Fresh install error from Agent

36 views
Skip to first unread message

agsossec

unread,
Jan 8, 2020, 4:29:49 PM1/8/20
to ossec-list
Hello,
We am setting up a test OSSEC server and agent -- both on AWS Linux
On both we
  • ran, sudo wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic
  • saved a copy of the agent config -- /var/ossec/etc/ossec-agent.conf /var/ossec/etc/ossec-agent.conf.orig
  • edited the agent config
    • removed the example line
    • changed the server IP our our OSSEC server IP
    • restarted the OSSEC services
At first we received an error, saying that the system was failing upon not finding the default server IP address -- which was only in the saved copy of the Agent config file.
When we deleted that file, and restarted the service, we now get the error... 

ossec-agentd(4105): ERROR: No valid server IP found.
ossec-agentd(1215): ERROR: No client configured. Exiting.

In the file = /var/ossec/etc/ossec-agent.conf                                                                 

<ossec_config>
  <client>
    <server-ip>10.1.252.41</server-ip>
  </client>

In the logs, we see...

2020/01/08 11:49:37 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2020/01/08 11:49:37 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2020/01/08 11:49:38 ossec-agentd(4105): ERROR: No valid server IP found.
2020/01/08 11:49:38 ossec-execd: INFO: Started (pid: 3326).
2020/01/08 11:49:38 ossec-agentd(1215): ERROR: No client configured. Exiting.

What are doing wrong?
Thank you!



 


theruck242

unread,
Jan 8, 2020, 4:58:43 PM1/8/20
to ossec...@googlegroups.com
you need to add the client on the server side with the appropriate command

On 8 Jan 2020, at 22:29, agsossec <alangu...@gmail.com> wrote:


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/7dbb8b68-6c70-461b-a2b3-9a9ca901eb9c%40googlegroups.com.

agsossec

unread,
Jan 8, 2020, 5:03:37 PM1/8/20
to ossec-list
From the Server, we had previously added the Agent...

§* OSSEC HIDS v3.5.0 Agent manager.     *
§* The following options are available: *
§****************************************
§   (A)dd an agent (A).
§   (E)xtract key for an agent (E).
§   (L)ist already added agents (L).
§   (R)emove an agent (R).
§   (Q)uit.
§Choose your action: A,E,L,R or Q: E
§
§Available agents: 
§   ID: 001, Name: testadmin2, IP: 10.1.252.50

Is that what you are referring to?
To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.

agsossec

unread,
Jan 8, 2020, 10:46:19 PM1/8/20
to ossec-list
We decided to try using Wazuh instead.
Case closed.

dan (ddp)

unread,
Jan 9, 2020, 7:01:56 AM1/9/20
to ossec...@googlegroups.com
I don't have an AWS instance to test against, so I tried the CentOS 7 package.
I couldn't reproduce the issue (but I did have to remove a default agent.conf?).

I even tried using the ossec_config snippet posted above, and couldn't
get the same error.

>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages