Windows Agent never connected


toko123

Apr 24, 2019, 9:52:45 AM
to ossec-list

I am getting started with OSSEC and I want to configure a Windows agent. I have followed the documentation and this. My server is an Ubuntu VM and I want to have a Windows agent.

This is the output of active agents.

 /var/ossec/bin/agent_control -i 001

OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: WindowsAgent
   IP address: 192.168.8.69/32
   Status:     Never connected

   Operating system:    Unknown
   Client version:      Unknown
   Last keep alive:     Unknown

   Syscheck last started  at: Unknown
   Rootcheck last started at: Unknown

This is the list of already added agents.

Available agents: ID: 001, Name: WindowsAgent, IP: 192.168.8.69

I thought that it may be a firewall problem, but on the server side I have dropped the firewall.
The IPs are taken from the ifconfig command.

vm:~/ossec-hids-3.2.0# tcpdump -i ens3 src 192.168.8.69
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
13:44:30.979244 IP 192.168.8.69.55341 > 10.0.0.4.ssh: Flags [.], ack 1445060350, win 16319, length 0

The connection seems to be working. 

Any ideas?


dan (ddp)

Apr 24, 2019, 10:13:24 AM
to ossec...@googlegroups.com
Is your ossec server running on port 22?

> Any ideas?

toko123

Apr 24, 2019, 10:27:09 AM
to ossec-list
I am connected to the VM via SSH on port 22.
I believe that my OSSEC server is running on the default port. However, I don't know how to check it.

dan (ddp)

Apr 24, 2019, 11:48:36 AM
to ossec...@googlegroups.com
On Wed, Apr 24, 2019 at 10:25 AM toko123 <ttomek...@gmail.com> wrote:
>
> I am connected to the VM via SSH on port 22.
> I believe that my OSSEC server is running on the default port. However, I don't know how to check it.
>

`tcpdump -i ens3 -nn host 192.168.8.69 and port 1514`

should give you the traffic going to and from ossec.

toko123

Apr 25, 2019, 7:15:01 AM
to ossec-list
After

 tcpdump -i ens3 -nn host 192.168.8.69 and port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

And output for port number 22.

 tcpdump -i ens3 -nn host 192.168.8.69 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:01:07.432964 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], seq 2452502731:2452502859, ack 1239911147, win 933, length 128
11:01:07.433030 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], seq 128:192, ack 1, win 933, length 64
11:01:07.433088 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], seq 192:320, ack 1, win 933, length 128
11:01:07.433139 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], seq 320:384, ack 1, win 933, length 64

So my OSSEC is running on port 22. I suspect that this causes the lack of connection. However, when I type

 lsof -i :1514
COMMAND    PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
ossec-rem 6374 ossecr    4u  IPv6 1075394      0t0  UDP *:1514

How can I change the used port to port number 22?

toko123

Apr 25, 2019, 7:31:31 AM
to ossec-list
I have found a solution. I was using the IP from ifconfig, which was 10.0.0.4, and I should have used the IP via which I connect using SSH.
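A small triage script for the situation in this thread, added here as an example (it is not from the thread or from OSSEC itself): it parses constructed lsof and tcpdump output shaped like the posts above and walks the checks dan suggested in order, naming the likely cause. The `<server-ip>` it points at is the agent-side ossec.conf setting; all sample values are constructed.

```python
import re

AGENT_PORT = 1514  # default OSSEC agent <-> manager UDP port

# Constructed samples modelled on the thread's server-side output.
LSOF_OUT = (
    "COMMAND    PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME\n"
    "ossec-rem 6374 ossecr    4u  IPv6 1075394      0t0  UDP *:1514\n"
)
DUMP_1514 = ""  # tcpdump on port 1514 captured nothing
DUMP_22 = (
    "11:01:07.432964 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], "
    "seq 1:129, ack 1, win 933, length 128\n"
    "11:01:07.433030 IP 10.0.0.4.22 > 192.168.8.69.49766: Flags [P.], "
    "seq 129:193, ack 1, win 933, length 64\n"
)

PKT_RE = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def manager_listening(lsof_out, port=AGENT_PORT):
    """True if lsof shows a UDP socket bound to the agent port."""
    return any(re.search(rf"\bUDP \S*:{port}$", ln.rstrip())
               for ln in lsof_out.splitlines())

def packets(dump):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each tcpdump line."""
    for ln in dump.splitlines():
        m = PKT_RE.search(ln)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4])

def agent_packets(dump, agent_ip, port=None):
    """Count packets to or from agent_ip, optionally restricted to one port."""
    return sum(1 for s, sp, d, dp in packets(dump)
               if agent_ip in (s, d) and (port is None or port in (sp, dp)))

def triage(agent_ip, lsof_out, dump_agent_port, dump_other):
    """Walk the checks in the order the thread did and name the likely cause."""
    if not manager_listening(lsof_out):
        return f"manager not listening on UDP {AGENT_PORT}: check ossec-remoted"
    if agent_packets(dump_agent_port, agent_ip, AGENT_PORT):
        return f"agent traffic reaches UDP {AGENT_PORT}: check agent key and log"
    if agent_packets(dump_other, agent_ip):
        # Host is reachable on other ports, so the agent is sending to the
        # wrong address (e.g. the manager's NAT-internal IP) or is filtered.
        return f"host reachable but nothing on UDP {AGENT_PORT}: check <server-ip>"
    return "no traffic from the agent at all: check routing and firewall"
```

Running `triage("192.168.8.69", LSOF_OUT, DUMP_1514, DUMP_22)` reproduces the thread's finding: the manager listens, SSH traffic from the agent arrives, but nothing reaches UDP 1514, so the agent's configured server address is the first thing to check.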