no agent available ... always !

857 views
Skip to first unread message

BOUTROUILLE PASCAL

unread,
Jun 1, 2010, 9:59:07 AM6/1/10
to ossec...@googlegroups.com

Hello

 

I always have a problem with the ossec server

I do a new installation from debian to kubuntu.

It ‘s better,  because the server see now itself  in the agent available, so i have 1 agent : the server.

I have created 2 other agent : 1 windows and 1 debian :

 

/var/ossec/bin# ./agent_control  -lc

OSSEC HIDS agent_control. List of available agents:

   ID: 000, Name: ubuntutest (server), IP: 127.0.0.1, Active/Local

 

But :

./agent_control  -l

OSSEC HIDS agent_control. List of available agents:

   ID: 000, Name: ubuntutest (server), IP: 127.0.0.1, Active/Local

   ID: 001, Name: windows1, IP: 10.133.125.23, Never connected

   ID: 002, Name: uxrec13, IP: 10.133.3.8, Never connected

 

è Why « never connected » ?

I try to restart agent, enter again the key, but same problem

How can i test the communication between agent and server ? what port use the server ?

 

In the agent log :

2010/06/01 15:47:36 ossec-agent: INFO: Trying to connect to server (10.133.125.45:1514).

2010/06/01 15:47:57 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.133.125.45'.

2010/06/01 15:50:23 ossec-agent: INFO: Trying to connect to server (10.133.125.45:1514).

2010/06/01 15:50:44 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.133.125.45'.

2010/06/01 15:53:28 ossec-agent: INFO: Trying to connect to server (10.133.125.45:1514).

2010/06/01 15:53:49 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.133.125.45'.

2010/06/01 15:56:51 ossec-agent: INFO: Trying to connect to server (10.133.125.45:1514).

2010/06/01 15:57:12 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.133.125.45'.

 

With the server :

ossec-monitord is running...

ossec-logcollector is running...

ossec-syscheckd is running...

ossec-analysisd is running...

ossec-maild is running...

ossec-execd is running...

 

Thank you

dan (ddp)

unread,
Jun 1, 2010, 12:12:20 PM6/1/10
to ossec...@googlegroups.com
If you're using the secure option, it uses port 1514. If you're using
syslog, I think it uses 514.

Dave S

unread,
Jun 2, 2010, 9:20:09 AM6/2/10
to ossec-list
I also notice you do not list ossec-remoted as a running process.
That's the server process that accepts data from the agents. Make
sure that's running. If not, no agents can connect.

You can look in ossec.log for clues. grep for "remoted" to see if
there's messages from that process.

- Dave
Reply all
Reply to author
Forward
0 new messages