
OSSEC service is down even though I have attached an agent to it.

jamesykl
edited June 2014 in AlienVault USM Appliance > Sensor
Hi guys, I encountered another problem, which indicates that my ossec is down. I tried to start it but it is still not working. Am I doing something wrong?

I installed the Unix ossec agent in my CentOS VM, and the IP address I used is the one I saw in ifconfig. I followed the method but still cannot boot up the ossec sensor in OSSIM.

I hope someone can help me out with this problem, because I tried all day but still can't get it up.

The aim I want to achieve is to allow OSSIM to detect the log in my CentOS VM. Just as simple as that.

For CentOS - the network connection I used is NAT

For the OSSIM server, in a VM as well - the network connection I used is Host-only

Does this affect the connection?


Best Answer

  • Answer ✓
    I always need to start the ossec server under ossec control. I agree with @rezgui: restart the ossec server.

Answers

  • edited June 2014
    Hi, try to restart the agent and also verify the key.
    The network connection doesn't affect the connection between the ossec server and the agent.
  • Yeah, I have tried restarting the agent but it is still the same. Wondering what might have gone wrong with the system... Did you encounter this problem before, or has your ossec been running all along?
  • Also restart the ossec server.
  • I tried restarting but it is still down. It doesn't seem to be able to run.
  • See the ossec log, /var/ossec/log/ossec.log, to resolve the problem.
  • From the log, what should I look out for? Sorry, I am quite new to this stuff.
  • To see the error message from ossec, to understand the problem.
  • It seems like I got an error about being unable to access the queue in this location:

    "var/ossec/queue/ossec/queue"

    And when I go to that file, it says that error in handling queue No such device or address

    How should I solve this problem?
  • Hmm, it seems that the problem is still there despite the fact that the solution was to stop and start the ossec services.

    What is meant by "If there is any configuration error, fix it."?
  • edited June 2014
    You need to check whether the pid for the services (ossec-, ossec-logcollector, ossec-monitord, ossec-remoted, ossec-syscheckd) in /var/ossec/var/run exists or not,
    to know exactly which service isn't running.
  • I found out the reason why my ossec is down. The reason is that I have dummy agents with the wrong IP address in it. The ossec service is able to run when I only had my 127.0.0.1 service running. If I add in, like, ossec in my Linux virtual machine, it will go down again. I was wondering whether the possible reason for it is the IP address of my OSSIM, because I am using a host-only network connection. Does anyone have a similar configuration for their OSSIM network connection?
  • OK, I found out the reason why... The reason is highly likely that the ossec-remote is not running. I just tried another installation of OSSIM in another VMware and it had ossec-remote running as well as ossec-service running all the time. With this I am able to link with my Windows agent with a result of active status.

    However, I was thinking: what could be the possible reason that causes the ossec-remote to be down? Does anyone have any idea on this?
This discussion has been closed.
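
The pid-file check suggested in the thread, written out as a shell script. This is an added example, not part of the original discussion and not OSSEC's own code; it assumes pid files are named `<daemon>-<pid>.pid` and contain the pid, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which OSSEC daemons have no live process behind
# their pid file. Assumption: pid files are named <daemon>-<pid>.pid and
# contain the pid. Function names are hypothetical.

# Print "running", "stale" (pid file present, process gone) or "missing".
ossec_daemon_status() {
    run_dir=$1
    daemon=$2
    state=missing
    for pid_file in "$run_dir/$daemon"-*.pid; do
        [ -f "$pid_file" ] || continue      # glob matched nothing
        state=stale
        pid=$(tr -cd '0-9' < "$pid_file")   # keep digits only
        # kill -0 sends no signal; it only tests that the pid exists.
        # Run as root, otherwise another user's process looks dead.
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            state=running
            break
        fi
    done
    echo "$state"
}

# Print "<daemon> <state>" for every daemon that is not running.
ossec_down_daemons() {
    run_dir=$1
    shift
    for daemon in "$@"; do
        status=$(ossec_daemon_status "$run_dir" "$daemon")
        [ "$status" = running ] || echo "$daemon $status"
    done
}

# Run directory and complete daemon names as given in the thread.
OSSEC_RUN_DIR=${OSSEC_RUN_DIR:-/var/ossec/var/run}
OSSEC_DAEMONS="ossec-logcollector ossec-monitord ossec-remoted ossec-syscheckd"

if [ "${1:-}" = "--check" ]; then
    # shellcheck disable=SC2086  # word splitting of the list is intended
    ossec_down_daemons "$OSSEC_RUN_DIR" $OSSEC_DAEMONS
fi
```

Run with `--check` on the server; a `stale` result means the daemon started and then exited, so its startup error is the one to look for in the ossec log.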