One-way agents normally show as "Connected" like regular agents, actually. All the one-way flag does afaik is skip the section in the agent startup where it waits for a response from the manager before continuing to start; otherwise, they behave exactly like normal agents.
Also, no, the manager wasn't updated recently, although we did physically move to a new location so I'm a little worried there's some kind of connection issue (although Wireshark says the packets are getting to the manager...). I've already confirmed from a few angles that we're receiving no events at all, and I think the agent would show up as "Connected" under agent_control before it would send events...? But I'll definitely try killing the firewall and setting debug. Thanks! -Alisha On Mar 27, 1:30 pm, "dan (ddp)" <[email protected]> wrote: > Are you sure that isn't how one way agents always show up? I have no > idea, I don't like that option. Was the manager updated recently > (maybe the one way comms setting has to be set on the manager and > someone forgot to set it)? > > You can try: > Turn off the firewall on the manager. > Run the manager's ossec processes in debug mode, look for errors again. > Double check to make sure logs aren't making it to the manager (you > can even turn on the log all option to triple check).
