I recently configured a few Windows servers with ossec agent to report to a sensor in that network that should be able to receive their events. But no events are being reported in the security events page.
I can't figure out what is wrong with the client(s). The host says it can't connect to the server. Error: 2012/10/17 03:52:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '(server ip)'.
To get an idea of what I've done / checked:
1. Yes, I added the host in ossec server on the ossim client.
2. I made the keys and added them to their relevant hosts.
3. Agents are started.
4. Ossec-server is running.
5. Restarted the ossim-server.
6. The server is receiving events from the host (although very little: ~18 packets in circa 20 minutes; tcpdump to a file with only the relevant host).
7. Events that are being received do so at the appropriate port (1514).
8. There is no natting (as far as I can see from the logs etc.).
9. Ossim firewall is not the culprit (standard rule opens that port any-any, and I tried it with ossim disabled).
10. Ran the verify agent. Nothing unusual. It shows: "2012/10/17 03:46:55 ossec-config(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 0)." But that also shows on another sensor which receives the events fine.
11. It is a 4. sensor which is up to date.