1

I have two EC2 instances. On one I have installed the OSSEC server and on the other I have installed the OSSEC agent.

Here is my server's INBOUND config (security group/firewall):

port:514   source:0.0.0.0/0
port:1514   source:0.0.0.0/0

But it doesn't seem to be working. In my agent log file I keep getting:

2012/08/28 06:52:52 ossec-agentd: INFO: Using IPv4 for: x.x.x.x.x.x .
2012/08/28 06:53:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x.x'.

Edit:

Running `sudo netstat --inet -nlp | grep ossec`, I get:

udp        0      0 0.0.0.0:1514            0.0.0.0:*                           26027/ossec-remoted

Where am I making the mistake?

quanta
batman

4 Answers

2

It says ossec-remoted(1403): ERROR: Incorrectly formated message from 'my client ip'.

It means that you have imported the wrong authentication keys (maybe from a different agent), or the IP address you configured for the agent is different from what the server is seeing. Remove and re-add the key (make sure the IP is correct) and try again.

quanta
  • Now in the server logs I can see messages like `ossec-logcollector: INFO: Started (pid: 30441)`. But on the client I'm still getting the same `WARN: Waiting for server reply (not started). Tried: 'x.x.x.x.x'.` error! – batman Aug 28 '12 at 07:41
  • What could be the issue? – batman Aug 28 '12 at 08:11
  • Do I need to open any ports on the client side? – batman Aug 28 '12 at 08:16
  • No. Which firewall are you using? Make sure that you have opened those up for UDP and allowed outbound traffic. – quanta Aug 28 '12 at 08:27
  • Can you be clearer? Outbound traffic on the server side or the client side? Which port do I need to open? I'm very new to OSSEC, kindly help me. – batman Aug 28 '12 at 08:30
  • Server side. Please tell us which firewall you are running. Where did you put the above rules `port:1514 source:0.0.0.0/0`? – quanta Aug 28 '12 at 08:34
  • I set those firewall rules in Amazon VPC security groups. So which outbound ports do I need to open on the server side? – batman Aug 28 '12 at 08:37
  • I'm not familiar with Amazon EC2 and Security Groups. Try this: http://www.mail-archive.com/ossec-list@googlegroups.com/msg14965.html – quanta Aug 28 '12 at 09:01
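The mismatch this answer describes (the server looks up the agent's key by the source IP it sees, and finds nothing) can be checked without guessing. The script below is an added example, not code from the answer or from OSSEC: it constructs a client.keys file and a remoted error line, extracts the complained-about IP, and reports whether any entry covers it. It assumes the usual client.keys layout of one agent per line as `ID NAME IP KEY`, where the IP field may be a single address, a network in CIDR form, or `any`; the file contents, paths, IDs, keys and the log line are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the original answer: find out whether the
# source IP the OSSEC server complains about has a matching entry in the
# manager's client.keys, which is the mismatch the answer above describes.
# Assumptions (not stated in the thread): client.keys has one agent per
# line as "ID NAME IP KEY", where IP may be a single address, a network in
# CIDR form, or "any". File paths, keys and log lines below are constructed.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed client.keys: an exact address and a /24 network, no "any".
KEYS="$WORKDIR/client.keys"
cat > "$KEYS" <<'EOF'
001 web01 10.0.1.25 0f1e2d3c4b5a69788796a5b4c3d2e1f0
002 db01 10.0.2.0/24 ffeeddccbbaa99887766554433221100
EOF

# Same file plus a catch-all entry, to show how "any" changes the answer.
KEYS_ANY="$WORKDIR/client.keys.any"
{ cat "$KEYS"; echo "003 roaming any 00112233445566778899aabbccddeeff"; } > "$KEYS_ANY"

# Constructed server log line of the kind quoted in the answer.
SERVER_LOG="2012/08/28 07:30:01 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.1.26'."

# Extract the quoted source IP from an ossec-remoted error line.
ip_from_remoted_error() {
    printf '%s\n' "$1" | sed -n "s/.*from '\([^']*\)'.*/\1/p"
}

# Print the ID of the client.keys entry covering a source IP, preferring an
# exact address over a network over "any"; print nothing when none matches.
agent_id_for_ip() {
    awk -v ip="$2" '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function covers(entry, a,  p, div) {
            if (entry == "any") return 1
            if (index(entry, "/") == 0) return entry == a
            split(entry, p, "/")
            div = 2 ^ (32 - p[2])           # same prefix <=> same quotient
            return int(ip2n(p[1]) / div) == int(ip2n(a) / div)
        }
        NF >= 4 && covers($3, ip) {
            if ($3 == ip) { if (exact == "") exact = $1 }
            else if ($3 == "any") { if (anyid == "") anyid = $1 }
            else if (net == "") net = $1
        }
        END {
            if (exact != "") print exact
            else if (net != "") print net
            else if (anyid != "") print anyid
        }
    ' "$1"
    return 0
}

# One-line verdict for a remoted error line against a client.keys file.
diagnose() {
    src_ip=$(ip_from_remoted_error "$2")
    id=$(agent_id_for_ip "$1" "$src_ip")
    if [ -z "$src_ip" ]; then
        echo "unparsed: no source IP in log line"
    elif [ -n "$id" ]; then
        echo "registered: $src_ip matches agent $id; make sure that agent imported the key for ID $id"
    else
        echo "mismatch: no client.keys entry covers $src_ip; re-add the agent with this IP (or its network) and re-import the key"
    fi
    return 0
}

diagnose "$KEYS" "$SERVER_LOG"
diagnose "$KEYS_ANY" "$SERVER_LOG"
```

On EC2 the address ossec-remoted sees depends on the path the packet took: the instance's private address when the agent talks over the VPC, or its public/Elastic IP when the traffic goes out through the Internet gateway, so registering the agent with whatever address it reports locally is a common way to end up in the "mismatch" branch. Registering the network or `any` avoids that, at the cost that any host on that network holding the key can speak as that agent ID.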
1

In my case, this error was caused by an unsynced queue between server and agent, after server migration.

The queues in "/var/ossec/queue/rids" must be copied from the old server. Also, see Wazuh's recommendations for migrating from OSSEC.

As a workaround, you can clear the "./rid" directory on a Windows agent.

Andrew Schulman
Sergey
0

Simply go to the affected client "my-client-ip" and remove the client ID file found inside the directory "/var/ossec/queue/rids/", then restart the ossec-hids service; the agent will become active on the console.
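Both this answer and the previous one come down to the same step: remove the agent's anti-replay counter file under the rids queue and restart. The script below is an added example, not code from either answer or from OSSEC, that does the removal by moving the files into a backup directory so the old state can be put back if the counters turn out not to be the cause. It assumes the counter file is named after the agent ID, as both answers state, and additionally assumes the agent keeps a `sender_counter` file in the same directory that should be reset alongside it; the directory, file names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from either answer above: reset an agent's anti-replay
# counter files in the rids queue by moving them to a backup directory
# instead of deleting them, so the state can be restored if the cause turns
# out to be something else. Assumptions: the counter file is named after the
# agent ID, as both answers say; an OSSEC agent is assumed here to also keep
# a "sender_counter" file in the same directory, which is reset alongside.
# Paths and file contents are constructed; on a real agent RIDS_DIR is
# /var/ossec/queue/rids, and ossec-hids is stopped before and restarted after.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
RIDS_DIR="$WORKDIR/rids"
BACKUP_DIR="$WORKDIR/rids.bak"

# Create constructed counter files for agent 001 (contents are placeholders;
# nothing below parses them).
seed_counters() {
    mkdir -p "$1"
    printf 'placeholder\n' > "$1/001"
    printf 'placeholder\n' > "$1/sender_counter"
}

# "yes" if the counter file for the agent ID is still present, else "no".
counter_present() {
    if [ -f "$1/$2" ]; then echo yes; else echo no; fi
}

# Number of files in a directory (avoids ls | wc, whose output is padded
# on some systems).
file_count() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Move the agent's counter files to the backup directory with a timestamp,
# never overwriting an earlier backup. Prints "badid" for a non-numeric ID,
# "reset" when something was moved, "missing" when there was nothing to move.
reset_rids_counter() {
    rids_dir=$1
    agent_id=$2
    backup_dir=$3
    case $agent_id in ''|*[!0-9]*) echo badid; return 0 ;; esac
    mkdir -p "$backup_dir"
    stamp=$(date +%Y%m%d%H%M%S)
    moved=0
    for f in "$rids_dir/$agent_id" "$rids_dir/sender_counter"; do
        [ -f "$f" ] || continue
        dest="$backup_dir/$(basename "$f").$stamp"
        i=0
        while [ -e "$dest" ]; do
            i=$((i + 1))
            dest="$backup_dir/$(basename "$f").$stamp.$i"
        done
        mv "$f" "$dest"
        moved=$((moved + 1))
    done
    if [ "$moved" -gt 0 ]; then echo reset; else echo missing; fi
    return 0
}

seed_counters "$RIDS_DIR"
echo "before: counter for 001 present = $(counter_present "$RIDS_DIR" 001)"
echo "reset:  $(reset_rids_counter "$RIDS_DIR" 001 "$BACKUP_DIR")"
echo "after:  counter for 001 present = $(counter_present "$RIDS_DIR" 001)"
echo "backed up $(file_count "$BACKUP_DIR") file(s) in $BACKUP_DIR"
```

Run it with the agent stopped, then start it again; the counters are recreated from the first successful exchange with the server. The "missing" result is worth checking for before concluding anything: if there was no counter file for the ID on the agent, the counter was not what blocked it, and the key or IP mismatch from the first answer is the more likely cause.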

0

I faced the same problem a few months ago with ossec-hids v2.9.2 on CentOS 7.

If you have imported the correct authentication keys, you need to enable IPv6 on the OSSEC server in order to be able to run ossec-remoted. Remember to restart the ossec-hids service after making the changes to the IPv6 configuration.

I don't know if it is a feature or a bug, but after enabling IPv6, ossec-remoted answered the OSSEC clients.

Abel