
Help setting up OSSEC

Status: Not open for further replies.

jet042 (MIS) | Dec 23, 2002 | 258 | US
I have OSSEC 2.0 installed on a CentOS 5.3 server, but I can't get any of my Windows agents to connect to it. I've checked the application firewall on Windows (it's not enabled), but the OSSEC agent log just says that it can't connect to the server. Does anyone have a suggestion about what to try next?
 
You'll probably need to start with Wireshark or tcpdump on your CentOS machine to determine if the agents are getting to the Linux box or not.

My first thought would be that the firewall on your CentOS box is enabled and blocking the incoming connection requests. That may be wrong if you have clients from other OSs connecting to your CentOS box already.

You might want to try an 'lsof -i' and/or 'netstat -a | grep LISTEN' to see if OSSEC is really listening on any ports.

Another possibility is that SELinux is enabled on your CentOS box and keeping OSSEC from being able to run with the privileges that it requires.


pansophic
 
I agree with the selinux option

try

Code:
setenforce 0

then disable selinux from /etc/selinux/config and try again

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
@pansophic - Thanks. lsof -i shows that OSSEC is listening on the right port.

@QatQat - I have set SELinux to permissive and re-started the server, but the agents still won't connect. Is there a way to see if it is actually running permissive or check the logs for it?
 
Did you try a packet capture on the CentOS machine to see if the agent packets are getting to the CentOS machine?


pansophic
 
I can't. Packet capturing tools are expressly forbidden on our corporate networks without prior approval, and I don't have that.
 
Hi Jet042,


permissive is still one of the functioning states of selinux.

set it to DISABLED

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
QatQat - I've done that now, but the remote agent still won't connect. Any more suggestions?
 
Sorry for replying so late,

have you tried to issue a

Code:
iptables -F
iptables -t nat -F



The two lines above flush any existing rules in the filter and nat chain of your iptables, if they are enabled by default.

To stop iptables completely:
Code:
service iptables stop
chkconfig --level 2345 iptables off


QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
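The checks suggested in this thread (is OSSEC listening, what state is SELinux in, is iptables dropping the agent traffic) can be scripted so they are repeatable. The script below is an added example and is not from the thread, OSSEC or Tek-Tips. It assumes the OSSEC server receives agents on its default port, UDP 1514, and that the host has net-tools (`netstat`) and `iptables-save`. Each check reads command output on stdin, so the logic runs offline against the constructed sample outputs embedded at the top; on a real server you pipe in the live commands instead. Rather than flushing every iptables rule as in the post above, it checks for, and prints, the one ACCEPT rule the agents actually need.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Every check reads command
# output on stdin so it can be exercised offline against the constructed
# samples below; on a live server pipe in the real commands.

OSSEC_PORT=1514   # ossec-remoted listens for agents on UDP 1514 by default

# --- constructed sample outputs (labelled: not captured from a real host) ---
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 0.0.0.0:1514                0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*'

SELINUX_CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

IPTABLES_SAVE_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Does 'netstat -anu' output on stdin show a UDP socket bound to the OSSEC
# port? UDP sockets never show a LISTEN state, so grep for the port itself.
ossec_listener_present() {
    grep -Eq "^udp[[:space:]].*:${OSSEC_PORT}[[:space:]]"
}

# Extract the mode (enforcing/permissive/disabled) from /etc/selinux/config
# text on stdin. This is the value applied at boot; 'getenforce' shows the
# mode in effect right now, and the two can differ until a reboot.
selinux_config_mode() {
    sed -n 's/^SELINUX=//p' | tail -n 1
}

# Does 'iptables-save' output on stdin contain an INPUT rule accepting UDP
# to the OSSEC port? A targeted rule is the narrow alternative to flushing
# the whole filter table.
iptables_allows_ossec() {
    grep -Eq -e "^-A INPUT .*-p udp .*--dport ${OSSEC_PORT} .*-j ACCEPT"
}

# Run the three checks over the given texts and print a verdict per check.
# Returns 0 only when the listener and firewall checks both pass.
ossec_server_report() {
    netstat_out=$1; selinux_cfg=$2; ipt_out=$3; rc=0
    if printf '%s\n' "$netstat_out" | ossec_listener_present; then
        echo "OK   something is bound to udp/${OSSEC_PORT}"
    else
        echo "FAIL nothing bound to udp/${OSSEC_PORT}; check 'ps -ef | grep ossec' and /var/ossec/logs/ossec.log"
        rc=1
    fi
    mode=$(printf '%s\n' "$selinux_cfg" | selinux_config_mode)
    echo "INFO SELinux mode configured for next boot: ${mode:-unset} (compare with 'getenforce')"
    if printf '%s\n' "$ipt_out" | iptables_allows_ossec; then
        echo "OK   iptables accepts udp/${OSSEC_PORT}"
    else
        echo "FAIL no INPUT rule accepts udp/${OSSEC_PORT}; add one with:"
        echo "     iptables -I INPUT -p udp --dport ${OSSEC_PORT} -j ACCEPT && service iptables save"
        rc=1
    fi
    return $rc
}

# Demonstration over the constructed samples. On a real server call it as:
#   ossec_server_report "$(netstat -anu)" "$(cat /etc/selinux/config)" "$(iptables-save)"
if ossec_server_report "$NETSTAT_SAMPLE" "$SELINUX_CONFIG_SAMPLE" "$IPTABLES_SAVE_SAMPLE"; then
    echo "all checks passed"
else
    echo "some checks failed (see above)"
fi
```

With the samples above the listener check passes and the firewall check fails, which is the situation the thread ends in: OSSEC is bound to its port but the default CentOS INPUT chain rejects everything it does not explicitly accept, so the agents' UDP packets never reach the daemon.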
 