• Support
  • Forums
  • Blogs

Ossec not working properly

MikeMike

New Life Form
edited December 2012 in AlienVault USM Appliance > Sensor
Another day another question so it seems.

I recently configured a few windows servers with ossec agent to report to a sensor in that network that should be able to recieve their events.
But no events are being reported in the security events page.

I can't figure out what is wrong with the client(s).
The host says it can't connect to the server
error: 2012/10/17 03:52:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '(server ip)'.

to get an idea of what I've done / checked:
1. Yes i added the host in ossec server on the ossim client.
2. I made the keys and added them to their relevant hosts.
3. Agents are started.
4. Ossec-server is running.
5. Restarted the ossim-server.
6. The server is receiving events from the host. (although very little ~18 packets in circa 20 minutes( tcpdump to a file with only the relevant host ))
7. Events that are being received do so at the appropriate port. ( 1514 )
8. There is no natting. ( as far i can see from the logs etc )
9. Ossim firewall is not the culprit. ( standard rule opens that port any-any ( and tried it with ossim disabled ) )
10. Ran the verify agent. Nothing unusual it shows:
"2012/10/17 03:46:55 ossec-config(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 0)."
But that also shows on another sensor which receives the events fine.
11. It is a 4. sensor which is up to date.

If you need any more info please let me know.


Share post:

This discussion has been closed.