Hi Cal.

As you can see, when an agent connects successfully, the server answers it 
with a UDP message from server:1520 —in your case— to the agent. Usually 
the server prints an error into the log when it receives a bad message 
(unauthorized key, counter error, incorrectly formatted message...) so 
maybe the message couldn't return back to the agent. 

Please check that every message generated by the server is arriving at the 
agent. If it isn't, you may have a network problem. If you don't find such 
messages, please write back to us and copy the remoted log.

Hope it helps.
Kind regards.



On Friday, August 5, 2016 at 2:53:39 PM UTC-7, Cal wrote:
>
> Pedro,
>
> Maybe I spoke too soon. It worked for most of the agents, but I have a few 
> stubborn ones having the same issues. I tried the steps you outlined earlier 
> that worked on the other agents, but not on these. Any other ideas for 
> something I could be missing? Thanks again!
>
>
> On Wednesday, August 3, 2016 at 1:48:40 PM UTC-4, Cal wrote:
>>
>> Pedro,
>>
>> Awesome! Your method worked flawlessly. Thanks!
>>
>> Cal
>>
>> On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote:
>>>
>>> Hi Cal,
>>>
>>>
>>> Try disabling counters. They lose synchronisation, especially when agents 
>>> are reinstalled.
>>> Edit /var/ossec/etc/internal_options.conf and set 
>>> "remoted.verify_msg_id=0", both agent & manager.
>>>
>>> Enable debug mode on both hosts, open internal_options and set debug to 
>>> level 2 (especially in remoted.debug variable).
>>>
>>> Sometimes the problem could be related to NAT, try adding the agent 
>>> with "any" option and test if it works (use manage_agent and when prompting 
>>> for IP enter "any").
>>>
>>> Open etc/client.keys on OSSEC Manager (be careful! this file is 
>>> critical) and remove duplicated entries, the agent will fail to connect if 
>>> there is more than one entry with the same IP.
>>>
>>> Hope it helps,
>>>
>>> best regards,
>>>
>>> Pedro S.
>>>
>>>
>>>
>>> On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Been debugging an issue for a few hours, thought I'd ask for another 
>>>> opinion.
>>>>
>>>> The situation:
>>>> I have an OSSEC server with approximately 70 agents connected and 15 or 
>>>> so that won't connect.
>>>>
>>>> Tested so far:
>>>> Tcpdump shows UDP packets from both OSSEC agents and server (running on 
>>>> non-standard port 1520)
>>>> Traceroute from agent to server and other direction, no problem
>>>> Can ping the server from agent
>>>> Can ping the agent from server
>>>>
>>>> Ex:
>>>> server:
>>>> 15:51:00.135367 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 
>>>> 73
>>>>
>>>> agent:
>>>> 15:51:00.135916 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 
>>>> 73
>>>>
>>>> I've tried re-adding the keys to agents several times. Enabled 
>>>> debugging on server, but only noted logs are from the agent:
>>>> 2016/08/02 15:56:39 ossec-agentd: INFO: Trying to connect to server 
>>>> (172.28.29.XX:1520).
>>>> 2016/08/02 15:56:39 ossec-agentd: INFO: Using IPv4 for: 172.28.29.XX
>>>>
>>>> Any ideas where to look next? I've also tried removing the agents, 
>>>> re-adding, re-installing, etc.
>>>>
>>>> Thank you!
>>>>
>>>
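
The duplicate-entry check Pedro describes for client.keys can be done read-only before editing the file. This is an added example, not part of the thread or of OSSEC itself; it assumes the usual `ID NAME IP KEY` line layout, treats "any" as allowed to repeat, and assumes removed agents are marked by a `!` or `#` prefix on the name. The sample entries and the function names are constructed.

```python
import ipaddress
import sys
from collections import defaultdict

# Constructed sample, one "ID NAME IP KEY" entry per line; keys are placeholders.
SAMPLE = """\
001 web01 172.28.156.10 PLACEHOLDERKEY1
002 db01 172.28.156.11 PLACEHOLDERKEY2
003 web01-reinstalled 172.28.156.10 PLACEHOLDERKEY3
004 laptop-a any PLACEHOLDERKEY4
005 laptop-b any PLACEHOLDERKEY5
006 !old-host 172.28.156.11 PLACEHOLDERKEY6
"""


def active_entries(text):
    """Yield (line_no, agent_id, name, ip); the key field is never returned."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        agent_id, name, ip, _key = fields
        if name.startswith(("!", "#")):
            continue  # assumption: a removed agent keeps its line with a marked name
        yield line_no, agent_id, name, ip


def normalise(ip):
    """Canonical address text, or None for "any" (which may repeat)."""
    if ip.lower() == "any":
        return None
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return ip  # CIDR or other form: compare as written


def find_duplicate_ips(text):
    """Map each IP used by more than one active entry to its entries."""
    by_ip = defaultdict(list)
    for line_no, agent_id, name, ip in active_entries(text):
        key = normalise(ip)
        if key is not None:
            by_ip[key].append((line_no, agent_id, name))
    return {ip: rows for ip, rows in by_ip.items() if len(rows) > 1}


if __name__ == "__main__":
    # First argument: path to client.keys; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ip, rows in find_duplicate_ips(text).items():
        print(ip, "->", ", ".join(f"line {n} id {i} ({name})" for n, i, name in rows))
```

The script only reads the file and never prints key material, so it can be run on the manager against /var/ossec/etc/client.keys before any manual edit.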
