Greetings Dan:

Originally, I did a fresh install on the target, CentOS 5.4 64-bit Xen Guest. Then I copied over the client keys and the ossec.conf along with other local configuration files and the local_rules.xml file.

Then I tried using sed to just change the IP address in the agent configuration, but while sed worked (by the way, please, please consider allowing machine names over IP addresses), I received errors galore with agents trying to communicate with the server.

Last night, on the Windows agents I did an uninstall, then a fresh install. On the Linux agents, I did an install stating "no" to upgrade and "yes" to overwrite the /var/ossec folder. On the server itself (prior to 38 re-installs), I removed the client keys and added the keys in fresh.

*** On the ossec server itself, do I put in one <allowed-ips> per agent? ***

The "ERROR: Incorrectly formated message" error is just from one of thirty-eight agents. Should I try a fresh re-install of the agent? Do I need to remove and re-add the agent key?

Other errors showing up in the ossec.log are as follows:

2009/12/23 01:41:55 ossec-remoted(1218): ERROR: Unable to send message to 027.
2009/12/23 03:25:42 ossec-remoted(1218): ERROR: Unable to send message to 009.
2009/12/23 15:17:41 ossec-remoted: WARN: Duplicate error: global: 0, local: 841, saved global: 1, saved local:4728
2009/12/23 15:17:41 ossec-remoted(1407): ERROR: Duplicated counter for '[agent host name goes here'.

Thoughts?

Thank you.
