OSSEC agents on different subnet unable to connect OSSEC server


Tahir Hafiz

Jun 16, 2016, 12:27:03 PM
to ossec-list
We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine.
However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server.

We have opened up port 1514 UDP between subnets for ingress and egress traffic.

Is there anything that we should do to allow server and agent communication?

dan (ddp)

Jun 16, 2016, 12:41:10 PM
to ossec...@googlegroups.com
Do you see the traffic on the server from the hosts that are having issues?
Do the source IPs match your expectations?

Jesus Linares

Jun 17, 2016, 3:49:28 AM
to ossec-list
It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc.). Then, check out the ossec.log of each agent to see what the issue is.

Tahir Hafiz

Jun 17, 2016, 5:27:19 AM
to ossec-list
Thanks. I am seeing this in the alerts.log for the ones not connecting; I mean they seem to be able to connect in network terms, but not to the OSSEC server instance process:
ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.

Is there something we are not doing to allow these particular agents to connect (a key file, etc.)?

Jose Luis Ruiz

Jun 17, 2016, 5:42:04 AM
to ossec...@googlegroups.com, Tahir Hafiz
Hi Tahir,

Are your agents configured with a static IP, a network, or set to ANY?


Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

dan (ddp)

Jun 17, 2016, 6:45:46 AM
to ossec...@googlegroups.com
On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Thanks. I am seeing this in the alerts.log for the ones not connecting, I
> mean they seem to be able to connect in network terms but not the OSSEC
> server instance process:
> ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
> ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
>
> Is there something we are not doing to allow these particular agents to
> connect - a key file etc?
>

Is that IP an IP you expect an agent to come from?
Did you duplicate IPs when adding agents in manage_agents?

Jesus Linares

Jun 20, 2016, 3:35:12 AM
to ossec-list
Hi Tahir,

It could be an issue with the keys. OSSEC (agents and manager) keep a counter of each message sent and received in /var/ossec/queue/rids. This is a technique to prevent replay attacks. Let's try the following:
  • In an agent of your particular subnet: stop it and go to /var/ossec/queue/rids and remove every file in there.
  • In the manager: stop it and remove the rids file with the same name as the agent id that is reporting errors.
  • Restart the manager and the agent.
Then, review the ossec.log of the agent to see what happens.

In case this works, you will need to do the same in each agent. Also, if you don't need the feature to prevent replay attacks, you can disable it by changing remoted.verify_msg_id from 1 to 0 in /var/ossec/etc/internal_options.conf.

Regards.

Jesus Linares

Jun 20, 2016, 3:40:55 AM
to ossec-list
Before doing what I said above, check that your client.keys doesn't have duplicated IPs.

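As an added example (not from the thread and not OSSEC's own code), a small POSIX shell audit of a client.keys file for the two conditions the replies above ask about: IPs registered more than once, and a source IP that no key entry covers. It assumes the standard `<id> <name> <ip> <key>` line layout, where `<ip>` may be an address, a CIDR network or `any`; every sample entry is constructed.

```shell
#!/bin/sh
# Added example (not the thread's or OSSEC's own code): audit a client.keys
# file for the two conditions the replies above ask about, a source IP that
# no key entry covers and an IP registered more than once. Layout assumed:
# "<id> <name> <ip> <key>" per line, where <ip> is an address, a CIDR network
# or "any". All sample entries below are constructed.
KEYS_SAMPLE='001 web01 10.0.1.10 0123456789abcdef0123456789abcdef
002 web02 10.0.1.11 fedcba9876543210fedcba9876543210
003 db01 10.0.2.15 00ff00ff00ff00ff00ff00ff00ff00ff
004 db01-old 10.0.2.15 ff00ff00ff00ff00ff00ff00ff00ff00
005 dbnet 10.0.2.0/24 11112222333344441111222233334444'

write_sample_keys() {  # write the constructed sample to a temp file, print its path
    f=$(mktemp) && printf '%s\n' "$KEYS_SAMPLE" >"$f" && printf '%s\n' "$f"
}

# IPs that appear on more than one key line ("any" entries are skipped).
dup_ips() {  # $1 = path to client.keys
    awk '$3 != "any" { seen[$3]++ } END { for (ip in seen) if (seen[ip] > 1) print ip }' "$1" | sort
}

# Space-separated IDs of every entry covering a source IP (exact address, CIDR
# network or "any"). Empty output: the manager holds no key for that source.
matching_ids() {  # $1 = path to client.keys, $2 = source IP
    awk -v src="$2" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        function covers(entry,  p, hostsize) {
            if (entry == "any" || entry == src) return 1
            if (split(entry, p, "/") != 2) return 0
            hostsize = 2 ^ (32 - p[2])   # divide instead of shifting: POSIX awk has no bit ops
            return int(ip2n(p[1]) / hostsize) == int(ip2n(src) / hostsize)
        }
        covers($3) { ids = ids (ids == "" ? "" : " ") $1 }
        END { print ids }' "$1"
}

# Stand-alone run: report duplicates, then classify a few constructed source IPs.
keys=$(write_sample_keys)
echo "duplicate IPs: $(dup_ips "$keys")"
for ip in 10.0.1.10 10.0.2.15 10.0.2.200 10.0.3.77; do
    ids=$(matching_ids "$keys" "$ip")
    if [ -z "$ids" ]; then echo "$ip -> no key entry, manager would reject it"
    elif [ "${ids#* }" != "$ids" ]; then echo "$ip -> ambiguous, matches agents $ids"
    else echo "$ip -> agent $ids"; fi
done
rm -f "$keys"
```

Run it against the manager's real file by replacing the constructed sample with `/var/ossec/etc/client.keys`; an ambiguous or empty result for an agent's source IP is the first thing to fix before clearing rids counters.
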
Tahir Hafiz

Jun 21, 2016, 6:00:02 AM
to ossec-list
This actually turned out to be a networking issue: the two subnets were not talking to each other.
Thanks all!