I ran the tcpdump on the broken agent, a good agent and the server. On the broken agent, I saw only packets from the agent to the server, as the ESTABLISHED connection would explain them.
On the server, I saw no packets whatsoever towards the client. On the good agent, on agent restart I saw some packets from the server to the agent. On the broken agent, even on agent restart I saw no packets from the server. The weirdest thing is that I see no errors in either the server log or the agent log. I also tried to set agentd in debug mode (agentd.debug=2 in /var/ossec/etc/internal_options.conf), but nothing gets logged. Is debugging support a compile-stage option, or does it get built in by default? If the latter, then why

I also noticed something: on every agent except the broken one, when the agentd starts, it logs something like this (taken from a working agent):

2011/03/20 17:27:07 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/03/20 17:27:07 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '1:6385'.
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning sender counter: 113:9733
2011/03/20 17:27:07 ossec-agentd: INFO: Started (pid: 16472).
2011/03/20 17:27:07 ossec-agentd: INFO: Server IP Address: 10.5.x.y
2011/03/20 17:27:07 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
2011/04/04 16:40:56 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/04 16:40:56 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '4:2300'.
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning sender counter: 209:9551
2011/04/04 16:40:56 ossec-agentd: INFO: Started (pid: 5184).
2011/04/04 16:40:56 ossec-agentd: INFO: Server IP Address: 10.5.x.y
2011/04/04 16:40:56 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).

On the broken agent I see something like this:

2011/03/29 18:17:40 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/03/29 18:17:40 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning sender counter: 123:5187
2011/03/29 18:17:40 ossec-agentd: INFO: Started (pid: 24504).
2011/03/29 18:17:40 ossec-agentd: INFO: Server IP Address: 10.5.x.y
2011/03/29 18:17:40 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).
2011/04/04 16:39:12 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/04 16:39:12 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning sender counter: 155:5125
2011/04/04 16:39:12 ossec-agentd: INFO: Started (pid: 16775).
2011/04/04 16:39:12 ossec-agentd: INFO: Server IP Address: 10.5.x.y
2011/04/04 16:39:12 ossec-agentd: INFO: Trying to connect to server (10.5.x.y:1514).

So as far as I can tell, on different-day restarts a good agent will change both reported counters, but the broken agent changes just one. Does anybody have any idea what those counters mean?

On Wed, Mar 30, 2011 at 10:13 PM, dan (ddp) <[email protected]> wrote:
> Run the tcpdump. If the agent isn't using the IP address that was
> assigned to it when it was created (with manage_agents), you may have
> to delete the agent and try again. You can use 'any' (without the
> quotes) for the IP if it seems to pick IPs arbitrarily.
>
> On Wed, Mar 30, 2011 at 12:25 PM, Valentin Avram <[email protected]> wrote:
> > Thank you for the info, it worked perfectly, now the server no longer
> > complains about being unable to send messages to the clients.
> >
> > Only one problem remains now: the agent on the VPN client (which does all
> > the routing) on the remote side is reported as inactive.
> > Same behaviour:
> > - the agent does not complain about anything in the logs
> > - I can see an established UDP connection from the agent to the server (udp/1514)
> > - the server does not complain about anything in the logs
> > ... but the agent is reported by the list_agents utility and by the WUI as inactive.
> >
> > The funny part is that in the WUI I can see events sent by that agent.
> >
> > Short description:
> > - agent is on a machine with 192.168.a.b + 172.16.t.w IPs
> > - server is on a machine with 10.x.y.z + 172.16.r.t IPs
> > - the agent has been installed using the key generated by the server for IP 172.16.t.w
> > - the agent on the machine, for any connection towards 10.x.y.z, would use source IP 172.16.t.w (as indicated by "ip route get 10.x.y.z")
> > - the server listens only on the 10.x.y.z interface
> >
> > For now I'm running out of ideas; I guess I'll need to run some tcpdumps to figure out any cause.
> >
> > On Tue, Mar 29, 2011 at 5:00 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> local_ip
> >> http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
> >>
> >> On Tue, Mar 29, 2011 at 9:56 AM, Valentin Avram <[email protected]> wrote:
> >> > Do you know what the option to specify the IP or network interface to use is? Because in the manual on the ossec site I can't find anything.
> >> >
> >> > On Mon, Mar 28, 2011 at 9:58 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> Wow, that seems pretty complicated.
> >> >>
> >> >> You can specify the IP address the OSSEC manager will use in its ossec.conf.
> >> >>
> >> >> You could use tcpdump to see which IP address the OSSEC manager is attempting to use when communicating with the agents. I'm guessing the error message you see is because the manager is using the wrong IP.
> >> >>
> >> >> On Sun, Mar 27, 2011 at 5:13 PM, Valentin Avram <[email protected]> wrote:
> >> >>
> >> >
> >
>
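The one concrete difference reported above between the good and the broken agent is that, across restarts, the good agent's two "Assigning ... counter" lines both change while the broken agent's per-agent counter stays at '2:4459'. The script below is an added example, not part of this thread and not OSSEC code: it parses ossec-agentd start-up lines into one record per restart and flags any counter that never changes between restarts, so the symptom can be checked on every agent's log rather than by eye. The sample log text is copied from the lines quoted in the thread; the regular expressions, record layout and function names (parse_restarts, stuck_counters, report) are my own, and the script says nothing about what the counters mean.

```python
import re
from typing import Dict, List

# Sample lines copied from the thread above: a working agent (xxx_yyy8) and the
# broken one (xxx_yyy1), two start-ups each. The 10.5.x.y placeholders are the
# thread's own; nothing here is a real address.
GOOD_AGENT_LOG = """\
2011/03/20 17:27:07 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '1:6385'.
2011/03/20 17:27:07 ossec-agentd: INFO: Assigning sender counter: 113:9733
2011/03/20 17:27:07 ossec-agentd: INFO: Started (pid: 16472).
2011/03/20 17:27:07 ossec-agentd: INFO: Server IP Address: 10.5.x.y
2011/04/04 16:40:56 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning counter for agent xxx_yyy8: '4:2300'.
2011/04/04 16:40:56 ossec-agentd: INFO: Assigning sender counter: 209:9551
2011/04/04 16:40:56 ossec-agentd: INFO: Started (pid: 5184).
"""

BROKEN_AGENT_LOG = """\
2011/03/29 18:17:40 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/03/29 18:17:40 ossec-agentd: INFO: Assigning sender counter: 123:5187
2011/03/29 18:17:40 ossec-agentd: INFO: Started (pid: 24504).
2011/04/04 16:39:12 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning counter for agent xxx_yyy1: '2:4459'.
2011/04/04 16:39:12 ossec-agentd: INFO: Assigning sender counter: 155:5125
2011/04/04 16:39:12 ossec-agentd: INFO: Started (pid: 16775).
"""

# Patterns are my own, written against the line shapes quoted in the thread.
TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
AGENT_COUNTER_RE = re.compile(
    TS + r" ossec-agentd: INFO: Assigning counter for agent ([^\s:]+): '(\d+):(\d+)'")
SENDER_COUNTER_RE = re.compile(
    TS + r" ossec-agentd: INFO: Assigning sender counter: (\d+):(\d+)")
STARTED_RE = re.compile(TS + r" ossec-agentd: INFO: Started \(pid: (\d+)\)")


def parse_restarts(log_text: str) -> List[Dict]:
    """Group agentd log lines into one record per start-up.

    Counter lines are collected until the 'Started (pid: N)' line, which
    closes the record. Lines matching none of the patterns are ignored.
    """
    restarts: List[Dict] = []
    current: Dict = {}
    for line in log_text.splitlines():
        m = AGENT_COUNTER_RE.match(line)
        if m:
            current["agent"] = m.group(2)
            current["agent_counter"] = (int(m.group(3)), int(m.group(4)))
            continue
        m = SENDER_COUNTER_RE.match(line)
        if m:
            current["sender_counter"] = (int(m.group(2)), int(m.group(3)))
            continue
        m = STARTED_RE.match(line)
        if m:
            current["started_at"] = m.group(1)
            current["pid"] = int(m.group(2))
            restarts.append(current)
            current = {}
    return restarts


def stuck_counters(restarts: List[Dict]) -> List[str]:
    """Names of counters that were present but identical on every start-up.

    Needs at least two start-ups to say anything; a counter missing from the
    records is not reported as stuck.
    """
    stuck: List[str] = []
    for name in ("agent_counter", "sender_counter"):
        values = [r.get(name) for r in restarts]
        if len(values) >= 2 and values[0] is not None and all(v == values[0] for v in values):
            stuck.append(name)
    return stuck


def report(label: str, log_text: str) -> str:
    """Human-readable summary of the parsed start-ups and any stuck counter."""
    restarts = parse_restarts(log_text)
    out = [f"{label}: {len(restarts)} start-up(s) parsed"]
    for r in restarts:
        out.append(f"  {r['started_at']} pid={r['pid']} agent={r.get('agent')} "
                   f"agent_counter={r.get('agent_counter')} sender_counter={r.get('sender_counter')}")
    stuck = stuck_counters(restarts)
    out.append("  stuck counters: " + (", ".join(stuck) if stuck else "none"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report("good agent", GOOD_AGENT_LOG))
    print(report("broken agent", BROKEN_AGENT_LOG))
```

To run it against a real agent, feed it the contents of /var/ossec/logs/ossec.log (the path the thread's other config reference sits beside; adjust if your install differs) in place of the embedded samples; with the thread's lines it reports the good agent as having no stuck counter and the broken one as having agent_counter stuck at (2, 4459).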
