46 AM UTC+9, Thomas Bartos wrote:

dan (ddp)

Jan 14, 2019, 10:13:35 AM
to ossec...@googlegroups.com
On Fri, Jan 11, 2019 at 9:37 PM nOBEL jUNG <datate...@gmail.com> wrote:
>
> Hello,
>
> I got the same problem in agent AIX7.1 with wazuh-3.6.1, as follows:

You might get better help by asking the Wazuh folks.
Run tcpdump on your OSSEC manager. Make sure the packets from the
OSSEC agent are arriving from the expected IP address (no NAT or
anything in the way).
Check for packets being sent to the agent from the OSSEC manager.
Run the OSSEC manager in debug mode (`/var/ossec/bin/ossec-control
enable debug && /var/ossec/bin/ossec-control restart`) and look for
errors in the ossec.log.
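An added example, not part of any post in this thread and not OSSEC project code: a script that takes the source addresses from the manager's "Incorrectly formated message" (1403) errors and checks each against the addresses registered in the manager's client.keys. It assumes client.keys lines have the form `ID NAME IP KEY` with `IP` an address, a CIDR range or `any`; the sample log lines, keys and addresses are constructed, and `load_allowed` and `triage` are hypothetical helper names.

```python
import ipaddress
import re

# Server-side error quoted in the thread; code may follow the daemon name or the severity.
ERR_RE = re.compile(r"ossec-remoted.*?\(1403\).*?from '([^']+)'")

# Constructed sample data (documentation address ranges, dummy keys).
SAMPLE_KEYS = """\
001 aix-db01 192.0.2.35 0123456789abcdef0123456789abcdef
002 branch-net 198.51.100.0/24 fedcba9876543210fedcba9876543210
"""
SAMPLE_LOG = """\
2012/08/31 16:01:24 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.0.2.35'
2012/08/31 16:02:10 ossec-remoted(1403): ERROR: Incorrectly formated message from '203.0.113.9'
2012/08/31 16:02:11 ossec-remoted(1403): ERROR: Incorrectly formated message from '198.51.100.20'
"""

def load_allowed(keys_text):
    """Parse client.keys lines (assumed "ID NAME IP KEY") into (id, network)."""
    entries = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        agent_id, _name, ip, _key = parts
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if ip == "any" else ip, strict=False)
        except ValueError:
            continue  # address field is not an IP, CIDR range or "any"
        entries.append((agent_id, net))
    return entries

def triage(log_text, keys_text):
    """Map each source IP seen in a 1403 error to the agent IDs covering it."""
    allowed = load_allowed(keys_text)
    seen = {}
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # masked or invalid address in the log line
        seen[str(src)] = [aid for aid, net in allowed if src in net]
    return seen

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_KEYS))
```

An empty list means no client.keys entry covers that source, which points at the address check suggested above (NAT or an unexpected agent IP); a non-empty list means an entry exists, so the next comparison is the key itself on agent and manager.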

NOBEL

Jan 19, 2019, 6:54:05 PM
to ossec...@googlegroups.com
Hi,

Thanks to your tips, I solved that issue.
I do appreciate your time.

Many thanks,

On Tue, Jan 15, 2019 at 12:13 AM, dan (ddp) <ddp...@gmail.com> wrote: