On Wed, Dec 23, 2009 at 3:37 PM, Peter M. Abraham
<[email protected]> wrote:
> Greetings Dan:
>
> Originally, I did a fresh install on the target, CentOS 5.4 64-bit Xen
> Guest. Then I copied over the client keys and the ossec.conf along
> with other local configuration files and the local_rules.xml file.
>
> Then I tried using sed to just change the IP address in the agent
> configuration, but while sed worked (by the way, please, please
> consider allowing machine names over IP addresses) I received errors
> galore with agents trying to communicate with the server.
>

If IP addresses are so difficult, why not just set them all up as a range
instead of individual IPs? i.e. 192.168.1.0/24 instead of 192.168.1.23

> Last night, on the Windows agents I did an uninstall, then a fresh
> install. On the Linux agents, I did an install stating "no" to
> upgrade and "yes" to overwrite the /var/ossec folder. On the server
> itself (prior to 38 re-installs), I removed the client keys and added
> the keys in fresh.
>
>
> *** On the ossec server itself, do I put in one <allowed-ips> per
> agent? ***
>
>

If you're seeing the error with only 1 agent, this probably isn't the problem.
For future reference, the information on this option can be found at:
http://www.ossec.net/main/manual/configuration-options/

> The "ERROR: Incorrectly formated message" error is just from one of
> thirty-eight agents. Should I try a fresh re-install of the agent? Do I
> need to remove and re-add the agent key?
>

I would try re-installing the agent. If that doesn't solve it, I would
remove the agent on the server (using manage_agents) and re-add it
(restarting the server processes after re-adding it).

> Other errors showing up in the ossec.log are as follows:
>
> 2009/12/23 01:41:55 ossec-remoted(1218): ERROR: Unable to send message
> to 027.
> 2009/12/23 03:25:42 ossec-remoted(1218): ERROR: Unable to send message
> to 009.
>
> 2009/12/23 15:17:41 ossec-remoted: WARN: Duplicate error:  global: 0,
> local: 841, saved global: 1, saved local:4728
> 2009/12/23 15:17:41 ossec-remoted(1407): ERROR: Duplicated counter for
> '[agent host name goes here'.
>
> Thoughts?
>
> Thank you.
>
>

The duplicated counter error sounds like the agent is trying to send a
message using a counter it has already used. To help protect against
replay attacks, ossec keeps track of how many messages the agent has
sent. If the agent sends a second message with a lower counter than the
server has on record for that agent, the message will be discarded. If
you reinstall the server without preserving those counters, this message
will be expected. There's information in the archives for turning off
this feature. Note that this is not recommended though.
I don't have any clues off hand on the other errors.
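The counter check described in this reply, as an added Python illustration that is not OSSEC's own code: the in-memory store, the agent id and the method names are assumptions, and the counter values are taken from the warning quoted in the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Counter = Tuple[int, int]  # (global, local); compared as a pair, global first


@dataclass
class CounterStore:
    """Server-side record of the last counter seen from each agent
    (assumed in-memory model of the per-agent state OSSEC keeps)."""
    saved: Dict[str, Counter] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def check(self, agent: str, received: Counter) -> bool:
        """Accept only if the counter advances past the one on record."""
        prev: Optional[Counter] = self.saved.get(agent)
        if prev is not None and received <= prev:
            g, l = received
            sg, sl = prev
            # Same shape as the warning quoted in the thread
            self.log.append(f"WARN: Duplicate error:  global: {g}, local: {l}, "
                            f"saved global: {sg}, saved local:{sl}")
            self.log.append(f"ERROR: Duplicated counter for '{agent}'.")
            return False
        self.saved[agent] = received  # record the new high-water mark
        return True

    def reset(self, agent: str) -> None:
        """Forget the record, as removing and re-adding the agent would."""
        self.saved.pop(agent, None)


def scenario() -> Tuple[bool, bool, bool]:
    """Replay the situation from the log: the agent presents (0, 841)
    while the server remembers (1, 4728). Agent id is constructed."""
    store = CounterStore()
    store.saved["agent-027"] = (1, 4728)
    rejected = store.check("agent-027", (0, 841))     # lower -> discarded
    accepted = store.check("agent-027", (1, 4729))    # next value -> accepted
    store.reset("agent-027")                          # record cleared
    after_reset = store.check("agent-027", (0, 841))  # baseline starts over
    return rejected, accepted, after_reset


if __name__ == "__main__":
    print(scenario())  # (False, True, True)
```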
