Frank,

Thank you for your offer to help me offline; however, you pointed me in the right direction and I was able to get the hosts working. I think what happened was when I installed ossec I started ossec before importing the key, at least that is my theory. To fix the problem I stopped ossec on the agent and added the key again. Once I started ossec back up the agent connected without any problems. Thanks again for steering me in the right direction.

Best Wishes,
Chris

On Thu, Aug 27, 2009 at 2:07 PM, nine 13 tech <[email protected]> wrote:

> It has been my limited experience that it does have to do with keys.
> I solved this problem by taking a copy of the key file and using that
> to enter the data into the agents, or placing the key file on the
> client and removing everything in the file that is not for that client
> (since those files are supposed to be identical formats).
> Take a box and attempt to replicate the issue. I have also seen UTF8
> vs ASCII encoding in the text file transport for the key garble it,
> making an incorrectly formatted string that would not connect to the
> server.
>
> Please feel free to contact me offline if you want some live help.
> Unfortunately I will not have much time until Monday afternoon or
> Tuesday.
>
> On Aug 27, 1:17 pm, Chris Henderson <[email protected]> wrote:
> > Frank,
> > From the agent's log I see the following:
> >
> > 009/08/27 12:02:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x'.
> >
> > From the server log I see the following:
> >
> > 2009/08/27 12:08:06 ossec-remoted(1403): ERROR: Incorrectly formated message from 'x.x.x.x'.
> >
> > I also used netcat between the two servers to make sure they can communicate
> > with each other using UDP 1514; each host was able to do so. I've been
> > tailing the server log file for a while now and it looks like all of the
> > agents that are not showing up are getting the "incorrectly formatted
> > message". Does this error have to do with the keys?
> >
> > Thanks,
> >
> > Chris
> >
> > On Wed, Aug 26, 2009 at 2:01 PM, nine 13 tech <[email protected]> wrote:
> >
> > > Chris,
> > > Have you checked the logs on the clients? There you might see
> > > something similar to:
> > > [WARN]trying to connect to <ip of OSSEC server>
> > > It has been my experience that there are just a few reasons why these
> > > agents will not connect.
> > > 1. the registered IP of the agent is not the IP that the server sees. To
> > > find this - initiate a session or error that would log on the server
> > > in /var/log/messages etc. or if there is the internet between the
> > > client and server hit whatsmyip.org to verify.
> > > 2. a firewall is blocking (you've already checked)
> > > 3. the key was garbled - you will see errors in /var/ossec/logs/ossec.log
> > > 4. the agent is not started on the client (oops, did that once)
> > >
> > > If you can, can you please post the client logs from one of the non
> > > connecting machines (please remember to obfuscate IP addresses)
> > > Frank Moss
> > > nine 13 tech
> > >
> > > On Aug 25, 1:28 pm, Chris Henderson <[email protected]> wrote:
> > > > Hey All,
> > > >
> > > > In recent weeks I have added and removed several OSSEC agents and I
> > > > just noticed that none of the new agents are showing up in the OSSEC-WUI
> > > > under "Available Agents", and I'm not receiving notifications or
> > > > any alerts for the new hosts. If I run list_agents -a or -c it lists
> > > > the agents that currently show up in the WUI which total 12 servers.
> > > > If I do manage_agents and list the servers there are over 40
> > > > servers listed. I've set the agents up and extracted the keys, I've
> > > > also made sure the agents can get to the OSSEC server, as well as
> > > > making sure iptables isn't blocking the agent and server. I have even
> > > > restarted the OSSEC server. Any suggestions on why none of the new
> > > > hosts are being monitored?
> > > >
> > > > Thanks,
> > > >
> > > > Chris
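
An added example, not part of the original thread and not OSSEC's own code: a pre-flight check for the key-file problems discussed above (encoding damage in transit, and leftover entries for other agents), run against the raw bytes of an agent's key file before starting the agent. The four-field "ID NAME IP KEY" line layout, the function name and the sample entry are assumptions made for this sketch.

```python
import codecs

# Assumption (not stated in the thread): each client.keys entry is one line
# of four space-separated ASCII fields, "ID NAME IP KEY".
BOMS = {codecs.BOM_UTF8: "UTF-8", codecs.BOM_UTF16_LE: "UTF-16 LE",
        codecs.BOM_UTF16_BE: "UTF-16 BE"}

# Constructed sample entry; the key is a placeholder, not a real agent key.
GOOD = b"001 web01 192.0.2.10 " + b"0123456789abcdef" * 4 + b"\n"


def check_client_keys(data, on_agent=True):
    """Return a list of problems found in the raw bytes of a key file."""
    problems = []
    for bom, name in BOMS.items():
        if data.startswith(bom):
            problems.append(f"file starts with a {name} BOM")
    if b"\x00" in data:
        problems.append("NUL bytes present (file is probably UTF-16)")
    if b"\r" in data:
        problems.append("carriage returns present (CRLF line endings)")
    entries = 0
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line.strip():
            continue  # blank line or trailing newline
        entries += 1
        # Anything outside printable ASCII means the text was re-encoded.
        if any(b < 0x20 or b > 0x7E for b in line):
            problems.append(f"line {lineno}: non-ASCII or control bytes")
            continue
        fields = line.decode("ascii").split(" ")
        if len(fields) != 4 or "" in fields:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
        elif not fields[0].isdigit():
            problems.append(f"line {lineno}: agent ID {fields[0]!r} is not numeric")
    # Per the advice in the thread, an agent's copy holds only its own entry.
    if on_agent and entries != 1:
        problems.append(f"{entries} entries found; an agent should hold only its own entry")
    return problems


if __name__ == "__main__":
    # A key that picked up a UTF-8 BOM when saved by a text editor.
    for problem in check_client_keys(codecs.BOM_UTF8 + GOOD):
        print(problem)
```

Pass `on_agent=False` when checking the server's copy, which legitimately holds one entry per agent.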
