I was getting those messages and fixed the problem by verifying the entry for the client key in the client.keys file on the server and the agent to ensure that they matched. I had one letter off of what was expected.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of gentuxx
Sent: Thursday, August 24, 2006 11:23 AM
To: [email protected]
Subject: [ossec-list] Re: ossec-remoted misreporting

gentuxx wrote:
> Hi all,
>
> I've got one agent that is being reported as not allowed by
> ossec-remoted on the server. It is whitelisted in the server config.
>
> Any ideas on why this might be happening and/or how to troubleshoot it?
>

Sorry for the repeated self-posts..... Now, I'm getting the following entries in ossec.log:

2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1406): Checksum mismatch on message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:52 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.

Since the comms between server and agent are encrypted, sniffing the traffic won't work. The only thing I can think of is that the agent is a SPARC system and the server is x86. Would this make any difference in terms of "endian-ness" or anything like that? (IIRC SPARC's are big-endian and x86's are little-endian.) Both are running gentoo linux and ossec-0.9-1.

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
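
The check described in the reply at the top of this thread (comparing the agent's client.keys entry on the server and on the agent), as an added example that is not part of the original messages or OSSEC's own code. It assumes each client.keys line has the layout `<id> <name> <ip> <key>`; the function names, agent names and key values are constructed for illustration, and keys are reported only as short SHA-256 fingerprints so the secret never lands in a terminal or ticket.

```python
import hashlib

def parse_client_keys(text):
    """Parse client.keys text into {agent_id: (name, ip, key)}.
    Assumed layout per line: '<id> <name> <ip> <key>'."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()          # also drops stray CR / trailing spaces
        if not parts:
            continue                 # skip blank lines
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, ip, key = parts
        entries[agent_id] = (name, ip, key)
    return entries

def fingerprint(key):
    """Short SHA-256 digest: lets two keys be compared without printing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def compare_agent_entry(server_text, agent_text):
    """List every field of the agent's entry that differs from the server's copy."""
    server = parse_client_keys(server_text)
    problems = []
    for agent_id, (name, ip, key) in parse_client_keys(agent_text).items():
        if agent_id not in server:
            problems.append(f"id {agent_id}: not present on server")
            continue
        s_name, s_ip, s_key = server[agent_id]
        if name != s_name:
            problems.append(f"id {agent_id}: name {name!r} != {s_name!r}")
        if ip != s_ip:
            problems.append(f"id {agent_id}: ip {ip} != {s_ip}")
        if key != s_key:
            problems.append(f"id {agent_id}: key differs (agent "
                            f"{fingerprint(key)}, server {fingerprint(s_key)})")
    return problems

# Constructed sample data: the agent's copy has one wrong character in the key
# (letter 'O' where the server has digit '0').
SERVER_KEYS = ("001 web01 192.168.0.10 5c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f\n"
               "002 sparc01 192.168.0.200 a1b2c3d4e5f60718293a4b5c6d7e8f90\n")
AGENT_KEYS = "002 sparc01 192.168.0.200 a1b2c3d4e5f60718293a4b5c6d7e8f9O\n"

if __name__ == "__main__":
    for problem in compare_agent_entry(SERVER_KEYS, AGENT_KEYS):
        print(problem)
```
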
