After a clean vanilla installation of v5.1.1 with 23 agents, I'm getting spammed in the server logs with:
ossec-remoted(1403): ERROR: Incorrectly formated message from 'ip.address.of.agent'. -------------------------------- I'm also seeing a lot of: ossec-remoted(1213): WARN: Message from ip.addr.of.agent not allowed. -------------------------------- Every once in a while I see: ossec-remoted(2202): ERROR: Error uncompressing string. -------------------------------- Out of the 23 agents, 14 of them show as 'never connected' and in the logs of the agents we have: ossec-agentd(1407): ERROR: Duplicated counter for 'HOSTNAME' ossec-agentd(1214): WARN: Problem receiving message from 'ip.of.server' ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ip.of.server' -------------------------------- Some of the agents that do connect end up disconnecting at some point and it requires a restart of the ossec server before I see them online again (and sometimes they don't come back online) There are no firewalls between the agents and server and I'm running a mix of CentOS 5 and Redhat Ent 4 & 5 servers; primarily in x86_64 (64bit libs) but a few in i386 (32bit libs). I've looked through the wiki category for errors: http://www.ossec.net/wiki/index.php/Errors:1403 (there is no description page for 1213, 1214, or 4101) http://www.ossec.net/wiki/index.php/Errors:AgentCommunication None of the suggestions work. I've reinstalled agents, the server, recreated/reassigned keys, restarted the services 100xs; stood on my left leg, then my right, faced north, then east, prayed to the Bit-God, did a raindance -- all to no avail. Is there anyone that has had these problems and found a solution? //Clint
