[ossec-list] Re: /etc/client.keys not found
Forrest Aldrich wrote:
>
> Where in the setup does it ask for a syslog IP to permit? Other than
> giving it the IP of the client (which I did via manage_agents, and I
> imported the key to the agent).

I'm not sure where the install got '/etc/client.keys'. As you pointed
out in your second post, it *should* be /var/ossec/etc/client.keys (by
default). Maybe something went awry with your install?

As to your second message below, I ran into this myself when I migrated
from a local install to a server install (although I didn't get the
handy message at the time).

You should have some lines similar to the following in your
/var/ossec/etc/ossec.conf to allow client/server communications:

  <global>
    ....other global config stuff here....
    <white_list>127.0.0.1</white_list>
    <white_list>my.client.ip.here</white_list>
  </global>

  <remote>
    <connection>secure</connection>
  </remote>

This will allow your agents to talk to the server through UDP port 1514
(default). Alternate ports are configurable.

>
> I'm still debugging the setup - however, under what circumstances will
> OSSEC log to the server via syslog. I may switch my systems to
> syslog-ng for better control; however, at the moment it's just stock
> syslogd (FreeBSD6.1).
>
As to syslog monitoring, I know it's possible, but I haven't tried it
yet, so I can't clue you in to how to config things to get it to work.
Poke around the Wiki (http://www.ossec.net/wiki), I think there might be
some docs there talking about it. If not, let me know, and I'll try it
out and post something.
>
> Thanks.
>
>
> Daniel Cid wrote:
>>
>> Hi Forrest,
>>
>> You need to run the manage_agents tool to add the agents you want
>> to connect to your server. The first message means that there is no
>> agent allowed to connect. The second message means that you
>> didn't allow any IP to send remote syslog messages to ossec, so
>> it has no reason to run (nothing is allowed)...
>>
>> Hope it helps,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On 9/5/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:
>>>
>>> Maybe I hit a small config bug here. I installed 0.9.1-a which defaults
>>> all under /var/ossec:
>>>
>>> 2006/09/05 16:11:00 ossec-remoted(1402): Authentication key file '/etc/client.keys' not found.
>>>
>>> This was generated when one of my agent installs tried to authenticate, I
>>> believe.
>>>
>>> I also noticed this:
>>>
>>> 2006/09/05 16:10:59 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
>>>
>>> So it seems something got missed during the initial config... or did I miss
>>> something.
>>>
>>> Thanks.
>>>
>
--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2
18D3 4A9E
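
As an added example (not part of the original message and not OSSEC's own code), this Python check maps the two ossec-remoted messages quoted in this thread, 1402 and 1501, to the configuration state behind them. The names check_remote, SAMPLE_CONF and SAMPLE_KEYS are hypothetical; it assumes client.keys lines of the form "ID NAME IP KEY", a syslog listener that takes <allowed-ips> entries, and an ossec.conf that parses as XML.

```python
import ipaddress
import xml.etree.ElementTree as ET

def _bad_net(value):
    """True when value is not an IP address or CIDR network."""
    try:
        ipaddress.ip_network(value.strip(), strict=False)
        return False
    except ValueError:
        return True

def check_remote(conf_text, keys_text):
    """Return findings for the <remote> blocks of an ossec.conf.

    keys_text is the content of client.keys, or None if the file is absent.
    """
    # Wrap in a synthetic root so a file with several top-level blocks parses.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    findings = []
    for n, remote in enumerate(root.iter("remote"), 1):
        conn = (remote.findtext("connection") or "").strip()
        if conn == "secure":
            # Agents authenticate with keys created by manage_agents.
            # Assumed client.keys layout, one agent per line: ID NAME IP KEY.
            rows = [l.split() for l in (keys_text or "").splitlines() if l.strip()]
            if keys_text is None:
                findings.append(f"remote {n}: secure, but client.keys not found")
            elif not rows:
                findings.append(f"remote {n}: secure, but no agent keys defined")
            for row in rows:
                if len(row) != 4 or (row[2] != "any" and _bad_net(row[2])):
                    findings.append(f"remote {n}: malformed key line for id {row[0]}")
        elif conn == "syslog":
            nets = [e.text or "" for e in remote.iter("allowed-ips")]
            if not nets:
                findings.append(f"remote {n}: syslog, but no <allowed-ips>")
            findings += [f"remote {n}: bad allowed-ips '{v}'" for v in nets if _bad_net(v)]
        else:
            findings.append(f"remote {n}: unknown connection '{conn}'")
    return findings

# Constructed sample: one agent listener and one syslog listener with no ACL.
SAMPLE_CONF = """<ossec_config>
  <remote><connection>secure</connection></remote>
  <remote><connection>syslog</connection></remote>
</ossec_config>"""
SAMPLE_KEYS = "001 web01 192.0.2.10 0123456789abcdef\n"  # constructed, not a real key

if __name__ == "__main__":
    for finding in check_remote(SAMPLE_CONF, SAMPLE_KEYS):
        print(finding)
```

To run it against a real install, pass in the text of ossec.conf and client.keys from wherever that install keeps them, and pass None for the keys when the file does not exist.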
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.