I've figured out a few things but have not been led to a final conclusion, 
yet.

I can "turn" these messages on and off by enabling and disabling database 
logging. When I have $ossec/bin/ossec-control enable database - I get the 
error log messages and all the agents go offline, but when I shut DB logging 
off, they start to work.

This could be something special with just my setup or perhaps not many folks 
use the MySQL database features... not sure, but more testing is needed...

//Clint


----- Original Message ----- 
From: "Clint Alexander" <[email protected]>
To: <[email protected]>
Sent: Sunday, August 02, 2009 5:17 PM
Subject: [ossec-list] v5.1.1: WARN msg not allowed, Incorrectly formated, 
and Duplicate counters?


>
> I confirmed that each key was unique; the agent even prompted the
> information (name, ip, id) from the server to confirm and it was correct.
> So this isn't likely to be the issue.
>
> Could the order in which services are stopped and started be an issue?
>
> I go and add the keys to each agent, restarting each agent as I finish it;
> and then once all agents are completed, I restart the server. Should this
> be done differently?
>
>
> //Clint
>
> ----- Original Message ----- 
> From: "Daniel Cid" <[email protected]>
> To: <[email protected]>
> Sent: Thursday, July 30, 2009 4:24 PM
> Subject: [ossec-list] Re: v5.1.1: WARN msg not allowed, Incorrectly
> formated, and Duplicate counters?
>
>
>
> Hi Clint,
>
> These errors are related to one key being assigned to more than one
> agent. When you do it, you will have these duplicated counters, errors
> uncompressing (since it wasn't able to decrypt properly), etc.
>
> I would suggest stopping ossec and re-creating the keys. One by one,
> you go adding new keys to the agents, making sure each key you create
> is only used once.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
>
> On Sat, Jul 25, 2009 at 12:02 PM, Clint Alexander<[email protected]>
> wrote:
>> After a clean vanilla installation of v5.1.1 with 23 agents, I'm getting
>> spammed in the server logs with:
>>
>> ossec-remoted(1403): ERROR: Incorrectly formated message from 'ip.address.of.agent'.
>>
>> --------------------------------
>> I'm also seeing a lot of:
>>
>> ossec-remoted(1213): WARN: Message from ip.addr.of.agent not allowed.
>>
>> --------------------------------
>> Every once in a while I see:
>>
>> ossec-remoted(2202): ERROR: Error uncompressing string.
>>
>> --------------------------------
>> Out of the 23 agents, 14 of them show as 'never connected' and in the
>> logs of the agents we have:
>>
>> ossec-agentd(1407): ERROR: Duplicated counter for 'HOSTNAME'
>> ossec-agentd(1214): WARN: Problem receiving message from 'ip.of.server'
>> ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ip.of.server'
>>
>> --------------------------------
>>
>> Some of the agents that do connect end up disconnecting at some point and
>> it requires a restart of the ossec server before I see them online again
>> (and sometimes they don't come back online)
>>
>>
>> There are no firewalls between the agents and server and I'm running a
>> mix of CentOS 5 and Redhat Ent 4 & 5 servers; primarily in x86_64 (64bit
>> libs) but a few in i386 (32bit libs).
>>
>> I've looked through the wiki category for errors:
>> http://www.ossec.net/wiki/index.php/Errors:1403
>> (there is no description page for 1213, 1214, or 4101)
>> http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
>>
>> None of the suggestions work.
>>
>>
>> I've reinstalled agents, the server, recreated/reassigned keys, restarted
>> the services 100xs; stood on my left leg, then my right, faced north,
>> then east, prayed to the Bit-God, did a raindance -- all to no avail.
>>
>> Is there anyone that has had these problems and found a solution?
>>
>> //Clint
>>
> 
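
Daniel's reply in the thread above ties these errors to one key being assigned to more than one agent. The following is an added example, not part of the original thread and not OSSEC's own code: it parses a server-side keys file and reports agent IDs, names or keys that appear on more than one line. The four-field "id name ip key" layout, the sample data and the function names are assumptions.

```python
import hashlib
import sys
from collections import defaultdict

# Constructed sample in the assumed layout "<id> <name> <ip> <key>" (not real keys).
SAMPLE = """\
001 web01 10.0.0.11 aaaa1111
002 web02 10.0.0.12 bbbb2222
003 db01 10.0.0.13 aaaa1111
002 mail01 10.0.0.14 cccc3333
004 web01 10.0.0.15 dddd4444
truncated-line
"""

def parse_keys(text):
    """Return (entries, malformed): entries are (lineno, id, name, ip, key) tuples."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # blank line
        if len(parts) != 4:
            malformed.append(lineno)  # wrong field count: report it, don't guess
            continue
        entries.append((lineno, *parts))
    return entries, malformed

def find_duplicates(entries):
    """Return {field: {value: [line numbers]}} for ids, names and keys used more than once."""
    seen = {"id": defaultdict(list), "name": defaultdict(list), "key": defaultdict(list)}
    for lineno, agent_id, name, _ip, key in entries:
        # Report a short fingerprint so the secret key never lands in output or tickets.
        fingerprint = hashlib.sha256(key.encode()).hexdigest()[:12]
        seen["id"][agent_id].append(lineno)
        seen["name"][name].append(lineno)
        seen["key"][fingerprint].append(lineno)
    return {f: {v: ls for v, ls in vals.items() if len(ls) > 1} for f, vals in seen.items()}

def main(argv):
    # With no argument the constructed SAMPLE is checked; otherwise argv[1] is the keys file.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    entries, malformed = parse_keys(text)
    dups = find_duplicates(entries)
    for lineno in malformed:
        print(f"line {lineno}: malformed entry")
    for field, values in dups.items():
        for value, lines in values.items():
            print(f"duplicate {field} {value}: lines {lines}")
    return 1 if malformed or any(dups.values()) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the server's keys file before and after re-issuing keys; a non-zero exit status means at least one malformed line or shared value was found.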
