While I believe ossec::server worked like a charm for my server, I’m seeing the following for clients when using ossec::client:
2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
I verified the client can access the server, as the server has the client’s key in /var/ossec/etc/client.keys.
Any ideas?
Hi Clif!
On Nov 22, 2011, at 7:17 PM, Clif Smith wrote:
> While I believe ossec::server worked like a charm for my server, I'm seeing the following for clients when using ossec::client:
> 2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
> 2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> I verified the client can access the server, as the server has the client's key in /var/ossec/etc/client.keys.
> Any ideas?
It looks like ossec really wants the agents to exist in /var/ossec/etc/client.keys. Currently, only the server recipe is managing this, with the ossec-batch-manager.pl script. You'll need to rerun chef-client on the server after ossec is up on the clients, and restart the ossec daemons on the client(s). I don't know off-hand a great way to coordinate and handle this, yet.
I created http://tickets.opscode.com/browse/COOK-846 for tracking this.
--
Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman
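One way to read the agent log posted in this thread, as an added example that is not part of the original messages or the cookbook: it picks out the first daemon that logged an exit and groups the later queue errors under it. Treating those queue errors as downstream of the ossec-agentd exit is an assumption of this example, the function names are hypothetical, and the sample is a subset of the log lines from the thread.

```python
import re

# Sample input: a subset of the agent log lines quoted in the thread.
SAMPLE_LOG = """\
2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856).
2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# timestamp, daemon name, optional numeric message code, level, message text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<daemon>[\w-]+)"
    r"(?:\((?P<code>\d+)\))?: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

def parse(log_text):
    """Return one dict per well-formed log line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def triage(log_text):
    """Separate the first daemon that exited from the queue errors after it."""
    errors = [e for e in parse(log_text) if e["level"] == "ERROR"]
    root = next((e for e in errors if e["msg"].endswith("Exiting.")), None)
    # Assumption: queue errors logged at or after the exit are downstream of it.
    downstream = [
        e for e in errors
        if "queue" in e["msg"].lower() and (root is None or e["ts"] >= root["ts"])
    ]
    return {
        "root_daemon": root["daemon"] if root else None,
        "root_code": root["code"] if root else None,
        "root_msg": root["msg"] if root else None,
        "downstream_daemons": sorted({e["daemon"] for e in downstream}),
        # 1211 is the code on the "Giving up" lines in the posted log.
        "gave_up": sorted({e["daemon"] for e in downstream if e["code"] == "1211"}),
        "downstream_lines": len(downstream),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```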
Thanks for the reply! I tried adding the code from the ticket for the client but it appears to create another key which conflicts with the key the server creates?
On Nov 23, 2011, at 1:19 PM, Joshua Timberman wrote: