/etc/client.keys not found


Forrest Aldrich

Sep 5, 2006, 5:53:18 PM
to ossec...@googlegroups.com
Maybe I hit a small config bug here.  I installed 0.9.1-a which defaults all under /var/ossec:

2006/09/05 16:11:00 ossec-remoted(1402): Authentication key file '/etc/client.keys' not found.

This was generated when one of my agent installs tried to authenticate, I believe.

I also noticed this:

2006/09/05 16:10:59 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

So it seems something got missed during the initial config... or did I miss something?


Thanks.






Daniel Cid

Sep 5, 2006, 9:38:52 PM
to ossec...@googlegroups.com
Hi Forrest,

You need to run the manage_agents tool to add the agents you want
to connect to your server. The first message means that there is no
agent allowed to connect. The second message means that you
didn't allow any IP to send remote syslog messages to ossec, so
it has no reason to run (nothing is allowed)...

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

Forrest Aldrich

Sep 5, 2006, 11:09:12 PM
to ossec...@googlegroups.com
Where in the setup does it ask for a syslog IP to permit? Other than
giving it the IP of the client (which I did via manage_agents, and I
imported the key to the agent).

I'm still debugging the setup - however, under what circumstances will
OSSEC log to the server via syslog? I may switch my systems to
syslog-ng for better control; however, at the moment it's just stock
syslogd (FreeBSD6.1).


Thanks.

Forrest Aldrich

Sep 5, 2006, 11:09:59 PM
to ossec...@googlegroups.com
Oops.

Also forgot to mention that it's looking for /etc/client.keys..... it's
not supposed to, it's supposed to be looking in
/var/ossec/etc/client.keys -- and that file *is* populated with keys.

I am trying to figure out where the /var/ossec portion got truncated in
this.

gentuxx

Sep 6, 2006, 12:04:36 AM
to ossec...@googlegroups.com

Forrest Aldrich wrote:
>
> Where in the setup does it ask for a syslog IP to permit? Other than
> giving it the IP of the client (which I did via manage_agents, and I
> imported the key to the agent).

I'm not sure where the install got '/etc/client.keys'. As you pointed
out in your second post, it *should* be /var/ossec/etc/client.keys (by
default). Maybe something went awry with your install?

As to your second message below, I ran into this myself when I migrated
from a local install to a server install (although I didn't get the
handy message at the time).

You should have some lines similar to the following in your
/var/ossec/etc/ossec.conf to allow client/server communications:

<global>
....other global config stuff here....
<white_list>127.0.0.1</white_list>
<white_list>my.client.ip.here</white_list>
</global>

<remote>
<connection>secure</connection>
</remote>

This will allow your agents to talk to the server through UDP port 1514
(default). Alternate ports are configurable.

>
> I'm still debugging the setup - however, under what circumstances will
> OSSEC log to the server via syslog? I may switch my systems to
> syslog-ng for better control; however, at the moment it's just stock
> syslogd (FreeBSD6.1).
>

As to syslog monitoring, I know it's possible, but I haven't tried it
yet, so I can't clue you in to how to config things to get it to work.
Poke around the Wiki (http://www.ossec.net/wiki), I think there might be
some docs there talking about it. If not, let me know, and I'll try it
out and post something.


--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2
18D3 4A9E

Forrest Aldrich

Sep 7, 2006, 1:16:28 PM
to ossec...@googlegroups.com
I'm not sure I follow you here, as I did run the manage_agent command
and the keys are indeed where they are supposed to be, per my other message.

/var/ossec/etc/client.keys:

-rw-r--r-- 1 root ossec 90 Sep 5 19:48 client.keys

001 machine192.168.1.1 thekeygoeshereblahblahblah

Somewhere in the configuration, the root path was truncated
(/var/ossec)... I'm trying to figure out where.

Where do the logs get shipped to by default when logging via syslog ...
as I've yet to see anything come in that route (but that could also be
due to the client.keys issue above).

Anyone using syslog-ng here? I'm considering it.

Thanks.
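
A check an administrator could run on the server key file discussed in this thread, added here as an example (not code from any poster or from the OSSEC project). It assumes each client.keys entry has four whitespace-separated fields, `ID NAME IP KEY`; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for an OSSEC server key file.
# Assumption: each entry is "ID NAME IP KEY", whitespace-separated.

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if missing.
check_client_keys() {
    ck_file=$1
    ck_status=0
    if [ ! -f "$ck_file" ]; then
        echo "missing: $ck_file"
        return 2
    fi
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    ck_other=$(ls -ld "$ck_file" | cut -c8-10)
    if [ "$ck_other" != "---" ]; then
        echo "perms: other users have '$ck_other' on $ck_file"
        ck_status=1
    fi
    awk '
        NF == 0 { next }
        NF != 4 { printf "line %d: expected 4 fields (ID NAME IP KEY), got %d\n", NR, NF
                  bad++; next }
        $1 !~ /^[0-9]+$/ { printf "line %d: agent ID %s is not numeric\n", NR, $1; bad++ }
        seen[$1]++ { printf "line %d: duplicate agent ID %s\n", NR, $1; bad++ }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$ck_file" || ck_status=1
    return $ck_status
}

# Constructed sample: entry 3 reuses an ID, entry 4 has name and IP run together.
make_sample() {
    cat > "$1" <<'EOF'
001 machine 192.168.1.1 constructed-key-0001
002 web01 any constructed-key-0002
001 spare 10.0.0.5 constructed-key-0003
003 machine192.168.1.1 constructed-key-0004
EOF
    chmod 644 "$1"   # same mode as the listing in the thread
}

sample=$(mktemp)
make_sample "$sample"
check_client_keys "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a real server the call would be `check_client_keys /var/ossec/etc/client.keys`.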
