Marty E. Hillman wrote:
> I was getting those messages and fixed the problem by verifying the
> entry for the client key in the client.keys file on the server and the
> agent to ensure that they matched. I had one letter off of what was
> expected.
>

I verified that the key was correct. Even removed the agent and re-added it. Still got the same message. Then I realized that the agent was running 0.9, while the server was 0.9-1; I thought that might have been it. So I upgraded the agent, and I still get the messages.

Daniel (or anyone else), is there any way I can make the client talk to the server in the clear (syslog?)? This might help in troubleshooting the comms between this particular client and the server. If not, maybe that could be a feature request: set communications to be encrypted by default, but set an XML attribute in the config, or something, to allow a particular agent to talk in the clear to the server so problems like this could be troubleshot effectively. Let me know, and I'll add the bug, if necessary.

> > -----Original Message-----
> > From: [email protected] [mailto:[EMAIL PROTECTED]
> > On Behalf Of gentuxx
> > Sent: Thursday, August 24, 2006 11:23 AM
> > To: [email protected]
> > Subject: [ossec-list] Re: ossec-remoted misreporting
> >
> > gentuxx wrote:
> >>> Hi all,
> >>>
> >>> I've got one agent that is being reported as not allowed by
> >>> ossec-remoted on the server. It is whitelisted in the server config.
> >>>
> >>> Any ideas on why this might be happening and/or how to troubleshoot it?
> >
> > Sorry for the repeated self-posts.....
> >
> > Now, I'm getting the following entries in ossec.log:
> >
> > 2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
> > 2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
> > [...snip extra log messages...]
> >
> > Since the comms between server and agent are encrypted, sniffing the
> > traffic won't work. The only thing I can think of is that the agent is
> > a SPARC system and the server is x86. Would this make any difference in
> > terms of "endian-ness" or anything like that? (IIRC SPARCs are
> > big-endian and x86s are little-endian.)
> >
> > Both are running gentoo linux and ossec-0.9-1.

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
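The thread's two troubleshooting leads are (a) Marty's observation that a single wrong character in the client.keys entry on either side is enough to produce these errors, and (b) the `Incorrectly formated message from '<ip>'` lines that ossec-remoted writes to ossec.log. The script below is an added example written for this thread, not OSSEC project code: it parses the server-side and agent-side client.keys (OSSEC's documented `<id> <name> <ip> <key>` line format), reports exactly where two keys diverge, counts the remoted log lines per source address, and joins the two so an operator can see which complaining address also has a bad key entry. The client.keys contents and the extra log line for 192.168.0.77 are constructed sample data; the two log lines for 192.168.0.200 are taken from the thread. The join logic is my own heuristic, not an OSSEC feature.

```python
"""Cross-check OSSEC client.keys entries against ossec-remoted log complaints.

Added example for this thread, not part of OSSEC.  client.keys lines are
"<id> <name> <ip> <key>"; the log pattern is the one quoted in the thread.
All key material and the 192.168.0.77 log line below are constructed.
"""
import re
from collections import Counter

# client.keys: one agent per line, whitespace separated (constructed values).
SERVER_CLIENT_KEYS = "001 sparcbox 192.168.0.200 3f9a1b2c4d5e6f708192a3b4c5d6e7f8\n"
# Same agent as copied onto the agent host; last character differs (Marty's case).
AGENT_CLIENT_KEYS = "001 sparcbox 192.168.0.200 3f9a1b2c4d5e6f708192a3b4c5d6e7f9\n"

# Two lines from the thread plus one constructed line for an unknown address.
OSSEC_LOG = """\
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:19:49 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'.
2006/08/24 09:20:02 ossec-remoted(1403): Incorrectly formated message from '192.168.0.77'.
"""

KEYS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
REMOTED_RE = re.compile(
    r"ossec-remoted\(\d+\): Incorrectly formated message from '([^']+)'\."
)


def parse_client_keys(text):
    """Return {agent_id: (name, ip, key)}; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEYS_RE.match(line)
        if not m:
            raise ValueError(f"malformed client.keys line: {line!r}")
        agent_id, name, ip, key = m.groups()
        entries[agent_id] = (name, ip, key)
    return entries


def key_differences(server_key, agent_key):
    """Offsets at which two equal-length keys differ; None if lengths differ."""
    if len(server_key) != len(agent_key):
        return None
    return [i for i, (a, b) in enumerate(zip(server_key, agent_key)) if a != b]


def compare_keys(server_text, agent_text):
    """Per-agent verdict comparing the agent's copy against the server's."""
    server = parse_client_keys(server_text)
    agent = parse_client_keys(agent_text)
    report = {}
    for agent_id, (a_name, a_ip, a_key) in agent.items():
        if agent_id not in server:
            report[agent_id] = "missing on server"
            continue
        s_name, s_ip, s_key = server[agent_id]
        if s_ip != a_ip:
            report[agent_id] = f"ip mismatch: server={s_ip} agent={a_ip}"
        elif s_key != a_key:
            diff = key_differences(s_key, a_key)
            report[agent_id] = (
                "key length mismatch" if diff is None else f"key differs at offsets {diff}"
            )
        else:
            report[agent_id] = "ok"
    return report


def count_bad_messages(log_text):
    """Count 'Incorrectly formated message' lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REMOTED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def suspects(server_text, agent_text, log_text):
    """Map each complaining address to (count, verdict for its client.keys entry)."""
    report = compare_keys(server_text, agent_text)
    agent_by_ip = {ip: aid for aid, (_, ip, _) in parse_client_keys(agent_text).items()}
    return {
        ip: (n, report.get(agent_by_ip.get(ip), "no client.keys entry for this ip"))
        for ip, n in count_bad_messages(log_text).items()
    }


if __name__ == "__main__":
    for ip, (n, verdict) in suspects(SERVER_CLIENT_KEYS, AGENT_CLIENT_KEYS, OSSEC_LOG).items():
        print(f"{ip}: {n} bad message(s); {verdict}")
```

Run it with the real files (`/var/ossec/etc/client.keys` from each host and the server's `ossec.log`) in place of the constructed strings; an address that appears in the log with a non-`ok` verdict is the one to fix first, and an address with no entry at all points at a host that is not enrolled rather than a key typo.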
