Hi Cal,

Try disabling counters. They lose synchronisation specially when agents are 
Edit /var/ossec/etc/internal_options.conf and set 
"remoted.verify_msg_id=0", both agent & manager.

Enable debug mode on both hosts, open internal_options and set debug to 
level 2 (specially in remoted.debug variable).

Sometimes the problem could be related with NAT, try adding the agent with 
"any" option and test if it works (use manage_agent and when prompting for 
IP enter "any").

Open etc/client.keys on OSSEC Manager (be careful! this file is critical) 
and remove duplicated entries, the agent will fail to connect if there is 
more than one entry with the same IP.

Hope it helps,

best regards,

Pedro S.

On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote:
> Hi all,
> Been debugging an issue for a few hours, thought I'd ask for another 
> opinion.
> The situation:
> I have an OSSEC server with approximately 70 agents connected and 15 or so 
> that won't connect.
> Tested so far:
> Tcpdump shows UDP packets from both OSSEC agents and server (running on 
> non-standard port 1520)
> Traceroute from agent to server and other direction, no problem
> Can ping the server from agent
> Can ping the agent from server
> Ex:
> server:
> 15:51:00.135367 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73
> agent:
> 15:51:00.135916 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73
> I've tried re-adding the keys to agents several times. Enabled debugging 
> on server, but only noted logs are from the agent:
> 2016/08/02 15:56:39 ossec-agentd: INFO: Trying to connect to server 
> (172.28.29.XX:1520).
> 2016/08/02 15:56:39 ossec-agentd: INFO: Using IPv4 for: 172.28.29.XX
> Any ideas where to look next? I've also tried removing the agents, 
> re-adding, re-installing, etc.
> Thank you!


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to