Issue with OSSIM server

Hello Everyone,

I have recently installed OSSIM 5.6.5 on a Virtual platform.
After installation, the following are the issues I am facing:

  • The agents which are in sync with the OSSIM server using the OSSEC agent stay active for approximately 48 hours and then go into an offline state.
  • The agents, when in an active state, do not send logs to the OSSIM Server.
  • The few logs that are getting captured show the IP address as in source and destination.
Need to fix this on an urgent basis.

  • Devang,

    The agent disconnect issue, particularly the timing of the disconnect, tends to indicate that a firewall or router is blocking response packets from your OSSIM Server. I would check:

    1 - That network or local firewalls are allowing response traffic (you may need to add an exception).
    2 - That you do not have two interfaces configured with IP addresses in the same subnet (potential UDP routing issues).

    This may be helpful for troubleshooting agent issues in general:

    With regard to the SRC/DST address issue, have you confirmed that the events being seen actually include a source or destination IP address in the raw log, or a resolvable address if a hostname is being sent instead?
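As an added example (not part of this thread or of OSSIM/OSSEC itself), a small shell script for the second check in the reply above: it parses `ip -o -4 addr show` style lines and reports any subnet shared by more than one interface. The sample `ip` output embedded in it is constructed.

```shell
#!/bin/sh
# Added example: flag interfaces whose IPv4 addresses fall in the same subnet,
# one of the causes of UDP routing trouble for OSSEC agent traffic named above.
# Usage on a live host:  ip -o -4 addr show | find_shared_subnets

# Convert a dotted-quad address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network number of an "a.b.c.d/prefix" string, printed as an integer.
net_of_cidr() {
  local addr prefix mask
  addr=${1%/*}; prefix=${1#*/}
  mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
  echo $(( $(ip_to_int "$addr") & mask ))
}

# Read "ip -o -4 addr show" lines on stdin. Print each subnet shared by more
# than one interface as "<network-int> <iface> <iface>..."; exit 1 if any.
find_shared_subnets() {
  local line
  while read -r line; do
    set -- $line                      # fields: index, iface, "inet", cidr, ...
    [ "$3" = "inet" ] || continue
    printf '%s %s\n' "$(net_of_cidr "$4")" "$2"
  done | sort | awk '
    { members[$1] = members[$1] " " $2; count[$1]++ }
    END {
      for (net in members) if (count[net] > 1) { print net members[net]; found = 1 }
      exit found ? 1 : 0
    }'
}

# Constructed sample: eth0 and eth1 share 192.168.1.0/24, eth2 does not.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth1
4: eth2    inet 10.0.0.5/8 brd 10.255.255.255 scope global eth2'

# Set RUN_DEMO=1 to run the check against the constructed sample.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  printf '%s\n' "$SAMPLE_IP_OUTPUT" | find_shared_subnets
fi
```

On a real host, pipe the live `ip -o -4 addr show` output into `find_shared_subnets` and treat a non-zero exit as the overlap the reply warns about.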
