You got me. So what should I do to get the appropriate rids file? It still didn't work after I copied manager's rids to agent, vice versa. Thanks.
On Wed, Apr 11, 2012 at 8:51 PM, dan (ddp) <[email protected]> wrote: > So the agent was running fine, then you reverted to a previous > snapshot and it stopped working? > Your rids are messed up. You got the agent and manager out of sync. > Stop the OSSEC processes on the manager and the agent, move the > appropriate rids file in /var/ossec/queue/rids, then start the > processes again. > Or remove the agent and issue a new key. > > On Wed, Apr 11, 2012 at 3:59 AM, <[email protected]> wrote: > > Hi, > > I have ossec server on ubuntu, and an agent on windows xp. windows xp > > is a virtual machine. > > At beginning, everything is OK. But when I chang virtual machine to > > older snapshot (its agent works fine when I took this snapshot), the > > agent can not connect to server only more. It's log is as follow: > > > > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404). > > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for > > permission... > > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply > > (not started). Tried: '202.197.1.100'. > > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server > > (202.197.1.100:1514). > > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 . > > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply > > (not started). Tried: '202.197.1.100'. > > > > What's the problem with it? > > Gratitude! >
