Couple of agents unable to connect to server


Cal

Jan 4, 2016, 12:25:02 PM
to ossec-list
I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.

Logs:

  • Agent:
    • 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
      2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
  • Server:
    • Nothing outside the standard output, even with debug enabled

What I've done so far:
  • Added rules into iptables to allow communication on both agent/server
  • TCPdump confirming on agent that it is sending packet
  • TCPdump confirming on server that it is receiving agent packet
  • Netcat on both server/agent:
    • netcat -uv SERVER_IP 1520
      Connection to SERVER_IP 1520 port [udp/*] succeeded!
    • netcat -uv AGENT_IP 1520
      Connection to AGENT_IP 1520 port [udp/*] succeeded!

ossec.conf:

    <ossec_config>
      <client>
        <server-ip>SERVER_IP</server-ip>
        <port>1520</port>
      </client>
      <remote>
        <connection>secure</connection>
        <protocol>tcp</protocol>
        <port>1520</port>
      </remote>


Cal

Jan 4, 2016, 12:35:44 PM
to ossec-list
Also, from agent:

# netstat -panu | grep 1520
udp        0      0 AGENT_IP:43737     SERVER_IP:1520      ESTABLISHED 30669/ossec-agentd

Cal

Jan 4, 2016, 2:06:04 PM
to ossec-list
Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.
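
Added example, not part of the thread: a shell check for the two things the fix above touched, the permissions and the contents of the agent key file. It assumes entries of the form `ID NAME IP KEY`, a key file meant to be readable by the OSSEC group and closed to other users, and GNU `stat`; the function name `check_client_keys` is hypothetical.

```shell
#!/bin/sh
# Added example: check an OSSEC agent key file (default installs keep it at
# /var/ossec/etc/client.keys) for the problems a chmod or a re-issued key fixes.
# Assumptions: one "ID NAME IP KEY" entry per line; the file is meant to be
# group-readable (OSSEC group) and closed to others; GNU stat is available.
# Return codes: 0 ok, 2 missing, 3 open to others, 4 group cannot read,
# 5 malformed, duplicate or missing entry.
check_client_keys() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f"; return 2; }
    mode=$(stat -c %a "$f") || return 2

    # Last octal digit = permissions for "other" users.
    if [ $((mode % 10)) -ne 0 ]; then
        echo "mode $mode: key file is accessible to other users"; return 3
    fi
    # Second-to-last digit = group permissions; bit 4 is read.
    if [ $(( (mode / 10) % 10 & 4 )) -eq 0 ]; then
        echo "mode $mode: group cannot read the key file"; return 4
    fi

    # Every non-empty line needs exactly 4 fields, a numeric ID, and a unique ID.
    awk '
        NF == 0 { next }
        NF != 4 || $1 !~ /^[0-9]+$/ { bad = 1 }
        seen[$1]++ { bad = 1 }
        { n++ }
        END { exit (bad || n == 0) }
    ' "$f" || { echo "malformed, duplicate or missing entry in $f"; return 5; }

    echo "ok: $f (mode $mode)"
}

# Run against a file given on the command line.
if [ "$#" -gt 0 ]; then
    check_client_keys "$1"
fi
```

Run it as root on the agent with the key file path as the only argument; a non-zero exit code identifies which check failed.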

Santiago Bassett

Jan 4, 2016, 4:17:00 PM
to ossec...@googlegroups.com
Usually there are warning or error messages in the ossec.log file (check those both in the agent and manager).
