On Fri, Aug 31, 2018 at 9:53 AM Don_Johny <
dzenis...@gmail.com> wrote:
>
> Hello, I have a problem connecting agents. I installed OSSEC on Ubuntu Server 16.04 virtual machines, added an agent (with IP and any) and extracted the key, but when I view the agent list I only get "No agent available". Could anyone know what the issue is? Here are my logs from the machines. Any help is appreciated, thanks in advance.
Make sure the firewall on the OSSEC server is allowing traffic in on UDP 1514.
Restart the OSSEC server in debug mode (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`).
Check the logs when the agent is trying to connect.
Use tcpdump to see if the agent's connection attempts are making it to
the server. If so, does the server reply?
> Log file from server:
> 2018/08/31 13:07:57 ossec-analysisd: INFO: White listing IP: '
> 2018/08/31 13:07:57 ossec-analysisd: INFO: 7 IPs in the white list for active response.
> 2018/08/31 13:07:57 ossec-analysisd: INFO: White listing Hostname: '::1'
> 2018/08/31 13:07:57 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> 2018/08/31 13:07:57 ossec-analysisd: INFO: Started (pid: 5794).
> 2018/08/31 13:07:58 ossec-monitord: INFO: Started (pid: 5813).
> 2018/08/31 13:07:58 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
> 2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2018/08/31 13:07:58 ossec-remoted: INFO: No previous counter available for 'sv2'.
> 2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: '0:0'.
> 2018/08/31 13:07:58 ossec-remoted: INFO: No previous sender counter.
> 2018/08/31 13:07:58 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> 2018/08/31 13:08:00 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2018/08/31 13:08:02 ossec-syscheckd: INFO: Started (pid: 5810).
> 2018/08/31 13:08:02 ossec-rootcheck: INFO: Started (pid: 5810).
>
> 2018/08/31 13:08:03 ossec-logcollector: INFO: Started (pid: 5799).
> 2018/08/31 13:08:22 INFO: Connected to 127.0.1.1 at address 127.0.1.1, port 25
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2018/08/31 13:09:04 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/messages'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/secure'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/maillog'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
> 2018/08/31 13:10:13 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/exim_mainlog'.
> 2018/08/31 13:13:21 ossec-syscheckd(1124): ERROR: Could not rename file '/usr/bin/vmware-user' to '/var/ossec/queue/diff/local/usr/bin/vmware-user/last-entry' due to [(2)-(No such file or directory)].
>
> Log from agent:
>
> 2018/08/31 12:34:46 ossec-execd: INFO: Started (pid: 10201).
> 2018/08/31 12:34:46 ossec-agentd: INFO: Using notify time: 600 and max time to $
> 2018/08/31 12:34:46 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2018/08/31 12:34:46 ossec-agentd: INFO: Started (pid: 10205).
> 2018/08/31 12:34:46 ossec-agentd: INFO: Server 1: 157.97.106.107
> 2018/08/31 12:34:46 ossec-agentd: INFO: Trying to connect to server 157.97.106.$
> 2018/08/31 12:34:46 INFO: Connected to 157.97.106.107 at address 157.97.106.107$
> 2018/08/31 12:34:46 rootcheck: System audit file not configured.
> 2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
> 2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
> 2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
> 2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
> 2018/08/31 13:09:09 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
> 2018/08/31 13:09:09 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
> 2018/08/31 13:09:11 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2018/08/31 13:09:11 ossec-syscheckd: WARN: Process locked. Waiting for permission...
> 2018/08/31 13:09:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
> 2018/08/31 13:10:08 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
> 2018/08/31 13:10:08 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
> 2018/08/31 13:10:21 ossec-logcollector: WARN: Process locked. Waiting for permission...
> 2018/08/31 13:10:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
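The checks suggested in the reply above, turned into a small log triage script that a defender can run over the two log files before reaching for tcpdump. This is an added example, not code from the thread or from the OSSEC project: the sample agent and server log lines are constructed from the lines quoted above, the agent name `sv2` is taken from the server log, and the function names (`agent_stats`, `server_stats`, `diagnose`) are this example's own.

```python
"""Triage OSSEC agent/server logs for the "No agent available" symptom.

Added example (not from the thread). The log samples below are
constructed, modelled on the lines quoted in the thread.
"""
import re
from datetime import datetime

# Constructed sample: the agent opens its UDP socket to the server again
# and again but never gets an answer (ossec-agentd message code 4101).
AGENT_LOG = """\
2018/08/31 12:34:46 ossec-agentd(1410): INFO: Reading authentication keys file.
2018/08/31 12:34:46 ossec-agentd: INFO: Server 1: 157.97.106.107
2018/08/31 12:34:46 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 12:34:46 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 12:34:46 rootcheck: System audit file not configured.
2018/08/31 13:08:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
2018/08/31 13:08:28 ossec-agentd: INFO: Trying to connect to server 157.97.106.107, port 1514.
2018/08/31 13:08:28 INFO: Connected to 157.97.106.107 at address 157.97.106.107, port 1514
2018/08/31 13:08:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '157.97.106.107'.
"""

# Constructed sample: remoted read client.keys at start-up and knows 'sv2'.
SERVER_LOG = """\
2018/08/31 13:07:58 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2018/08/31 13:07:58 ossec-remoted(1410): INFO: Reading authentication keys file.
2018/08/31 13:07:58 ossec-remoted: INFO: No previous counter available for 'sv2'.
2018/08/31 13:07:58 ossec-remoted: INFO: Assigning counter for agent sv2: '0:0'.
"""

# timestamp, optional "daemon(code): ", optional "LEVEL: ", then the message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?:(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: )?"
    r"(?:(?P<level>INFO|WARN|ERROR): )?(?P<msg>.*)$"
)


def parse(text):
    """Parse OSSEC log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
            events.append(ev)
    return events


def agent_stats(text):
    """Count connection attempts and 'no reply' warnings in an agent log."""
    events = parse(text)
    attempts = [e for e in events if e["msg"].startswith("Trying to connect to server")]
    no_reply = [e for e in events
                if e["code"] == "4101" or e["msg"].startswith("Waiting for server reply")]
    servers = set()
    for e in attempts:
        m = re.search(r"server ([^,\s]+), port (\d+)", e["msg"])
        if m:
            servers.add((m.group(1), int(m.group(2))))
    return {"attempts": len(attempts), "no_reply": len(no_reply), "servers": sorted(servers)}


def server_stats(text):
    """Which agents remoted assigned a counter to, i.e. whose key it loaded."""
    agents = set()
    keys_read = False
    for e in parse(text):
        if e["daemon"] != "ossec-remoted":
            continue
        if e["code"] == "1410":          # "Reading authentication keys file."
            keys_read = True
        m = re.match(r"Assigning counter for agent (\S+):", e["msg"])
        if m:
            agents.add(m.group(1))
    return {"keys_read": keys_read, "agents": sorted(agents)}


def diagnose(agent_name, agent, server):
    """Ordered next checks, following the advice given in the reply."""
    if agent["no_reply"] == 0:
        return ["Agent never logs code 4101: it is receiving replies from remoted."]
    steps = []
    if agent_name not in server["agents"]:
        steps.append(f"Server log assigns no counter to '{agent_name}': remoted reads "
                     "client.keys at start-up, so restart the server after adding the key.")
    for host, port in agent["servers"]:
        steps.append(f"Agent tried {host}:{port} {agent['attempts']} time(s) and logged "
                     f"{agent['no_reply']} 'Waiting for server reply' warning(s): allow inbound "
                     f"UDP {port} on the server firewall, then run tcpdump for udp port {port} "
                     "on the server to confirm the packets arrive and that remoted answers.")
    steps.append("Enable debug (ossec-control enable debug && ossec-control restart) and "
                 "watch the server log while the agent retries.")
    return steps


if __name__ == "__main__":
    for step in diagnose("sv2", agent_stats(AGENT_LOG), server_stats(SERVER_LOG)):
        print("-", step)
```

Run it with the two real log files substituted for the samples; when the agent name is missing from the server's "Assigning counter" lines the first suggested step becomes the key import and restart, otherwise the output starts with the firewall and tcpdump check from the reply.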