[ossec-list] Re: Waiting for server reply (not started)
Daniel -
Here's what I've tried.
> There is a firewall between the agent and the server.
You _bet_ there is! :) The only two that aren't working are out on VPNs.
But 1514 is open:
[root@buran logs]# nc -u 192.168.42.1 1514
testing
[root@buran logs]# nc -u -l 1514
testing the other way
[root@kyushu logs]# nc -u -l 192.168.1.200 -p 1514
testing
[root@kyushu logs]# nc -u 192.168.1.200 1514
testing the other way
So I've got communications both ways on 1514.
I made sure that ossec was stopped, and added the keys:
[root@buran logs]# ps -ef|grep ossec
root 32121 31762 0 20:52 pts/1 00:00:00 grep ossec
[root@buran logs]# ../bin/manage_agents
****************************************
* OSSEC HIDS v1.2 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: r
Available agents:
ID: 009, Name: chekov, IP: 192.168.42.1
Provide the ID of the agent to be removed (or '\q' to quit): 008
Confirm deleting it?(y/n): y
Agent '008' removed.
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: kyushu
* The IP Address of the new agent: 192.168.42.1
* An ID for the new agent[008]:
Agent information:
ID:008
Name:kyushu
IP Address:192.168.42.1
Confirm adding it?(y/n): y
Agent added.
and then started the server. Imported the key on the agent, and the IPs
match:
Choose your action: I or Q: i
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Agent information:
ID:008
Name:kyushu
IP Address:192.168.42.1
and started the agent. Absolutely nothing in the server log, and in the
agent log:
2007/07/03 20:56:20 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/03 20:56:51 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/03 20:57:37 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/03 20:58:38 ossec-agentd(4101): Waiting for server reply (not started).
I'll email you the logs after I try this one more time.
--
Tim Boyer
Director
Information Systems and Engineering Projects
Denman Tire Corporation
tim@xxxxxxxxxxxxxx
>
> Hi Tim,
>
> I just added a new entry to the wiki with more information
> regarding it:
>
> http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
>
> Can you try all the steps in there to see if it works? If not, we
> would need to see your logs (from server and agent) to try to figure
> out what is happening.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 6/29/07, Tim Boyer <tim@xxxxxxxxxxxxxx> wrote:
> >
> >
> > Yup. Just tried it again, just to be sure - no luck.
> >
> >
> > Hi Tim,
> >
> > Did you restart the server after adding the new agents? And after
> > that start the new agents?
> >
> > E.
> >
> >
> > 2007/6/29, Tim Boyer <tim@xxxxxxxxxxxxxx>:
> > >
> > > You know you're getting old when you google for an answer - and
> > > find one of your own posts. But this is _slightly_ different.
> > >
> > > I'm getting the subject's error on a client. The last time it
> > > happened, it was a firewall issue - I was letting port 1514 out,
> > > but not back in. This time, I'm letting 1514 go both ways.
> > >
> > > [root@kyushu logs]# nc -u 192.168.1.200 1514
> > > Testing going to the server
> > >
> > > [root@buran bin]# nc -ul 1514
> > > Testing going to the server
> > >
> > > [root@buran bin]# nc -u 192.168.42.1 1514
> > > Testing going back
> > >
> > > [root@kyushu logs]# nc -ul -p 1514
> > > Testing going back
> > >
> > > So it's not a firewall issue. Reinforcing this is the fact that
> > > I've got a half-dozen agents working fine:
> > >
> > > [root@buran bin]# ./list_agents -a
> > > defiant-192.168.1.130 is available.
> > > roosevelt-192.168.1.80 is available.
> > > gage-192.168.2.95 is available.
> > > melbourne-192.168.1.90 is available.
> > > saratoga-192.168.1.250 is available.
> > > challenger-192.168.1.79 is available.
> > > tolstoy-192.168.1.75 is available.
> > >
> > > I've deleted the agent keys and re-created them, and then
> > > re-imported them - so it's not that. Anyone have any suggestions?
> > >
> > > Thanks,
> > >
> > > --
> > > Tim Boyer
> > > Director
> > > Information Systems and Engineering Projects
> > > Denman Tire Corporation
> > > tim@xxxxxxxxxxxxxx
> > >
> > >
> >
> >
>
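A complementary check to the netcat tests in this thread, added here as an example and not part of the original messages or of OSSEC itself: it sends one datagram from an ephemeral source port and waits for the answer on that same UDP flow, then reports which source address the listener saw, so it can be compared with the IP entered in manage_agents. It assumes the agent's traffic is a request answered on the same flow and that the registered IP must match the source address the server sees; `reflect_once`, `probe` and `loopback_demo` are hypothetical helper names.

```python
import socket
import threading

def reflect_once(sock):
    """Listener side: reply to one datagram with the source address it came from."""
    _, peer = sock.recvfrom(1024)
    sock.sendto(f"{peer[0]}:{peer[1]}".encode(), peer)  # same flow, reversed

def probe(server_ip, port, registered_ip, timeout=3.0):
    """Agent side: one request/reply round trip from an ephemeral source port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"probe", (server_ip, port))
        try:
            reply, _ = s.recvfrom(1024)
        except OSError:  # timeout or ICMP error: nothing came back on this flow
            return {"reply": False, "seen_as": None, "matches_registered": False}
    seen_ip = reply.decode().rsplit(":", 1)[0]
    return {"reply": True, "seen_as": seen_ip,
            "matches_registered": seen_ip == registered_ip}

def loopback_demo():
    """Constructed demo on 127.0.0.1 with OS-chosen ports; no real hosts involved."""
    def listener(answer):
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        worker = None
        if answer:
            worker = threading.Thread(target=reflect_once, args=(srv,))
            worker.start()
        return srv, worker

    results = []
    # (listener answers?, IP registered for the agent) -- constructed cases
    cases = [(True, "127.0.0.1"), (True, "192.168.42.1"), (False, "127.0.0.1")]
    for answer, registered in cases:
        srv, worker = listener(answer)
        results.append(probe("127.0.0.1", srv.getsockname()[1], registered, timeout=1.0))
        if worker:
            worker.join()
        srv.close()
    return results

if __name__ == "__main__":
    for r in loopback_demo():
        print(r)
```

For a real test, `reflect_once` would run on the server host with OSSEC stopped and `probe` on the agent host; a reply with `matches_registered` false means the server sees the agent under a different address than the one registered.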
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.