Solved FreeBSD 10 - OSSEC - Jail problem

fred974

Daemon

Reaction score: 47
Messages: 1,628

Hello everyone,

I have a problem with security/ossec-hids-server where the Agent is not sending any data to MySQL.
Host_ip: 192.168.1.185
Jail_ip: 192.168.1.125

I installed OSSEC on the host and the agent in the jail. Both the OSSEC server and the OSSEC agent are up and running and I have no error in the logs.

As I have my web server in another jail, I have decided to send all the OSSEC data to a MySQL database. This was done because I couldn't think of how to get the data sent from the jail to the host in any other way.

When I look at the database, it is obvious that the server is sending some data to the database, but nothing sent from the agent has been recorded:
Code:
mysql> select * from agent;
Empty set (0.00 sec)

mysql> show tables;
+----------------------------+
| Tables_in_ossec            |
+----------------------------+
| agent                      |
| alert                      |
| category                   |
| data                       |
| location                   |
| server                     |
| signature                  |
| signature_category_mapping |
+----------------------------+
8 rows in set (0.00 sec)

mysql> select * from agent;
Empty set (0.00 sec)

mysql> select * from alert;
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
| id | server_id | rule_id | timestamp  | location_id | src_ip    | dst_ip | src_port | dst_port | alertid         |
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
|  1 |         1 |     502 | 1417014593 |           1 |         0 |      0 |        0 |        0 | 1417014592.2516 |
|  2 |         1 |    1002 | 1417024802 |           2 |         0 |      0 |        0 |        0 | 1417024800.3018 |
|  3 |         1 |    5715 | 1417028982 |           3 | 168301574 |      0 |        0 |        0 | 1417028981.3301 |
|  4 |         1 |    5303 | 1417028992 |           4 |         0 |      0 |        0 |        0 | 1417028992.3654 |
|  5 |         1 |    5302 | 1417029028 |           4 |         0 |      0 |        0 |        0 | 1417029028.3901 |
|  6 |         1 |    5303 | 1417029044 |           4 |         0 |      0 |        0 |        0 | 1417029040.4169 |
|  7 |         1 |     503 | 1417032907 |           5 |         0 |      0 |        0 |        0 | 1417032905.4416 |
|  8 |         1 |     550 | 1417032907 |           6 |         0 |      0 |        0 |        0 | 1417032905.4606 |
|  9 |         1 |     591 | 1417046418 |           7 |         0 |      0 |        0 |        0 | 1417046415.0    |
| 10 |         1 |     591 | 1417046444 |           8 |         0 |      0 |        0 |        0 | 1417046443.199  |
+----+-----------+---------+------------+-------------+-----------+--------+----------+----------+-----------------+
26 rows in set (0.00 sec)

mysql> select * from data;
Empty set (0.00 sec)

mysql> select * from location;
+----+-----------+----------------------------------------------+
| id | server_id | name                                         |
+----+-----------+----------------------------------------------+
|  1 |         1 | trinity->ossec-monitord                      |
|  2 |         1 | trinity->/var/log/maillog                    |
|  3 |         1 | trinity->/var/log/auth.log                   |
|  4 |         1 | trinity->/var/log/messages                   |
|  5 |         1 | (webagent) 192.168.1.125->ossec              |
|  6 |         1 | (webagent) 192.168.1.125->syscheck           |
|  7 |         1 | (webagent) 192.168.1.125->ossec-logcollector |
|  8 |         1 | trinity->ossec-logcollector                  |
+----+-----------+----------------------------------------------+
8 rows in set (0.00 sec)
Here is the log from the OSSEC server's /ossec-hids/logs/ossec.log:
Code:
2014/11/27 11:20:37 ossec-execd: INFO: Started (pid: 9095).
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading local decoder file.
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2014/11/27 11:20:37 ossec-remoted: INFO: Started (pid: 14366).
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2014/11/27 11:20:37 ossec-rootcheck: System audit file not configured.
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2014/11/27 11:20:37 ossec-analysisd: INFO: Total rules enabled: '1258'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2014/11/27 11:20:37 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2014/11/27 11:20:42 ossec-syscheckd: INFO: Started (pid: 16957).
2014/11/27 11:20:42 ossec-rootcheck: INFO: Started (pid: 16957).
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/11/27 11:20:42 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/security'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2014/11/27 11:20:43 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/11/27 11:20:43 ossec-logcollector: INFO: Started (pid: 12471).
2014/11/27 11:20:53 ossec-dbd: Connected to database 'ossec' at '192.168.1.130'.
2014/11/27 11:21:45 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/11/27 11:21:45 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/11/27 11:24:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/11/27 11:25:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2014/11/27 11:25:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/11/27 11:28:22 ossec-rootcheck: INFO: Ending rootcheck scan.
2014/11/27 11:58:24 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 12:02:00 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 12:32:01 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 12:35:37 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:10:38 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:14:14 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:44:15 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:47:50 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:17:51 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:21:26 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:51:27 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:55:01 ossec-syscheckd: INFO: Ending syscheck scan.
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Here is the log from the OSSEC agent's /ossec-hids/logs/ossec.log:
Code:
2014/11/27 11:20:43 ossec-execd: INFO: Started (pid: 8738).
2014/11/27 11:20:43 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2014/11/27 11:20:43 ossec-rootcheck: System audit file not configured.
2014/11/27 11:20:47 ossec-syscheckd: INFO: Started (pid: 15034).
2014/11/27 11:20:47 ossec-rootcheck: INFO: Started (pid: 15034).
2014/11/27 11:20:47 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/11/27 11:20:47 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/11/27 11:20:47 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/11/27 11:20:47 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/11/27 11:20:47 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/11/27 11:20:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/27 11:20:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2014/11/27 11:20:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/security'.
2014/11/27 11:20:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2014/11/27 11:20:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/11/27 11:20:49 ossec-logcollector: INFO: Started (pid: 12228).
2014/11/27 11:21:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/11/27 11:21:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/11/27 11:24:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/11/27 11:25:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2014/11/27 11:25:29 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/11/27 11:26:10 ossec-rootcheck: INFO: Ending rootcheck scan.
2014/11/27 11:56:11 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 11:59:45 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 12:29:46 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 12:33:17 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:03:19 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:06:51 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 13:36:52 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 13:40:23 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:10:24 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:13:57 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 14:43:58 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 14:47:33 ossec-syscheckd: INFO: Ending syscheck scan.
2014/11/27 15:17:34 ossec-syscheckd: INFO: Starting syscheck scan.
2014/11/27 15:21:06 ossec-syscheckd: INFO: Ending syscheck scan.
I am not sure what this line means:
Code:
ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
Does it mean that it sent the data to the DB?

This is the client/agent ossec-hids/etc/ossec.conf file:
Code:
<!-- OSSEC WebAgent config -->
<ossec_config>
  <client>
    <server-ip>192.168.1.185</server-ip>
  </client>
  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours (7200 seconds) -->
    <frequency>1800</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
  <!--
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
  -->
</ossec_config>
This is the server ossec-hids/etc/ossec.conf file:
Code:
<!-- OSSEC Server config -->

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@gmail.com</email_to>
    <smtp_server>smtp.gmail.com</smtp_server>
    <email_from>root@jails.kkkkkk.net.</email_from>
  </global>

  <database_output>
    <hostname>192.168.1.130</hostname>
    <username>ossecadmin</username>
    <password>xm17***lwj1lztggnyx7ryb</password>
    <database>ossec</database>
    <port>1226</port>
    <type>mysql</type>
  </database_output>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>


  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>1800</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.125</white_list>
    <white_list>192.168.1.145</white_list>
    <white_list>192.168.1.130</white_list>
  </global>

  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.1.125</allowed-ips>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>pf-block</name>
    <executable>pf.sh</executable>
    <expect>srcip</expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>pf-block</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_group>authentication_failed,authentication_failures</rules_group>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>
I tried temporarily disabling the firewall with pfctl -d, but it hasn't changed anything.

Thank you in advance for your help

Fred
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 12,764
Messages: 39,365

As far as I understand from the documentation the agent doesn't connect to the MySQL database. Only the manager does.
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Well this is what I thought as well but I wasn't too sure. So this means that the server is not getting the info from the agent to then be passed to the database.

Is the way I disabled pf correct to test the connection between my FreeBSD host and jail?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 12,764
Messages: 39,365

So this means that the server is not getting the info from the agent to then be passed to the database.
That would seem to be the case.

Is the way I disabled pf correct to test the connection between my FreeBSD host and jail?
Yes, a pfctl -d completely disables it.
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Hi SirDice,
Could you please tell me if the following command is correct to see if my agent is sending data to the host:
tcpdump -i lagg0 dst 192.168.1.125 and port 1514

Having no error in the logs and the firewall disabled, I find it hard to see how to tackle this problem :(

Generally speaking, how do you get the jails to communicate with the host without breaking the security model around jails?
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

I just managed to get the following error but I have no idea what it really means:
/usr/local/ossec-hids/bin/ossec-syscheckd -d
Code:
2014/11/27 22:41:42 ossec-syscheckd: DEBUG: Starting ...
2014/11/27 22:41:42 ossec-rootcheck: DEBUG: Starting ...
2014/11/27 22:41:42 ossec-rootcheck: Starting queue ...
2014/11/27 22:41:46 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2014/11/27 22:41:46 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2014/11/27 22:41:54 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2014/11/27 22:41:54 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2014/11/27 22:42:08 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2014/11/27 22:42:08 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Hi everyone,

Since my last post I found out that I need to use the jail IP address in the agent <server> block:
Code:
<client>
  <server-ip>192.168.1.125</server-ip>
</client>
Since I did that, I get the following error messages in the agent log file:
Code:
2014/11/30 22:50:41 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2014/11/30 22:50:45 ossec-syscheckd: socket busy ..
2014/11/30 22:50:50 ossec-syscheckd: socket busy ..
2014/11/30 22:50:50 ossec-logcollector: socketerr (not available).
/usr/local/ossec-hids/bin/ossec-syscheckd -d
is now giving me:
Code:
2014/11/30 22:51:57 ossec-syscheckd: DEBUG: Starting ...
2014/11/30 22:51:57 ossec-rootcheck: DEBUG: Starting ...
2014/11/30 22:51:57 ossec-rootcheck: Starting queue ...
2014/11/30 22:51:57 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '6400'.
Could anyone please assist me?

Thank you

Fred
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Hi guys,

Any help on how to resolve this problem would be much appreciated.

Thank you all
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

More tests done today...
### From the OSSEC agent inside FreeBSD jail ###
/usr/local/ossec-hids/bin/ossec-control status
Code:
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
tcpdump -i lagg0 port 1514
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lagg0, link-type EN10MB (Ethernet), capture size 65535 bytes
...Nothing after 30 minutes, so I guess the agent isn't sending any packets to the manager

### From the OSSEC server ... FreeBSD Host ###
/usr/local/ossec-hids/bin/ossec-control status
Code:
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
tcpdump -i lagg0 port 1514
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lagg0, link-type EN10MB (Ethernet), capture size 65535 bytes
...Nothing after 30 minutes
/usr/local/ossec-hids/bin/agent_control -lc
Code:
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: trinity.skint.ltd (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: webagent, IP: 192.168.1.125/24, Active
 

junovitch@

Daemon
Developer

Reaction score: 632
Messages: 1,773

I can't help with the application you are using as I have no experience with it, but I see two things wrong right off the bat.

First off:
Generally speaking, how do you get the jails to communicate with the host without breaking the security model around jails?

To answer your comment, things just work if you don't do any crazy things with multiple routing tables. Your approach is wrong here: tcpdump -i lagg0 dst 192.168.1.125. The reason for this is when communication is happening on the local machine, it will not use the lagg interface. It uses the loopback. What you want to use is tcpdump -i lo0 host 192.168.1.125 to get that local traffic and both sides of the communication.

To go with the above point, it is very typical to skip firewalling on the loopback with PF. You shouldn't have to disable PF as you mentioned above at all if you use the typical skip rule like this on the loopback in your /etc/pf.conf.
Code:
set skip on lo

Secondly, why are you looking at port 1514? According to /etc/services, that port is Fujitsu-dtcns. MySQL uses 3306 by default and Syslog is 514 by default. Does sockstat on your jail show an open socket from the jail IP to port 3306 on the host? Can you post the result?
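Following on from the sockstat question and the loopback point in the post above, here is an added example (my own, not code from the thread or from the OSSEC project) that reads sockstat(1)-style output and reports, for each agent socket aimed at port 1514, whether the same snapshot contains a manager socket bound to that address. It assumes the column layout of `sockstat -4` (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS), that the OSSEC agent/manager port is 1514 over UDP, and that a bound-but-unconnected socket shows `*:*` as its foreign address; the sample lines are constructed to resemble the thread's output, not copied from it.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the OSSEC agent sockets in a
# sockstat -4 snapshot have a manager (ossec-remoted) socket to talk to.  Because
# the host's sockstat lists jail sockets as well, one snapshot taken on the host
# shows both sides of a jail-to-host conversation.

OSSEC_PORT=1514   # assumption: OSSEC's default agent/manager UDP port

# Constructed sample: a manager bound to the host address, an agent in the jail
# sending to the jail address (nothing is bound there), and an unrelated listener.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ossec    ossec-remo 14366 4  udp4   192.168.1.185:1514    *:*
ossec    ossec-agen 30229 7  udp4   192.168.1.125:34667   192.168.1.125:1514
88       mysqld     2287  14 tcp4   192.168.1.130:2596    *:*'

# Reduce stdin to the IPv4 UDP sockets that involve $OSSEC_PORT, one per line as
# "<role> <local> <foreign>".  A foreign address of "*:*" is a bound, unconnected
# socket (the manager side); a foreign address ending in the port is an agent side.
ossec_sockets() {
    awk -v port="$OSSEC_PORT" '
        $5 == "udp4" {
            nl = split($6, l, ":"); nf = split($7, f, ":")
            if ($7 == "*:*" && l[nl] == port)      print "listener", $6, $7
            else if ($7 != "*:*" && f[nf] == port) print "agent", $6, $7
        }'
}

# Exit 0 when some listener on $OSSEC_PORT is bound to $1 or to the wildcard
# address, i.e. an agent configured with <server-ip>$1</server-ip> has a target.
listener_for() {
    ossec_sockets | awk -v ip="$1" '
        $1 == "listener" { split($2, a, ":"); if (a[1] == ip || a[1] == "*") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# For every agent socket in the snapshot on stdin, print the address it sends to
# and whether a matching listener exists in the same snapshot.
check_agents() {
    snapshot=$(cat)
    printf '%s\n' "$snapshot" | ossec_sockets | while read -r role laddr faddr; do
        [ "$role" = agent ] || continue
        target=${faddr%:*}
        if printf '%s\n' "$snapshot" | listener_for "$target"; then
            echo "agent $laddr -> $faddr: listener present"
        else
            echo "agent $laddr -> $faddr: NO listener on $target:$OSSEC_PORT"
        fi
    done
}

# Stand-alone run over the constructed sample; on a real system use:
#   sockstat -4 | check_agents
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_agents
```

On the constructed sample the agent is reported as having no listener on 192.168.1.125:1514, which is the shape of mismatch to look for when an agent's `<server-ip>` and the manager's bind address disagree. Because the traffic between a jail and its host stays on the loopback, as explained above, a listener that is present here but no packets on `tcpdump -i lo0` is the next thing to check, and a missing listener means looking at the manager side before touching the firewall.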
 
OP
fred974

fred974

Daemon

Reaction score: 47
Messages: 1,628

Hi junovitch,
Thank you very much for your reply, it is very much appreciated.
I am looking at port 1514 because this is the default port for OSSEC.
The agent in the jail communicates with the OSSEC server installed on the FreeBSD host via port 1514. It is the OSSEC server that then relays the data to MySQL.

I do use the skip rule on the loopback in my /etc/pf.conf, so I'm glad to know that I can keep pf running.

tcpdump -i lo0 from the FreeBSD host:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
This is the sockstat output from the FreeBSD host:
Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS          FOREIGN ADDRESS
sysadmin sshd       86701 4  stream -> ??
sysadmin sshd       86701 5  tcp4   192.168.1.185:2913     10.8.20.10:54010
root     sshd       86698 5  tcp4   192.168.1.185:2913     10.8.20.10:54010
root     sshd       86698 6  stream -> ??
ossec    ossec-agen 30245 4  dgram  /queue/ossec/queue
ossec    ossec-agen 30245 7  udp4   192.168.1.125:53101    192.168.1.125:1514
ossec    ossec-agen 30245 8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-logc 30233 4  dgram  -> /queue/ossec/queue
ossec    ossec-agen 30229 4  dgram  /queue/ossec/queue
ossec    ossec-agen 30229 7  udp4   192.168.1.125:34667    192.168.1.125:1514
ossec    ossec-agen 30229 8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-exec 30225 4  dgram  /usr/local/ossec-hids/queue/alerts/execq
root     cron       2297  4  dgram  -> /var/run/logpriv
88       mysqld     2287  14 tcp4   192.168.1.130:2596     *:*
88       mysqld     2287  15 stream /tmp/mysql.sock
root     syslogd    1616  4  dgram  /var/run/log
root     syslogd    1616  5  dgram  /var/run/logpriv
root     cron       1524  4  dgram  -> /var/run/logpriv
root     syslogd    1468  4  dgram  /var/run/log
root     syslogd    1468  5  dgram  /var/run/logpriv
root     cron       1386  4  dgram  -> /var/run/logpriv
root     sshd       1382  4  tcp4   192.168.1.125:2914     *:*
www      hiawatha   1362  3  tcp4   192.168.1.125:80       *:*
www      php-fpm    1358  0  stream /var/run/php-fpm.sock
www      php-fpm    1357  0  stream /var/run/php-fpm.sock
root     php-fpm    1356  6  stream -> ??
root     php-fpm    1356  8  stream -> ??
root     php-fpm    1356  9  stream /var/run/php-fpm.sock
root     syslogd    1282  4  dgram  /var/run/log
root     syslogd    1282  5  dgram  /var/run/logpriv
root     sshd       1202  4  tcp4   192.168.1.185:2913     *:*
nobody   openvpn    1180  6  udp4   192.168.1.185:1194     *:*
_smtpd   smtpd      1163  4  tcp4   127.0.0.1:25           *:*
_smtpd   smtpd      1163  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1163  7  stream -> ??
_smtpd   smtpd      1163  24 stream -> ??
_smtpd   smtpd      1163  26 stream -> ??
_smtpd   smtpd      1163  28 stream -> ??
_smtpd   smtpd      1163  34 stream -> ??
_smtpd   smtpd      1162  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1162  73 stream -> ??
_smtpd   smtpd      1162  91 stream -> ??
_smtpd   smtpd      1161  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1161  17 stream -> ??
_smtpd   smtpd      1161  59 stream -> ??
_smtpd   smtpd      1161  69 stream -> ??
_smtpd   smtpd      1161  84 stream -> ??
_smtpd   smtpd      1160  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1160  9  stream -> ??
_smtpd   smtpd      1160  25 stream -> ??
_smtpd   smtpd      1160  48 stream -> ??
_smtpd   smtpd      1159  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1159  15 stream -> ??
_smtpd   smtpd      1159  57 stream -> ??
_smtpd   smtpd      1159  67 stream -> ??
_smtpd   smtpd      1159  78 stream -> ??
_smtpd   smtpd      1158  5  dgram  -> /var/run/logpriv
_smtpd   smtpd      1158  11 stream -> ??
_smtpd   smtpd      1158  27 stream -> ??
_smtpd   smtpd      1158  54 stream -> ??
_smtpd   smtpd      1158  56 stream -> ??
_smtpd   smtpd      1158  58 stream -> ??
_smtpd   smtpd      1158  60 stream -> ??
_smtpd   smtpd      1157  4  stream /var/run/smtpd.sock
66 _smtpd  smtpd  1157  5  dgram  -> /var/run/logpriv
67 _smtpd  smtpd  1157  19 stream -> ??
68 _smtpd  smtpd  1157  35 stream -> ??
69 _smtpd  smtpd  1157  49 stream -> ??
70 _smtpd  smtpd  1157  61 stream -> ??
71 _smtpd  smtpd  1157  71 stream -> ??
72 _smtpd  smtpd  1157  79 stream -> ??
73 _smtpd  smtpd  1157  85 stream -> ??
74 _smtpd  smtpd  1157  90 stream -> ??
75 _smtpq  smtpd  1156  5  dgram  -> /var/run/logpriv
76 _smtpq  smtpd  1156  13 stream -> ??
77 _smtpq  smtpd  1156  29 stream -> ??
78 _smtpq  smtpd  1156  55 stream -> ??
79 _smtpq  smtpd  1156  66 stream -> ??
80 _smtpq  smtpd  1156  68 stream -> ??
81 _smtpq  smtpd  1156  70 stream -> ??
82 _smtpq  smtpd  1156  72 stream -> ??
83 root  smtpd  1154  5  dgram  -> /var/run/logpriv
84 root  smtpd  1154  6  stream -> ??
85 root  smtpd  1154  8  stream -> ??
86 root  smtpd  1154  10 stream -> ??
87 root  smtpd  1154  12 stream -> ??
88 root  smtpd  1154  14 stream -> ??
89 root  smtpd  1154  16 stream -> ??
90 root  smtpd  1154  18 stream -> ??
91 ossec  ossec-moni 1146  4  dgram  -> /queue/ossec/queue
92 root  ossec-sysc 1142  3  dgram  -> /queue/ossec/queue
93 root  ossec-sysc 1142  5  dgram  -> /queue/ossec/queue
94 ossecr  ossec-remo 1139  4  udp4  *:1514  *:*
95 ossecr  ossec-remo 1139  5  dgram  /queue/alerts/ar
96 ossecr  ossec-remo 1139  6  dgram  -> /queue/ossec/queue
97 root  ossec-logc 1133  4  dgram  -> /queue/ossec/queue
98 ossec  ossec-anal 1129  4  dgram  /queue/ossec/queue
99 ossec  ossec-anal 1129  8  dgram  -> /queue/alerts/ar
100 ossec  ossec-anal 1129  9  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
101 root  ossec-exec 1125  4  dgram  /usr/local/ossec-hids/queue/alerts/execq
102 root  ntpd  1096  3  stream -> ??
103 root  ntpd  1096  4  dgram  -> /var/run/logpriv
104 _ntp  ntpd  1095  3  stream -> ??
105 _ntp  ntpd  1095  4  stream -> ??
106 _ntp  ntpd  1095  5  dgram  -> /var/run/logpriv
107 _ntp  ntpd  1095  8  stream -> ??
108 _ntp  ntpd  1094  3  udp4  192.168.1.185:37173  130.88.212.143:123
109 _ntp  ntpd  1094  4  stream -> ??
110 _ntp  ntpd  1094  5  dgram  -> /var/run/logpriv
111 _ntp  ntpd  1094  6  udp4  127.0.0.1:123  *:*
112 _ntp  ntpd  1094  7  stream -> ??
113 _ntp  ntpd  1094  8  udp4  192.168.1.185:24821  178.62.250.107:123
114 _ntp  ntpd  1094  9  udp4  192.168.1.185:54984  193.62.22.98:123
115 _ntp  ntpd  1094  10 udp4  192.168.1.185:39101  217.114.59.66:123
116 _ntp  ntpd  1094  11 udp4  192.168.1.185:22079  143.210.16.201:123
117 _ntp  ntpd  1094  12 udp4  192.168.1.185:65150  84.45.170.220:123
118 root  syslogd  939  4  dgram  /var/run/log
119 root  syslogd  939  5  dgram  /var/run/logpriv
120 _pflogd  pflogd  833  5  stream -> ??
121 root  pflogd  829  4  stream -> ??
122 root  devd  821  4  stream /var/run/devd.pipe
123 root  devd  821  7  dgram  -> /var/run/logpriv
I can see 2 entries at lines 7 and 11. Does this mean that the agent on the jail is actually communicating with the jail?
Code:
  7 ossec    ossec-agen 30245 7  udp4   192.168.1.125:53101   192.168.1.125:1514
11 ossec    ossec-agen 30229 7  udp4   192.168.1.125:34667   192.168.1.125:1514
This is the sockstat from the FreeBSD jail:
Code:
  1 USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
  2 ossec    ossec-agen 30245 4  dgram  /queue/ossec/queue
  3 ossec    ossec-agen 30245 7  udp4   192.168.1.125:65507   192.168.1.125:1514
  4 ossec    ossec-agen 30245 8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
  5 root     ossec-logc 30233 4  dgram  -> /queue/ossec/queue
  6 ossec    ossec-agen 30229 4  dgram  /queue/ossec/queue
  7 ossec    ossec-agen 30229 7  udp4   192.168.1.125:31486   192.168.1.125:1514
  8 ossec    ossec-agen 30229 8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
  9 root     ossec-exec 30225 4  dgram  /usr/local/ossec-hids/queue/alerts/execq
10 root     cron       1386  4  dgram  -> /var/run/logpriv
11 root     sshd       1382  4  tcp4   192.168.1.125:1914    *:*
12 www      hiawatha   1362  3  tcp4   192.168.1.125:80      *:*
13 www      php-fpm    1358  0  stream /var/run/php-fpm.sock
14 www      php-fpm    1357  0  stream /var/run/php-fpm.sock
15 root     php-fpm    1356  6  stream -> ??
16 root     php-fpm    1356  8  stream -> ??
17 root     php-fpm    1356  9  stream /var/run/php-fpm.sock
18 root     syslogd    1282  4  dgram  /var/run/log
19 root     syslogd    1282  5  dgram  /var/run/logpriv
sockstat on my jail shows no open socket from the jail IP (192.168.1.125) to port 1514 on the host.

I have to admit that I am really confused in interpreting these 2 lines from the FreeBSD host:
Code:
 7 ossec    ossec-agen 30245 7  udp4   192.168.1.125:53101   192.168.1.125:1514
11 ossec    ossec-agen 30229 7  udp4   192.168.1.125:34667   192.168.1.125:1514
 
OP
fred974

Daemon

tcpdump -i lo0 host 192.168.1.125 from the FreeBSD Host after restarting the ossec agent got me this:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
...
11:22:45.900215 IP zion.trinitech.ltd.31095 > trinity.trinitech.ltd.fujitsu-dtcns: UDP, length 150
11:22:45.900777 IP zion.trinitech.ltd.31095 > trinity.trinitech.ltd.fujitsu-dtcns: UDP, length 142
11:22:45.901206 IP zion.trinitech.ltd.31095 > trinity.trinitech.ltd.fujitsu-dtcns: UDP, length 142
11:22:45.902542 IP zion.trinitech.ltd.31095 > trinity.trinitech.ltd.fujitsu-dtcns: UDP, length 142
...
^C
228 packets captured
228 packets received by filter
0 packets dropped by kernel
 

junovitch@

Daemon
Developer


sockstat on my jail shows no open socket from the jail IP (192.168.1.125) to port 1514 on the host.

I have to admit that I am really confused in interpreting these 2 lines from the FreeBSD host:
Code:
 7 ossec    ossec-agen 30245 7  udp4   192.168.1.125:53101   192.168.1.125:1514
11 ossec    ossec-agen 30229 7  udp4   192.168.1.125:34667   192.168.1.125:1514

Excellent stuff. This is helpful. So there is one additional line in the sockstat output on the host that is relevant here.

Code:
94 ossecr  ossec-remo 1139  4  udp4  *:1514  *:*

So let's step back and explain this. The connectionless nature of UDP makes it a bit odd when listening on * as shown above. I've got two examples to illustrate it. I have OpenVPN on my laptop that automatically starts with my laptop. When I am home, the VPN fails to connect with log messages about sending packets to X.X.X.X, where that is my public IP, because it received packets from 10.100.82.1, which is my default gateway. Unbound also gave me issues when using my VPN because I was querying my default gateway but the packets came back with a different return address. Both of these examples show how UDP behaves when you have a service listening on *, because the return packets just come back with the IP address of the "closest" interface.

So to put this into context here, the initial connection is 192.168.1.125 -> 192.168.1.185, but because the service on the host listens on all IPs, the connection gets established as 192.168.1.125 <-> 192.168.1.125 as shown in your first sockstat above.

This bit of difference between TCP and UDP is a bit strange at first. I'm wondering if something similar to my experience with DNS query errors and OpenVPN refusing to connect when it receives a packet from a different address than it sent to applies here as well. Can you try explicitly setting OSSEC remote to use the host IP and on all? The link below seems to indicate that there is a local_ip option that may get the effect I'm looking for.

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.remote.html

If you can give that a try and post the results of sockstat | grep ossec that would be helpful to validate that the connection is being made properly after the change. If you add a tcpdump, please use the -n flag to prevent hostnames from creeping in and making this more confusing to read.
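A quick way to validate the sockstat result junovitch is asking for, as an added example that is not part of the thread or of OSSEC itself: it parses `sockstat` lines (constructed here from the output above) and flags the two symptoms discussed, ossec-remoted bound to the wildcard address and agent sockets whose peer is not the host IP on port 1514.

```python
"""Check OSSEC agent/server UDP sockets in FreeBSD sockstat output.

Added example, not from the thread or the OSSEC project. The sample
lines below are constructed from the sockstat output posted above.
"""
import re

OSSEC_PORT = 1514

# Constructed sample: host view before <local_ip> was set. The agent's
# peer shows as the jail IP and ossec-remoted listens on *:1514.
BEFORE_FIX = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ossec    ossec-agen 30245 4  dgram  /queue/ossec/queue
ossec    ossec-agen 30245 7  udp4   192.168.1.125:53101   192.168.1.125:1514
ossecr   ossec-remo 1139  4  udp4   *:1514                *:*
www      hiawatha   1362  3  tcp4   192.168.1.125:80      *:*
"""
# Constructed sample: the expected picture once the server binds to the host IP.
AFTER_FIX = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ossec    ossec-agen 1340  7  udp4   192.168.1.125:36477   192.168.1.185:1514
ossecr   ossec-remo 1139  4  udp4   192.168.1.185:1514    *:*
"""

# USER COMMAND PID FD PROTO LOCAL FOREIGN; unix sockets have fewer fields.
SOCK_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(addr):
    """'192.168.1.185:1514' -> ('192.168.1.185', 1514); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_sockstat(text):
    """Return one dict per tcp/udp line; header and unix sockets are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if not m or not m.group(5).startswith(("tcp", "udp")):
            continue
        user, cmd, pid, fd, proto, local, foreign = m.groups()
        rows.append({"user": user, "cmd": cmd, "pid": int(pid), "proto": proto,
                     "local": split_addr(local), "foreign": split_addr(foreign)})
    return rows


def check_ossec(text, host_ip, port=OSSEC_PORT):
    """Return a list of findings; an empty list means the sockets look right."""
    findings = []
    for s in parse_sockstat(text):
        if not s["proto"].startswith("udp"):
            continue
        if s["cmd"].startswith("ossec-remo") and s["local"] != (host_ip, port):
            findings.append("ossec-remoted listens on %s:%s, not %s:%d (set <local_ip>)"
                            % (s["local"][0], s["local"][1], host_ip, port))
        elif s["cmd"].startswith("ossec-agen") and s["foreign"] != (host_ip, port):
            findings.append("agent pid %d talks to %s:%s instead of %s:%d"
                            % (s["pid"], s["foreign"][0], s["foreign"][1], host_ip, port))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_ossec(sample, "192.168.1.185") or ["OK"])
```

On a live system, feed it `sockstat -4 | grep ossec` instead of the constructed samples.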
 
OP
fred974

Daemon

Hi junovitch,

Sorry for the delay in the reply, but Christmas time is always busy here :)
I have changed my ossec-hids/etc/ossec.conf file to include the local_ip option:
Code:
<remote>
<connection>secure</connection>
<local_ip>192.168.1.185</local_ip>
<allowed-ips>192.168.1.125</allowed-ips>
</remote>
sockstat | grep ossec from the FreeBSD Host
Code:
root     ossec-sysc 1348  3  dgram  -> /queue/ossec/queue
root     ossec-sysc 1348  5  dgram  -> /queue/ossec/queue
root     ossec-logc 1344  4  dgram  -> /queue/ossec/queue
ossec    ossec-agen 1340  4  dgram  /queue/ossec/queue
ossec    ossec-agen 1340  7  udp4   192.168.1.125:36477   192.168.1.185:1514
ossec    ossec-agen 1340  8  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-exec 1336  4  dgram  /usr/local/ossec-hids/queue/alerts/execq
ossec    ossec-moni 1146  4  dgram  -> /queue/ossec/queue
root     ossec-sysc 1142  3  dgram  -> /queue/ossec/queue
root     ossec-sysc 1142  5  dgram  -> /queue/ossec/queue
ossecr   ossec-remo 1139  4  udp4   192.168.1.185:1514    *:*
ossecr   ossec-remo 1139  5  dgram  /queue/alerts/ar
ossecr   ossec-remo 1139  6  dgram  -> /queue/ossec/queue
root     ossec-logc 1133  4  dgram  -> /queue/ossec/queue
ossec    ossec-anal 1129  4  dgram  /queue/ossec/queue
ossec    ossec-anal 1129  8  dgram  -> /queue/alerts/ar
ossec    ossec-anal 1129  9  dgram  -> /usr/local/ossec-hids/queue/alerts/execq
root     ossec-exec 1125  4  dgram  /usr/local/ossec-hids/queue/alerts/execq
tcpdump -n -i lo0 from the FreeBSD Host
Code:
 1 09:03:25.099311 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  2 09:03:25.099533 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  3 09:03:25.099843 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  4 09:03:25.101583 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  5 09:03:25.103010 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
  6 09:03:25.126689 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  7 09:03:25.129072 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  8 09:03:25.147238 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
  9 09:03:25.147460 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
10 09:03:25.148052 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
11 09:03:25.148367 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
12 09:03:25.213193 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
13 09:03:25.213415 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
14 09:03:25.213733 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
15 09:03:25.214889 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
16 09:03:26.978349 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 494
17 09:03:27.340890 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
18 09:03:27.342940 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
19 09:03:27.343700 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
20 09:03:27.345197 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
21 09:03:27.346772 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
22 09:03:27.346979 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
23 09:03:27.347138 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
24 09:03:27.347877 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
25 09:03:27.348039 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
26 09:03:27.348199 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
27 09:03:27.348739 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
28 09:03:27.348985 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
29 09:03:27.351962 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
30 09:03:27.353299 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
31 09:03:27.353519 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
32 09:03:29.473814 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
33 09:03:29.474141 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
34 09:03:29.474454 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
35 09:03:29.474758 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
36 09:03:29.474935 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
37 09:03:29.476106 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
38 09:03:29.477807 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
39 09:03:29.478186 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
40 09:03:29.478634 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
41 09:03:29.479065 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
42 09:03:29.479408 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
43 09:03:29.479567 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
44 09:03:29.479727 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
45 09:03:29.480338 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
46 09:03:29.483512 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
47 09:03:31.612012 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
48 09:03:31.612408 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
49 09:03:31.612942 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
50 09:03:31.614238 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
51 09:03:31.614774 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
52 09:03:31.614977 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
53 09:03:31.615137 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
54 09:03:31.615359 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 134
55 09:03:31.615577 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
56 09:03:31.617665 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
57 09:03:31.617951 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142
58 09:03:31.618215 IP 192.168.1.125.55476 > 192.168.1.185.1514: UDP, length 142

From all the output above, am I right to assume that the communication between the jail and host is working as it should?
How can I see if data is sent to the database correctly?

SHOW TABLE STATUS FROM OSSEC;
Code:
+----------------------------+--------+---------+------------+------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+---------+
| Name                       | Engine | Version | Row_format | Rows | Avg_row_length | Data_length | Max_data_length | Index_length | Data_free | Auto_increment | Create_time         | Update_time | Check_time | Collation       | Checksum | Create_options | Comment |
+----------------------------+--------+---------+------------+------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+---------+
| agent                      | InnoDB |      10 | Compact    |    0 |              0 |       16384 |               0 |            0 |         0 |              1 | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| alert                      | InnoDB |      10 | Compact    |  197 |             83 |       16384 |               0 |        49152 |         0 |           NULL | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| category                   | InnoDB |      10 | Compact    |  130 |            126 |       16384 |               0 |        32768 |         0 |            131 | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| data                       | InnoDB |      10 | Compact    |    0 |              0 |       16384 |               0 |        16384 |         0 |           NULL | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| location                   | InnoDB |      10 | Compact    |   12 |           1365 |       16384 |               0 |            0 |         0 |             15 | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| server                     | InnoDB |      10 | Compact    |    0 |              0 |       16384 |               0 |        16384 |         0 |              2 | 2014-11-26 15:08:26 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| signature                  | InnoDB |      10 | Compact    |  952 |            103 |       98304 |               0 |        49152 |         0 |            953 | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
| signature_category_mapping | InnoDB |      10 | Compact    | 2134 |             46 |       98304 |               0 |            0 |         0 |           2135 | 2014-11-26 13:15:10 | NULL        | NULL       | utf8_general_ci |     NULL |                |         |
+----------------------------+--------+---------+------------+------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+---------+
8 rows in set (0.00 sec)
 

junovitch@

Daemon
Developer


It's still one-way traffic, but that would be normal if it is anything like normal syslog traffic. At this point the setup should allow everything to talk properly. I would suggest triggering an event and making sure it propagates. There is probably a MySQL query you can do to view an event after it is inserted, or a log you can run a tail -f <log_name_here> on as you trigger an event.
 