tcpdump will pick up packets even if they're blocked by the firewall.
Are the messages coming from the correct IP? Did the manager's IP change at all?
You could also try deleting the agent from the manager, creating a new
one, and installing that key on the agent.

On Tue, Mar 27, 2012 at 4:50 PM, Alisha Kloc <[email protected]> wrote:
> One-way agents normally show as "Connected" like regular agents,
> actually. All the one-way flag does afaik is skip the section in the
> agent startup where it waits for a response from the manager before
> continuing to start; otherwise, they behave exactly like normal
> agents.
>
> Also, no, the manager wasn't updated recently, although we did
> physically move to a new location so I'm a little worried there's some
> kind of connection issue (although Wireshark says the packets are
> getting to the manager...).
>
> I've already confirmed from a few angles that we're receiving no
> events at all, and I think the agent would show up as "Connected"
> under agent_control before it would send events...? But I'll
> definitely try killing the firewall and setting debug.
>
> Thanks!
> -Alisha
>
>
> On Mar 27, 1:30 pm, "dan (ddp)" <[email protected]> wrote:
>> Are you sure that isn't how one way agents always show up? I have no
>> idea, I don't like that option. Was the manager updated recently
>> (maybe the one way comms setting has to be set on the manager and
>> someone forgot to set it)?
>>
>> You can try:
>> Turn off the firewall on the manager.
>> Run the manager's ossec processes in debug mode, look for errors again.
>> Double check to make sure logs aren't making it to the manager (you
>> can even turn on the log all option to triple check).
