The agent ossec.log files for the two agents show that the agents are
operational and ready to go:

Typical example:

2011/08/15 11:59:33 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/08/15 11:59:33 ossec-agentd: INFO: Assigning sender counter: 7731:6770
2011/08/15 11:59:33 ossec-agentd: INFO: Started (pid: 30229).
2011/08/15 11:59:33 ossec-agentd: INFO: Server IP Address: 10.80.80.100
2011/08/15 11:59:33 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).
...
2011/08/15 12:06:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.80.80.100'.
2011/08/15 12:08:32 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).

On the other hand, at the server, either there is a failure to assign
a sender counter, i.e. the "ossec-agentd: INFO: Assigning sender
counter:" does not appear, or we get:

2011/08/12 12:40:12 ossec-remoted: INFO: No previous counter available for 'vapp022.crickabold.com'.
2011/08/12 12:40:12 ossec-remoted: INFO: Assigning counter for agent vapp022.crickabold.com: '0:0'.

Under either scenario, the status of the agents is "Disconnected".

Obviously, we'd like to fix that.



On Aug 12, 2:13 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Aug 11, 2011 at 1:07 PM, blacklight <[email protected]> wrote:
> > Hello Folks,
>
> > One of our agents is listed in the list of "Available Agents" in the
> > OSSEC GUI as "Inactive"
>
> > Attempted Resolution:
>
> > (1) I logged into the OSSEC server host, ran /var/ossec/bin/
> > manage_agents to get the index ID of the host - say 140
> > (2) On the OSSEC server host, I went into /var/ossec/queue/rids and
> > deleted the file 140
>
> Why did you delete the rids?
>
> > (3) I restarted OSSEC on the OSSEC server host
>
> > (4) On the OSSEC agent host,  I went into /var/ossec/queue/rids and
> > deleted the file 140
> > (3) I restarted OSSEC on the OSSEC agent
>
> > This procedure works 100% of the time. Until today i.e. running /var/
> > ossec/bin/agent_control -i 140 still shows the agent as "Disconnected"
>
> > As a side note, I don't think anyone screwed with firewall access
> > lists because our SNMP polling still correctly shows the agent host as
> > operational. How should I troubleshoot this?
>
> > Thanks,
>
> You could start by looking at the ossec.log files on the agent and the 
> manager.
