OSSEC running Agents on servers connected but NO events are logging??

jgraysongstes

During one of the last updates OSSEC stopped collecting from the servers it is installed on.   I checked all agents and they have connection to server.   Network is working fine.   I also restarted the system and also the various agents on each server.   Connection is establlished but it is only sending keep alive on agent side and logging NOTHING on the Alienvault side.   Any ideas???   I just ran the verify-agent-config and it comes back with agent.conf not found.   Checked directory and agent.conf is not there.   Is that the cause??  if so is there a generic or backup version that I can put in without having to redo all the servers?

AlexL

Is there anything within the /var/ossec/logs/ossec.log on the OSSEC server? 

jgraysongstes

Yes there is ossec logs and the are incrementing.    here is a view of the current one.

______________________________________________________________

alienvault:/var/ossec/logs# view ossec.log

2012/10/16 06:25:57 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...

2012/10/16 06:25:57 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...

2012/10/16 06:25:57 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...

2012/10/16 06:25:57 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...

2012/10/16 06:25:57 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...

2012/10/16 06:25:57 ossec-testrule: INFO: Reading local decoder file.

2012/10/16 06:25:57 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.

2012/10/16 06:25:57 ossec-execd(1350): INFO: Active response disabled. Exiting.

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading local decoder file.

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'

2012/10/16 06:25:57 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'

jhillAV

Have you verified the keys for each client match the on the AV side and client side?

Mike

1. Have you restarted the ossec server ?
2. The agent.conf error is "normal"
3. Like @jhillAV says have you double checked the keys ?
4. Can you check the local agent log for any errors ?

punkrokk

just so it's noted somewhere -- I had to turn off my ossim firewall in ossim-setup. then they connected. 

louheruska

I have the same issue with some of my linux and ESX machines connecting to OSSIM.  Weird thing is of my 10 ESX hosts 7 of which are on the same version and patch level some work and some don't.  This is driving me nuts.  On one linux machine I'm seeing the UDP port 1514 established to the server see below:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:32769             127.0.0.1:32768             ESTABLISHED
tcp        0      0 127.0.0.1:32768             127.0.0.1:32769             ESTABLISHED
tcp        0      0 127.0.0.1:5988              127.0.0.1:44433             ESTABLISHED
tcp        0      0 10.2.0.17:22                10.2.0.53:59317             ESTABLISHED
tcp        0      0 127.0.0.1:44433             127.0.0.1:5988              ESTABLISHED
udp        0      0 10.2.0.17:32771             10.2.0.75:1514              ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         DGRAM                    2856146 /var/ossec/queue/alerts/execq
unix  5      [ ]         DGRAM                    2856150 /queue/ossec/queue
unix  12     [ ]         DGRAM                    3302   /dev/log
unix  2      [ ]         DGRAM                    2856278

I'm also seeing the time difference as others have reported on the OSSIM Server SEIM (about 5 hours ahead)

Any other ideas?  If this was all amchines not communicating then I would feel better but having some work and some fail is frustraiting as all hell.  And yes i have removed and added agents on the server, removed keys (that was my first thought and I noticed good keys ending in a == and keys that did not end with == were not working)  I should also note that this is only linux and esx failing - all windows servers are sending data to the server.

only other point of data I can contribute is that the server OSSEC version is one behind the agent which is 2.7 I just downloaded from OSSEC - OSSIM is on 2.5.1 from what I can tell.