Use tcpdump to make sure packets are making it to the manager from the agent, and to the agent from the manager.
On Mon, Aug 15, 2011 at 3:43 PM, blacklight <[email protected]> wrote: > The agent ossec.log files for the two agents show that the agents are > operational and ready to go: > > Typical example: > > 2011/08/15 11:59:33 ossec-agentd(1410): INFO: Reading authentication > keys file. > 2011/08/15 11:59:33 ossec-agentd: INFO: Assigning sender counter: > 7731:6770 > 2011/08/15 11:59:33 ossec-agentd: INFO: Started (pid: 30229). > 2011/08/15 11:59:33 ossec-agentd: INFO: Server IP Address: > 10.80.80.100 > 2011/08/15 11:59:33 ossec-agentd: INFO: Trying to connect to server > (10.80.80.100:1514). > ... > 2011/08/15 12:06:42 ossec-agentd(4101): WARN: Waiting for server reply > (not started). Tried: '10.80.80.100'. > 2011/08/15 12:08:32 ossec-agentd: INFO: Trying to connect to server > (10.80.80.100:1514). > > On the other hand, at the server, either there is a failure to assign > a sender counter i.e. the "ossec-agentd: INFO: Assigning sender > counter:" does not appear, or we get > > 2011/08/12 12:40:12 ossec-remoted: INFO: No previous counter available > for 'vapp022.crickabold.com'. > 2011/08/12 12:40:12 ossec-remoted: INFO: Assigning counter for agent > vapp022.crickabold.com: '0:0'. > There are no other logs related to this agent? The above messages shouldn't be preventing the agent from connecting. > Under either scenario, the status of the agents is "Disconnected" > > Obviously, we'd like to fix that. > > > > On Aug 12, 2:13 pm, "dan (ddp)" <[email protected]> wrote: >> On Thu, Aug 11, 2011 at 1:07 PM, blacklight <[email protected]> wrote: >> > Hello Folks, >> >> > One of our agents is listed in the list of "Available Agents" in the >> > OSSEC GUI as "Inactive" >> >> > Attempted Resolution: >> >> > (1) I logged into the OSSEC server host, ran /var/ossec/bin/ >> > manage_agents to get the index ID of the host - say 140 >> > (2) On the OSSEC server host, I went into /var/ossec/queue/rids and >> > deleted the file 140 >> >> Why did you delete the rids? >> >> > (3) I restarted OSSEC on the OSSEC server host >> >> > (4) On the OSSEC agent host, I went into /var/ossec/queue/rids and >> > deleted the file 140 >> > (3) I restarted OSSEC on the OSSEC agent >> >> > This procedure works 100% of the time. Until today i.e. running /var/ >> > ossec/bin/agent_control -i 140 still shows the agent as "Disconnected" >> >> > As a side note, I don't think anyone screwed with firewall access >> > lists because our SNMP polling still correctly shows the agent host as >> > operational. How should I troubleshoot this> >> >> > Thanks, >> >> You could start by looking at the ossec.log files on the agent and the >> manager.
