OSSEC Agent not working


Руслан Аминджанов

Apr 13, 2017, 6:24:32 PM
to ossec-list, amindzhan...@me.com
Hello!
I installed the OSSEC server and client on 2 hosts; however, the agent is shown as "Never connected". There is no firewall between these hosts, and if I use netcat to connect to the server, its log shows that the message is not properly formatted.
Output of tcpdump:

00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73

dan (ddp)

Apr 13, 2017, 6:27:06 PM
to ossec...@googlegroups.com
On Thu, Apr 13, 2017 at 6:09 PM, Руслан Аминджанов
<thetec...@gmail.com> wrote:
> Hello!
> I installed the OSSEC server and client on 2 hosts; however, the agent is
> shown as "Never connected". There is no firewall between these hosts, and if
> I use netcat to connect to the server, its log shows that the message is not
> properly formatted.

Did you add the agent using manage_agents and then restart the OSSEC
processes on the server?
Did you export the key and add it to your agent and then start the
OSSEC processes on the agent?

> Output of tcpdump:
>
> 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
> 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
> 00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
> 00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
> 00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
> 00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
> 00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
> 00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73

Руслан Аминджанов

Apr 14, 2017, 4:21:32 AM
to ossec-list
Yes, I did it.

dan (ddp)

Apr 14, 2017, 2:44:18 PM
to ossec...@googlegroups.com
On Fri, Apr 14, 2017 at 4:21 AM, Руслан Аминджанов
<thetec...@gmail.com> wrote:
> Yes, I did it.
>

Configure debug mode on the OSSEC server
(`/var/ossec/bin/ossec-control enable debug &&
/var/ossec/bin/ossec-control restart`).
Then check the server's ossec.log again to see if an error is produced.

Руслан Аминджанов

Apr 15, 2017, 4:57:28 AM
to ossec-list
Reinstalled on both server and client, enabled debug mode. Still same situation.

On Friday, April 14, 2017 at 21:44:18 UTC+14, dan (ddpbsd) wrote:

dan (ddp)

Apr 15, 2017, 1:06:38 PM
to ossec...@googlegroups.com
On Sat, Apr 15, 2017 at 4:57 AM, Руслан Аминджанов
<thetec...@gmail.com> wrote:
> Reinstalled on both server and client, enabled debug mode. Still same
> situation.
>

Are there any relevant logs in the server's ossec.log?
Are there any relevant logs in the agent's ossec.log?
Help me help you.

Kat

Apr 15, 2017, 5:59:49 PM
to ossec-list, amindzhan...@me.com
It really sounds like you are missing a step -- perhaps post the steps you do for the install, adding an agent etc, showing the commands and results. We need something more to help you. 

Kat

Victor Fernandez

Apr 17, 2017, 3:46:29 AM
to ossec...@googlegroups.com, amindzhan...@me.com
Hi,

Do you have more than one network interface on your manager? I find your tcpdump log a bit unusual:

00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73

It seems that the manager is responding (probably an ACK message) but it is doing it from a different IP (10.2.2.13 instead of 10.2.2.12).

Do you see any error at /var/ossec/log/ossec.log at the agent?

Best regards. 

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
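
The check described in the message above, as an added example that is not part of the original thread: it parses tcpdump's one-line UDP output and flags every reply whose source IP differs from the address the client had sent to. The capture lines are the ones posted in the thread; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# tcpdump one-line format: "<time> IP <src>.<port> > <dst>.<port>: UDP, length N"
# The port may be printed as a service name (fujitsu-dtcns is the
# /etc/services name for port 1514).
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>[^\s.]+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>[^\s.:]+): UDP"
)

def find_asymmetric_replies(lines):
    """Return (timestamp, client_ip, sent_to_ips, replied_from_ip) for every UDP
    reply whose source IP is not an address the client had sent to."""
    sent = defaultdict(set)  # (client_ip, client_port, server_port) -> dst IPs
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        ts, sip, sport, dip, dport = m.group("ts", "sip", "sport", "dip", "dport")
        reply_key = (dip, dport, sport)  # packet heading back to a known client
        if reply_key in sent:
            if sip not in sent[reply_key]:
                findings.append((ts, dip, sorted(sent[reply_key]), sip))
            continue
        sent[(sip, sport, dport)].add(dip)  # otherwise record it as a request
    return findings

# First two request/reply pairs from the capture posted in the thread.
THREAD_CAPTURE = """\
00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
""".splitlines()

if __name__ == "__main__":
    for ts, client, sent_to, got in find_asymmetric_replies(THREAD_CAPTURE):
        print(f"{ts} {client} sent to {', '.join(sent_to)} "
              f"but was answered from {got}")
```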

Руслан Аминджанов

Apr 17, 2017, 10:16:44 AM
to ossec-list, amindzhan...@me.com
I am reinstalling system right now but it looks like this was the issue. Thank you very much!

On Monday, April 17, 2017 at 7:01:29 UTC+5:45, Victor Fernandez wrote:

Руслан Аминджанов

May 27, 2017, 5:39:36 PM
to ossec-list, amindzhan...@me.com
Fully reinstalled the system and got a new problem: the agents are still not connecting, but now even if I send messages to ossec-remoted via netcat there are no entries in the log. Checked via netstat, and ossec-remoted is listening.

On Monday, April 17, 2017 at 18:01:44 UTC+5:45, Руслан Аминджанов wrote:

dan (ddp)

May 27, 2017, 8:38:13 PM
to ossec...@googlegroups.com
On Sat, May 27, 2017 at 5:39 PM, Руслан Аминджанов
<thetec...@gmail.com> wrote:
> Fully reinstalled the system and got a new problem: the agents are still not
> connecting, but now even if I send messages to ossec-remoted via netcat there
> are no entries in the log. Checked via netstat, and ossec-remoted is listening.
>

Turn on debug mode on the manager (`/var/ossec/bin/ossec-control
enable debug`), restart OSSEC (`/var/ossec/bin/ossec-control
restart`), and try again.

Руслан Аминджанов

May 28, 2017, 6:38:40 PM
to ossec-list
Still nothing.
https://0bin.net/paste/7rMT6xDrnBLdjAZd#HIJmfdpKt4bnGmgsV30SdbywkXSi0-pnzZ7UXZBDffw

On Saturday, May 27, 2017 at 22:38:13 UTC+5, dan (ddpbsd) wrote: