How did you do the transition? Did you install OSSEC server on the Xen system, then add the clients to it and move them over? Each client keeps track of (I think) how many messages it has sent to the server. The server also tracks this. That way if a client sends a message labeled as #14 again (just an example :)), the server discards it thinking it is a replay. The following error makes me think something like that might be the problem: "2009/12/22 15:39:56 ossec-agentd(1407): ERROR: Duplicated counter for '[local client host name]'."
On Tue, Dec 22, 2009 at 3:42 PM, Peter M. Abraham <[email protected]> wrote: > Greetings: > > OSSEC V2.3 > > We are in the process of porting our ossec server from a physical > server to a XenServer 5.5 CentOS 5.4 64-bit guest virtual machine. > > While everything appears fine on the server side, on the client side > (even with re-generated ossec keys), it cannot talk to the ossec > server (even when firewalls are down). > > OSSEC Server: > > netstat -lnupe | grep :1514 > udp 0 0 0.0.0.0:1514 > 0.0.0.0:* 0 459945 14476/ > ossec-remoted > > > On the OSSEC client in /var/logs/ossec.log after restarting ossec (/ > var/ossec/etc/ossec.conf was updated with the IP address of the ossec > server. New keys were generated from the server and imported. > > 2009/12/22 15:39:56 ossec-agentd: WARN: Duplicate error: global: 0, > local: 184, saved global: 2323, saved local:2900 > 2009/12/22 15:39:56 ossec-agentd(1407): ERROR: Duplicated counter for > '[local client host name]'. > 2009/12/22 15:39:56 ossec-agentd(1214): WARN: Problem receiving > message from [IP ADDRESS OF XEN-BASED GSS SERVER]. > 2009/12/22 15:39:56 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '[IP ADDRESS OF XEN-BASED GSS SERVER]'. > > > Please note the above is when the firewall is down on all ends; the > error is the same with the firewall up on both ends. > > Please advise. > > Thank you. >
