
OSSEC running Agents on servers connected but NO events are logging??

jgraysongstes UFO Spotter
edited December 2012 in [N|W|H]IDS
During one of the last updates OSSEC stopped collecting from the servers it is installed on. I checked all agents and they have connection to server. Network is working fine. I also restarted the system and also the various agents on each server. Connection is established but it is only sending keep alive on agent side and logging NOTHING on the AlienVault side. Any ideas??? I just ran the verify-agent-config and it comes back with agent.conf not found. Checked directory and agent.conf is not there. Is that the cause?? If so, is there a generic or backup version that I can put in without having to redo all the servers?

Answers

  • Is there anything within the /var/ossec/logs/ossec.log on the OSSEC server? 
  • Yes, there are ossec logs and they are incrementing. Here is a view of the current one.

    ______________________________________________________________

    alienvault:/var/ossec/logs# view ossec.log
    2012/10/16 06:25:57 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
    2012/10/16 06:25:57 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
    2012/10/16 06:25:57 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
    2012/10/16 06:25:57 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
    2012/10/16 06:25:57 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
    2012/10/16 06:25:57 ossec-testrule: INFO: Reading local decoder file.
    2012/10/16 06:25:57 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
    2012/10/16 06:25:57 ossec-execd(1350): INFO: Active response disabled. Exiting.
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading local decoder file.
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
    2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'

  • jhillAV Alien Overseer
    Have you verified the keys for each client match on the AV side and client side?
  • Mike Abducted By Aliens
    edited October 2012
    1. Have you restarted the OSSEC server?
    2. The agent.conf error is "normal".
    3. Like @jhillAV says, have you double-checked the keys?
    4. Can you check the local agent log for any errors?
  • punkrokk UFO Spotter
    Just so it's noted somewhere -- I had to turn off my OSSIM firewall in ossim-setup. Then they connected.
  • I have the same issue with some of my Linux and ESX machines connecting to OSSIM. Weird thing is, of my 10 ESX hosts, 7 of which are on the same version and patch level, some work and some don't. This is driving me nuts. On one Linux machine I'm seeing the UDP port 1514 established to the server, see below:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 127.0.0.1:32769             127.0.0.1:32768             ESTABLISHED
    tcp        0      0 127.0.0.1:32768             127.0.0.1:32769             ESTABLISHED
    tcp        0      0 127.0.0.1:5988              127.0.0.1:44433             ESTABLISHED
    tcp        0      0 10.2.0.17:22                10.2.0.53:59317             ESTABLISHED
    tcp        0      0 127.0.0.1:44433             127.0.0.1:5988              ESTABLISHED
    udp        0      0 10.2.0.17:32771             10.2.0.75:1514              ESTABLISHED
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  3      [ ]         DGRAM                    2856146 /var/ossec/queue/alerts/execq
    unix  5      [ ]         DGRAM                    2856150 /queue/ossec/queue
    unix  12     [ ]         DGRAM                    3302   /dev/log
    unix  2      [ ]         DGRAM                    2856278

    I'm also seeing the time difference as others have reported on the OSSIM Server SIEM (about 5 hours ahead).

    Any other ideas? If this was all machines not communicating then I would feel better, but having some work and some fail is frustrating as all hell. And yes, I have removed and added agents on the server, removed keys (that was my first thought, and I noticed good keys ending in a == and keys that did not end with == were not working). I should also note that this is only Linux and ESX failing - all Windows servers are sending data to the server.

    The only other point of data I can contribute is that the server OSSEC version is one behind the agent, which is 2.7 I just downloaded from OSSEC - OSSIM is on 2.5.1 from what I can tell.
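The key check that jhillAV and Mike ask about, and the "== vs. no ==" observation in the last post, can both be made concrete with a small audit script. The following is an added example, not code from the thread or from the OSSEC project: it parses the server-side `/var/ossec/etc/client.keys` (one line per agent: `<id> <name> <ip-or-any> <key>`), compares it against the single line each agent holds, and decodes the base64 blob that `manage_agents -e` prints, which is simply that client.keys line base64-encoded. The sample keys, host names and IPs are constructed; treating lines whose first field begins with `#` or `!` as removed agents is an assumption.

```python
import base64

# Constructed sample of the server-side /var/ossec/etc/client.keys.
# One agent per line: "<id> <name> <ip-or-any> <key>".
SERVER_CLIENT_KEYS = """\
001 web01 10.2.0.17 9f3c0d1e7a8b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d
002 esx03 10.2.0.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
003 db01 any ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""

# Constructed: the one client.keys line found on each agent host.
AGENT_CLIENT_KEYS = {
    "web01": "001 web01 10.2.0.17 9f3c0d1e7a8b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d",
    # last hex digit differs from the server copy (a paste error while importing the key)
    "esx03": "002 esx03 10.2.0.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdee",
    # agent was removed and re-added on the server under a new ID; the host kept the old line
    "db01": "004 db01 any ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100",
}


def parse_client_keys(text):
    """Return {agent_id: (name, ip, key)} for every active entry in a client.keys file.

    Blank lines and lines whose first field starts with '#' or '!' (assumed here to
    mark removed agents) are skipped; any other malformed line raises ValueError.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("malformed client.keys line: %r" % raw)
        agent_id, name, ip, key = parts
        entries[agent_id] = (name, ip, key)
    return entries


def export_key_blob(server_line):
    """Base64-encode one client.keys line, the same scheme manage_agents -e uses."""
    return base64.b64encode(server_line.encode("ascii")).decode("ascii")


def decode_exported_key(blob):
    """Decode an exported key blob back into (id, name, ip, key).

    Whether the blob ends in '=', '==' or nothing at all is only base64 padding,
    determined by the length of the underlying line; it says nothing about validity.
    """
    line = base64.b64decode(blob, validate=True).decode("ascii")
    entries = parse_client_keys(line)
    if len(entries) != 1:
        raise ValueError("exported blob did not decode to exactly one client.keys line")
    (agent_id, (name, ip, key)), = entries.items()
    return agent_id, name, ip, key


def check_agent(server_entries, agent_line):
    """Compare one agent's client.keys line against the server table.

    Returns a list of human-readable problems; an empty list means the agent's
    ID, name, IP and key all agree with the server.
    """
    agent_id, (name, ip, key) = next(iter(parse_client_keys(agent_line).items()))
    problems = []
    if agent_id not in server_entries:
        by_name = [i for i, (n, _, _) in server_entries.items() if n == name]
        hint = " (server has %s under ID %s)" % (name, by_name[0]) if by_name else ""
        problems.append("ID %s not present on server%s" % (agent_id, hint))
        return problems
    s_name, s_ip, s_key = server_entries[agent_id]
    if s_name != name:
        problems.append("name mismatch for %s: server=%s agent=%s" % (agent_id, s_name, name))
    if s_ip != ip:
        problems.append("IP mismatch for %s: server=%s agent=%s" % (agent_id, s_ip, ip))
    if s_key != key:
        problems.append("key mismatch for %s" % agent_id)
    return problems


def audit(server_text, agent_lines):
    """Run check_agent() for every host; returns {host: [problems]}."""
    server_entries = parse_client_keys(server_text)
    return {host: check_agent(server_entries, line) for host, line in agent_lines.items()}


if __name__ == "__main__":
    for host, problems in audit(SERVER_CLIENT_KEYS, AGENT_CLIENT_KEYS).items():
        print("%-6s %s" % (host, "OK" if not problems else "; ".join(problems)))
```

On a real deployment the server text comes from the OSSIM box and each agent line from the remote host; an agent whose line passes this check but still only sends keep-alives points away from keys and toward the other items in the thread (firewall on the OSSIM side, agent log, version skew between server and agent).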
