我已经在一台服务器上安装了 Ossec,并在 Redhat 上运行的其他一些服务器上安装了代理。问题是,一些服务器能够通信并将日志发送到服务器,而其他服务器则处于 INACTIVE 状态,即使我已经导入了安全密钥。
2013/02/23 15:34:34 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:38:30 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:38:30 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:38:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:43:05 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:43:05 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:43:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:47:58 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:47:58 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:48:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:53:09 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:53:09 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:53:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:58:38 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:58:38 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:58:59 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'
我咨询了安全团队,他们说主机和代理之间有防火墙。他们在服务器上启用了端口 514 UDP。但代理仍然无法与服务器通信
[emerg@Monit ~]$ netstat -panu
(No info could be read for "-p": geteuid()=1344 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:32769 0.0.0.0:* -
udp 0 0 0.0.0.0:514 0.0.0.0:* -
udp 0 0 0.0.0.0:10000 0.0.0.0:* -
udp 0 0 0.0.0.0:657 0.0.0.0:* -
udp 0 0 0.0.0.0:660 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:1514 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 10.1.1.109:123 0.0.0.0:* -
udp 0 0 192.168.109.1:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp 0 0 :::32771 :::* -
udp 0 0 :::5353 :::* -
udp 0 0 fe80::21e:c9ff:fee0:123 :::* -
udp 0 0 fe80::21e:c9ff:fee0:123 :::* -
udp 0 0 ::1:123 :::* -
udp 0 0 :::123 :::*
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>systems@advancedoperations.com</email_to>
<smtp_server>10.171.1.10</smtp_server>
<email_from>ossec.osl@advancedoperations.com</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
"ossec.conf" 162L, 5585C
13M 3734M ACCEPT udp -- * * 0.0.0.0/0 192.168.9.1 multiport dports 123,514
小智 1
如果您假设防火墙阻止了两者,则可以在命令行上测试连接:
netcat -u servername 1514
现在,如果您输入一些文本,您应该在 OSSEC 服务器端找到如下日志消息:
less /var/ossec/logs/ossec.log
2014/02/14 17:54:07 ossec-remoted(1403): ERROR: Incorrectly formated message from 'nn.nn.nn.nnn'.
如您所见,我使用 OSSEC 默认端口 1514 进行通信。那么,您确定使用的是端口 514 吗?
有关如何调试 OSSEC 连接的分步说明,您可以查看我的博客如何调试 OSSEC 连接。