I am deploying OSSEC in a restricted environment where the agent and hosts are segregated by an L3 switch.
1- When I open 1514 UDP/TCP on the server, the agent shows "never connected", as the host, which is my Windows machine, is unable to get any response from the server because OSSEC uses random high ports. Using tcpdump on the server, I can see the server sending and receiving fixed-length UDP packets of size 73 on port 1514, but no packets reaching the host machine.
2- For testing, when I opened IP-IP access, meaning access on all ports to and from the server, the agent managed to connect to the server.
The problem is that I have to specify specific ports for the hosts using OSSEC in an ACL at the network level, as the environment is restricted and IP-IP access is not allowed.
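
An added illustration, not part of the original post: a minimal model of a stateless port ACL between an agent and the server, showing how a rule that matches only destination port 1514 treats each direction of the exchange. It assumes the agent sends from a random high UDP source port to server port 1514 and the server replies from 1514 to that same port; all addresses, port values and rule sets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses and ports below are constructed for illustration.
AGENT, SERVER = "10.10.20.15", "10.10.10.5"
OSSEC_PORT = 1514
EPHEMERAL = (1024, 65535)   # assumed range for the agent's source port
ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Permit:
    """One stateless permit entry: protocol, source, destination."""
    proto: str
    src: str
    sport: tuple
    dst: str
    dport: tuple

    def matches(self, proto, src, sport, dst, dport):
        return (proto == self.proto
                and ip_address(src) in ip_network(self.src)
                and self.sport[0] <= sport <= self.sport[1]
                and ip_address(dst) in ip_network(self.dst)
                and self.dport[0] <= dport <= self.dport[1])

def permitted(acl, pkt):
    """Stateless evaluation: any matching permit passes, otherwise implicit deny."""
    return any(rule.matches(*pkt) for rule in acl)

def check_flow(acl, agent_sport):
    """Return (request_passes, reply_passes) for one agent/server exchange."""
    request = ("udp", AGENT, agent_sport, SERVER, OSSEC_PORT)
    reply = ("udp", SERVER, OSSEC_PORT, AGENT, agent_sport)
    return permitted(acl, request), permitted(acl, reply)

# Rule set that only matches on destination port 1514.
DST_ONLY = [Permit("udp", "0.0.0.0/0", ANY_PORT, "0.0.0.0/0", (OSSEC_PORT, OSSEC_PORT))]

# Same, plus the return path: server source port 1514 to the agent's high ports.
WITH_RETURN = DST_ONLY + [
    Permit("udp", SERVER + "/32", (OSSEC_PORT, OSSEC_PORT), AGENT + "/32", EPHEMERAL),
]

if __name__ == "__main__":
    for name, acl in (("dst-only", DST_ONLY), ("with-return", WITH_RETURN)):
        print(name, check_flow(acl, 51514))
```

In this model the return-path entry is keyed on the server's source port rather than on a list of agent ports, so the high-port range is only reachable from the server's port 1514.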