Hey Trevor, I just had the same issue and resolved it with these steps:
-stop the agent and delete all files in the rids directory on that agent -delete the file associated with that agent ID in the rids directory on the server cheers, cnk On Thu, Jun 25, 2009 at 12:20 PM, tm<[email protected]> wrote: > > Hello, > > We are currently running an OSSEC pilot in a department at a > university . Our environment consists of Mac, RHE, Solaris, SuSE and > Windows hosts. > > The biggest issue we face in using OSSEC is reinstalling agents > because their hosts have had to have their operating systems > reinstalled. This happens frequently in our environment. Whenever we > try to reinstall the OSSEC agent, getting it to communicate with the > server using the same key has been problematic. > > We have learned how to set up the agent's client.keys file using the > entry in the server's client.keys file. However, we are unsure of how > to reinitialize the counters for that agent in the agent's /var/ossec/ > queue/rids directory and the server's /var/ossec/queue/rids directory. > > Because of the sheer number of potential agents in our environment we > don't want to use manage_agents to remove agents and recreate them in > coordination with the reinstallation of the OS on the agent. This > results in a new ID and a new key. We would rather use the same ID > and key for the agent once the OS has been reinstalled on the agent. > Also, using manage_agents is difficult to use in an environment where > we currently automate the reinstallation of the OS on the host. We'd > like to include the agent reinstallation as part of the automation > process. > > Can anyone explain how the counters work in the /var/ossec/queue/rids > directory on both the server and agent? A counter seems to be of the > format x:y: where x is something called the global counter and y is > something called the local counter (according to the source code). If > we reinstall an OSSEC agent, push out the key from the server's > client.keys file, what do we do with the counters in the /var/ossec/ > queue/rids directory on the server and agent in order to allow them to > communicate again? > > Cheers! > Trevor > > > >
