I'm glad I could help.

Frank
On Sep 2, 2:59 pm, Chris Henderson <[email protected]> wrote:
> Frank,
>
> Thank you for your offer to help me offline, however, you pointed me in the right direction and I was able to get the hosts working. I think what happened was when I installed ossec I started ossec before importing the key, at least that is my theory. To fix the problem I stopped ossec on the agent and added the key again. Once I started ossec back up the agent connected without any problems. Thanks again for steering me in the right direction.
>
> Best Wishes,
>
> Chris
>
> On Thu, Aug 27, 2009 at 2:07 PM, nine 13 tech <[email protected]> wrote:
> > It has been my limited experience that it does have to do with keys. I solved this problem by taking a copy of the key file and using that to enter the data into the agents, or placing the key file on the client and removing everything in the file that is not for that client (since those files are supposed to be identical formats). Take a box and attempt to replicate the issue. I have also seen UTF8 vs ASCII encoding in the text file transport for the key garble it, making an incorrectly formatted string that would not connect to the server.
> >
> > Please feel free to contact me offline if you want some live help. Unfortunately I will not have much time until Monday afternoon or Tuesday.
> >
> > On Aug 27, 1:17 pm, Chris Henderson <[email protected]> wrote:
> > > Frank,
> > >
> > > From the agent's log I see the following:
> > >
> > > 009/08/27 12:02:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x'.
> > >
> > > From the server log I see the following:
> > >
> > > 2009/08/27 12:08:06 ossec-remoted(1403): ERROR: Incorrectly formated message from 'x.x.x.x'.
> > >
> > > I also used netcat between the two servers to make sure they can communicate with each other using UDP 1514, each host was able to do so. I've been tailing the server log file for a while now and it looks like all of the agents that are not showing up are getting the "incorrectly formatted message". Does this error have to do with the keys?
> > >
> > > Thanks,
> > >
> > > Chris
> > >
> > > On Wed, Aug 26, 2009 at 2:01 PM, nine 13 tech <[email protected]> wrote:
> > > > Chris,
> > > >
> > > > Have you checked the logs on the clients? There you might see something similar to:
> > > >
> > > > [WARN]trying to connect to <ip of OSSEC server>
> > > >
> > > > It has been my experience that there are just a few reasons why these agents will not connect.
> > > >
> > > > 1. The registered IP of the agent is not the IP that the server sees. To find this, initiate a session or error that would log on the server in /var/log/messages etc., or if there is the internet between the client and server, hit whatsmyip.org to verify.
> > > > 2. A firewall is blocking (you've already checked).
> > > > 3. The key was garbled - you will see errors in /var/ossec/logs/ossec.log
> > > > 4. The agent is not started on the client (oops, did that once).
> > > >
> > > > If you can, can you please post the client logs from one of the non-connecting machines (please remember to obfuscate IP addresses).
> > > >
> > > > Frank Moss
> > > > nine 13 tech
> > > >
> > > > On Aug 25, 1:28 pm, Chris Henderson <[email protected]> wrote:
> > > > > Hey All,
> > > > >
> > > > > In recent weeks I have added and removed several OSSEC agents and I just noticed that none of the new agents are showing up in the OSSEC-WUI under "Available Agents", and I'm not receiving notifications or any alerts for the new hosts. If I run list_agents -a or -c it lists the agents that currently show up in the WUI, which total 12 servers. If I do manage_agents and list the servers there are over 40 servers listed. I've set the agents up and extracted the keys, I've also made sure the agents can get to the OSSEC server, as well as making sure iptables isn't blocking the agent and server. I have even restarted the OSSEC server. Any suggestions on why none of the new hosts are being monitored?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Chris
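
Added example, not part of the thread and not OSSEC's own code: a check for the key-file problems discussed above (encoding damage while the key is moved as text, and entries for other hosts left in an agent's copy of the key file). It assumes each entry is a single ASCII line of the form `<id> <name> <ip> <key>`; `check_client_keys` is a hypothetical helper name, and the key file's path is passed as an argument.

```python
import re
import sys

BOM = b"\xef\xbb\xbf"
# Assumed entry layout: "<id> <name> <ip> <key>", single spaces, ASCII only.
ENTRY = re.compile(rb"^\d+ \S+ \S+ \S+$")


def check_client_keys(raw: bytes) -> list:
    """Return a list of problems found in the bytes of an agent's key file."""
    problems = []
    # A UTF-16 export makes every other byte NUL, so no field will parse.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw:
        return ["file is UTF-16 (or contains NUL bytes), not ASCII"]
    if raw.startswith(BOM):
        problems.append("UTF-8 byte order mark at start of file")
        raw = raw[len(BOM):]
    if any(b > 0x7F for b in raw):
        problems.append("non-ASCII bytes present (key re-encoded in transit?)")
    if b"\r" in raw:
        problems.append("carriage returns present (CRLF line endings)")
    lines = [l for l in raw.replace(b"\r", b"").split(b"\n") if l.strip()]
    if not lines:
        problems.append("no key entry found")
    for n, line in enumerate(lines, 1):
        if not ENTRY.match(line):
            problems.append(f"entry {n}: not in '<id> <name> <ip> <key>' form")
    # The thread's advice: an agent's copy should hold only that agent's entry.
    if len(lines) > 1:
        problems.append(f"{len(lines)} entries; an agent file should hold only its own")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_keys.py <path to the agent's key file>")
    with open(sys.argv[1], "rb") as fh:
        found = check_client_keys(fh.read())
    print("\n".join(found) or "key file looks well-formed")
    sys.exit(1 if found else 0)
```

Run it on the agent before starting the agent daemon; a non-zero exit status means the file should be re-imported or trimmed first.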
