[ossec-list] Re: Problems faced with OSSEC.
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Problems faced with OSSEC.
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 21 Feb 2007 21:27:33 -0400
- Cc: pankajppawar@xxxxxxxxx
Hi Pankaj,
Reply inline.
On 2/20/07, Pankaj P. Pawar <Pankajpa@xxxxxxxxxx> wrote:
Hi,
This is the first time I am raising the query in this group.
I have been using OSSEC for the past three months and I have been facing problems since my first installation, some of which are listed below.
1.) I have to change the permission of the /var/ossec/log/*current log file* to READ every day, as the WEBUI shows the permission as FORBIDDEN.
I have tried using chmod -R 777 var/ossec/log but it was of no use.
Can I know what the permissions of the files installed in the /var/ossec directory should be?
You need to be using version 1.0 (at least) and make sure to have your web server user in the ossec group. The following link has a step by step on how to install the UI: http://www.ossec.net/dcid/?p=26 .
2.) I am currently getting the following error: "2007/02/20 09:34:13 ossec-agentd(1214): Problem receiving message from 172.16.7.254" and because of that I am not receiving any alerts for my client on my mail ID, although the same can be seen in the Current Log File and WEBUI. I am, however, able to get the mail alerts for the Server. Can I know what this means? I have tried importing the authentication keys and adding the client again and again, but the problem still persists.
You need to make sure that the IP you configured match what you are receiving. Can you send us your ossec.conf and ossec.log files in the gz format? In addition to that, which version are you using?
3.) I have attached the client and server configuration for your reference. I have followed the manual for configuring the active response and the "ar.conf" file does show an entry for "host-deny" on the server as well as the client. But still the actual blocking is not happening. Can somebody tell me what the possible reason for this could be? I have simulated the same using a Nessus scan, configured to block the source IP if Rule 30114 triggers.
4.) I am getting the errors "2007/02/19 11:16:50 ossec-remoted(1403): Incorrectly formated message from '172.16.2.35'" and
"2007/02/15 14:08:44 ossec-remoted(1407): Duplicated counter for 'À¬#ÿÿÿÿ'.
2007/02/15 14:08:44 ossec-remoted: Duplicate error: global: 2, local: 9997, saved global: 3, saved local:3"
quite frequently, and they do not appear once I restart both the client and server. Is this a bug, and do we have to ignore this message?
This kind of message should not happen frequently. Looks like you have a mis-configured agent. You need to make sure that every IP address maps to only one agent (unless you configure it for natting).
It is high time for me since I have to deploy the same in my production and I have no explanations for these queries. Any help would be highly appreciated.
Thanks,
Pankaj P.
I hope it helps. If you can send your config (and your client.keys file) and the ossec.log we can see what is going on (please, use the gz format)...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
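As an added example (not part of this thread, and not OSSEC's own code), a small audit for the mis-mapping Daniel describes in his answer to point 4: it parses a client.keys file in the documented `<id> <name> <ip> <key>` layout and reports any IP claimed by more than one active agent. The sample file content, the `!` removed-agent marker and the treatment of `any` as a wildcard that may legitimately be shared are assumptions.

```python
"""Audit an OSSEC client.keys file for IP addresses shared by several agents.

Assumed layout (one agent per line): <id> <name> <ip> <key>.
Lines starting with '#' are treated as comments; by assumption a name
prefixed with '!' marks a removed agent and 'any' is a wildcard address.
"""
from collections import defaultdict

# Constructed sample (not a real key file): agents 002 and 003 both claim
# 172.16.7.254, the situation that produces duplicated-counter errors.
SAMPLE_CLIENT_KEYS = """\
001 webserver 172.16.2.35 0123456789abcdef0123456789abcdef
002 dbserver 172.16.7.254 fedcba9876543210fedcba9876543210
003 dbserver-old 172.16.7.254 00112233445566778899aabbccddeeff
004 !retired 172.16.2.35 ffeeddccbbaa99887766554433221100
005 roaming any aabbccddeeff00112233445566778899
"""


def parse_client_keys(text):
    """Return (id, name, ip) tuples for every active agent in the file."""
    agents = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(parts)))
        agent_id, name, ip, _key = parts
        if name.startswith("!"):  # assumed marker for a removed agent
            continue
        agents.append((agent_id, name, ip))
    return agents


def find_duplicate_ips(agents):
    """Map each concrete IP used by more than one active agent to those agent ids."""
    by_ip = defaultdict(list)
    for agent_id, _name, ip in agents:
        if ip == "any":  # wildcard entries may legitimately be shared (NAT setups)
            continue
        by_ip[ip].append(agent_id)
    return {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}


if __name__ == "__main__":
    for ip, ids in sorted(find_duplicate_ips(parse_client_keys(SAMPLE_CLIENT_KEYS)).items()):
        print("IP %s is assigned to agents %s" % (ip, ", ".join(ids)))
```

Run it against /var/ossec/etc/client.keys on the server; every IP it reports should be reduced to a single agent (or switched to a NAT-style configuration) before restarting ossec-remoted.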
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.